clemsontiger Absent Member.

MongoDB Script and Node.js false positives?

Not sure why, but WebInspect has been flagging our web applications with the following:

Critical: Server Side Script Injection

WebInspect has discovered a critical MongoDB Script Injection Vulnerability at......

and

Critical: Server Side Script Injection

WebInspect has discovered a critical Node.js Script Injection vulnerability at....

Our applications do not, and never have, used Node.js nor MongoDB. Also not using php.

Why do they keep showing up as issues?

AutoDan Absent Member.

Re: MongoDB Script and Node.js false positives?

Hi HP Technical Support,

As a number of your customers are experiencing this issue, are you able to provide some advice and/or a solution?

Of course these could all just be marked as false positives after a scan is complete, though I believe these checks are increasing our scan durations.

Please advise,

Dan

Fhabte Absent Member.

Re: MongoDB Script and Node.js false positives?

Hi HP Tech Support,

I would also like to add,

We are in the process of customising our WebInspect scan policy via Policy Manager. We want to disable checks related to MongoDB Script and Node.js. The issue we are experiencing is not being able to find the Vulnerability ID relating to the check we would like removed. We have searched using all of the criteria available to us through Policy Manager but no luck.

Please advise

Thanks

Micro Focus Expert

Re: MongoDB Script and Node.js false positives?

clemsontiger;

Based on the text you provided, it appears this complaint is for the following two checks.

  • check# 11301 - MongoDB Script Injection Attack
  • check# 11302 - Node.js Script Injection Attack

Neither of these are enabled in the Standard (default) scan Policy.  If you are using a custom Policy (or perhaps the All Checks policy) and they are causing trouble, please locate them and disable them using Policy Manager.  Be aware that if you are then also using a saved scan settings file with this Policy selected, you may need to open and edit that file in order to update that Policy selection to the new customized one.  This can be done under the Edit menu > Manage Settings > Edit > Policy panel.

As for these being false positives, I suspect it is based on whatever they flag on.  Although their name may say one particular vendor or brand, we have had checks that trigger successfully on other brands later down the road.  I assume that is because the popular name for the issue was pegged when it was first disclosed publicly and it has stuck with it ever since.  At other times, the server just happens to respond in such a way that it matches the expected signature of the vulnerable app.

If you need to mark this as a False Positive, you can Filter it from future scans of the same site by using the False Positives Import function.  This feature is available towards the end of either Scan Wizard (Guided or Basic), but if you miss it then you may enable it later from the scan Dashboard > False Positives > Import.  Essentially, you have to identify the prior scan(s) that had the FP's marked, and the current scan then filters those items out.

When marking a FP, there is an option to report it to HP Development.  This is sent anonymously as feedback, similar to the HP Telemetry feature.  However, for more direct complaints, I would generate a Single Session Report (via right-click in Site Tree pane) and forward that detailed report to Fortify Support (support.fortify.com) to take over to our research team.  Support might be able to review the HTTP Response and dialog with that group to identify why your system happens to flag with this vulnerability, since the Policy Manager does not expose that level of background detail to the user.

Fhabte, I located these checks by opening the included Policy Manager tool > Search > "Vulnerability Name" + "contains" + "mongo" or "node.js".  In the WebInspect UI, the user could have found the same detail by highlighting that vulnerability > Session Info view (vertical control on-screen) > Vulnerability pane.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Mente Regular Contributor.

Re: MongoDB Script and Node.js false positives?

Hi Hans,

I think the problem we're having is that we cannot locate the MongoDB entries within the policies, as per below, to disable them.

Micro Focus Expert

Re: MongoDB Script and Node.js false positives?

That definitely clarifies your trouble and it is some defect in your installation or system environment.  I would try these steps to clear it, not because I know they definitely will work, but because they will most likely help it.

  1. Run SmartUpdate, let it update everything, then see if Policy Manager's results have changed.
  2. Rename or delete the /dat/ folder found within your WebInspect installation folder.  This rebuilds on load.
  3. Re-run the WebInspect installer to try the Repair option.
  4. Uninstall WebInspect (without selecting Remove All Data and Deactivate License), then reinstall and SmartUpdate.
  5. Contact Fortify Support to really dig into your situation.  (support.fortify.com).

Also, try manually browsing to the following location on the Attack Groups view in Policy Manager to see if they are visible from that perspective.

Standard Policy > Attack Groups > General Application Testing > (scroll down to find both checks alphabetically)

-- Habeas Data
AutoDan Absent Member.

Re: MongoDB Script and Node.js false positives?

Hi Hans,

We are having the same issue as described by Mente in that we are unable to see vulnerability entries for MongoDB and Node.js.

We have our own Custom Scan Policy based on the OWASP Top 10 2013, which currently includes these checks, though we have no way of removing them.

We are using AMP in combination with WebInspect and as such we access Policy Manager through the AMP Console. Not sure how much of a difference this makes. I have checked all the scan policies available and these vulnerabilities are not available in any of them (See attached All Checks).

Cheers,

Dan

Micro Focus Expert

Re: MongoDB Script and Node.js false positives?

Since you are using AMP, it is quite likely your checks database does not reflect the current state for other customers.  The reason is that AMP has been superseded by WebInspect Enterprise (WIE), which is now on its 7th release as version 10.50 on 11/16/2015.  I know that around the release of WebInspect 10.30 or 10.40 they began blocking the use of the newer WebInspect as AMP Sensors, effectively freezing the AMP scan capabilities at that time-point.

Since these particular checks for Mongo and Node.js were first introduced in December 2012, they arrived after the last release of AMP (v9.20).  It could be possible that they either will not download via SmartUpdate or that they would not be available due to dependencies with the newer WebInspect/Sensor versions that are not installed.

-- Habeas Data