From 64b08011490883a993caad78afac92fc87ab3598 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Tue, 6 Feb 2024 10:34:00 +0100 Subject: [PATCH 1/3] :bug: fix wfuzz, issue #7863 --- dojo/tools/wfuzz/parser.py | 1 + unittests/scans/wfuzz/issue_7863.json | 14 ++++++++++++++ unittests/tools/test_wfuzz_parser.py | 10 ++++++++++ 3 files changed, 25 insertions(+) create mode 100644 unittests/scans/wfuzz/issue_7863.json diff --git a/dojo/tools/wfuzz/parser.py b/dojo/tools/wfuzz/parser.py index 271b7d208c0..df2ae098695 100644 --- a/dojo/tools/wfuzz/parser.py +++ b/dojo/tools/wfuzz/parser.py @@ -17,6 +17,7 @@ class WFuzzParser(object): "401": "Medium", "407": "Medium", "403": "Medium", + "404": "Medium" } def get_scan_types(self): diff --git a/unittests/scans/wfuzz/issue_7863.json b/unittests/scans/wfuzz/issue_7863.json new file mode 100644 index 00000000000..e98b8ad9f08 --- /dev/null +++ b/unittests/scans/wfuzz/issue_7863.json @@ -0,0 +1,14 @@ +[ + { + "chars": 2823, + "code": 404, + "payload": "/server-status | GET /server-status HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Wfuzz/3.1.0\nHost: example.com\n\n", + "lines": 0, + "location": "", + "method": "GET", + "post_data": [], + "server": "", + "url": "https://example.com/server-status", + "words": 60 + } +] \ No newline at end of file diff --git a/unittests/tools/test_wfuzz_parser.py b/unittests/tools/test_wfuzz_parser.py index ff34c93788b..ef826921f9d 100644 --- a/unittests/tools/test_wfuzz_parser.py +++ b/unittests/tools/test_wfuzz_parser.py @@ -37,3 +37,13 @@ def test_one_dup_finding(self): for endpoint in finding.unsaved_endpoints: endpoint.clean() self.assertEqual(4, len(findings)) + + def test_issue_7863(self): + testfile = open("unittests/scans/wfuzz/issue_7863.json") + parser = WFuzzParser() + findings = parser.get_findings(testfile, Test()) + for finding in findings: + for endpoint in finding.unsaved_endpoints: + endpoint.clean() + self.assertEqual(1, len(findings)) + self.assertEqual("Medium", findings[0].severity) From 7d73a310316c2ed40c71668e2f64814f2202f011 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Tue, 6 Feb 2024 10:41:21 +0100 Subject: [PATCH 2/3] add 302 --- dojo/tools/wfuzz/parser.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/dojo/tools/wfuzz/parser.py b/dojo/tools/wfuzz/parser.py index df2ae098695..a19cd869bd8 100644 --- a/dojo/tools/wfuzz/parser.py +++ b/dojo/tools/wfuzz/parser.py @@ -13,11 +13,12 @@ class WFuzzParser(object): # table to match HTTP error code and severity SEVERITY = { "200": "High", - "500": "Low", + "302": "Low", "401": "Medium", - "407": "Medium", "403": "Medium", - "404": "Medium" + "404": "Medium", + "407": "Medium", + "500": "Low" } def get_scan_types(self): From 417588b311631007889ce698b2d1f00bb9196aed Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Tue, 6 Feb 2024 10:51:23 +0100 Subject: [PATCH 3/3] update docs --- docs/content/en/integrations/parsers/file/wfuzz.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/en/integrations/parsers/file/wfuzz.md b/docs/content/en/integrations/parsers/file/wfuzz.md index 2aa4add793b..1893c359bd2 100644 --- a/docs/content/en/integrations/parsers/file/wfuzz.md +++ b/docs/content/en/integrations/parsers/file/wfuzz.md @@ -9,8 +9,10 @@ The return code matching are directly put in Severity as follow(this is hardcode HTTP Return Code | Severity -----------------|--------- 200 | High +302 | Low 401 | Medium 403 | Medium +404 | Medium 407 | Medium 500 | Low