🐞 False positive detection due to incorrect error handling #44

@urbanadventurer

Description

Problem

When HTTP connections fail, droopescan reports the test as a positive result, e.g. it found a module.

5 GET requests to detect modules, such as the following, timed out without a response. These are displayed in the output as found.

GET /sites/default/modules/content_glider/content_glider.module HTTP/1.1

Recommendation

If the connection fails it should retry for a set number of times.

Environment

I'm using Kali with the latest version of droopescan that is current with master branch.

Usage

I used the following command. This connected to the Burp proxy.

python3 ./drupwn --target https://xxx --bauth asdfsadfsadfsadf== --version 8 --mode enum --proxy 127.0.0.1:8080 --log

Logs

The log is as follows. All Modules found were false positives.

============ Themes ============

[+] seven
[+] stark
[+] bartik
[+] classy

============ Custom Themes ============


============ Default files ============

[+] /web.config (403)
[+] /robots.txt (200)
[+] /update.php (403)
[+] /install.php (200)

============ Modules ============

[+] HWCTravel
[+] popups_reference
[+] imageslider
[+] content_glider
[+] active_tags


============ Custom Modules ============


============ Nodes ============

https://xxx/node/491
https://xxx/node/675

============ Users ============
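The defect described in this report is a classification problem: a probe that never receives a response is counted as a hit, so every timed-out module check lands in the findings and wastes triage time. The snippet below is an added example (not drupwn's or droopescan's own code) of the recommended handling: retry a fixed number of times, and if every attempt fails, report the module as unknown rather than found. The HTTP client is replaced by a constructed in-memory stand-in that times out a set number of times before answering; the path layout and the assumption that 200 or 403 proves presence (a 404 proves absence) are taken from the log above.

```python
from typing import Callable, Dict, List

# Probe outcomes: a transport failure must never collapse into FOUND.
FOUND, ABSENT, UNKNOWN = "found", "absent", "unknown"

# Assumption: these statuses prove the file exists (the log lists 403 hits).
PRESENT_STATUSES = {200, 403}


def probe_path(fetch: Callable[[str], int], path: str, retries: int = 3) -> str:
    """Classify one enumeration probe.

    `fetch(path)` returns an HTTP status code, or raises OSError
    (TimeoutError / ConnectionError) when no response arrived.
    The request is retried up to `retries` times; if every attempt
    fails the result is UNKNOWN, not a positive hit.
    """
    for _attempt in range(retries):
        try:
            status = fetch(path)
        except OSError:
            continue  # no response: try again, do not count it as a finding
        return FOUND if status in PRESENT_STATUSES else ABSENT
    return UNKNOWN


def make_flaky_fetch(responses: Dict[str, int], timeouts_before_reply: int) -> Callable[[str], int]:
    """Constructed offline stand-in for an HTTP client (hypothetical, not a real library).

    Each path times out `timeouts_before_reply` times, then answers with the
    status in `responses` (404 if the path is not listed).
    """
    failures_left: Dict[str, int] = {}

    def fetch(path: str) -> int:
        left = failures_left.setdefault(path, timeouts_before_reply)
        if left > 0:
            failures_left[path] = left - 1
            raise TimeoutError(f"no response for {path}")
        return responses.get(path, 404)

    return fetch


def enumerate_modules(fetch: Callable[[str], int], modules: List[str], retries: int = 3) -> Dict[str, List[str]]:
    """Probe each module's .module file and group module names by outcome."""
    results: Dict[str, List[str]] = {FOUND: [], ABSENT: [], UNKNOWN: []}
    for name in modules:
        path = f"/sites/default/modules/{name}/{name}.module"
        results[probe_path(fetch, path, retries)].append(name)
    return results
```

With two timeouts and three retries the probe recovers and classifies correctly; with more timeouts than retries the module is reported as unknown, which is the behaviour the report asks for instead of a false positive.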
