ZAP format string error


amazingda...@gmail.com

Sep 14, 2016, 2:16:40 PM
to OWASP ZAP User Group
Hi All,

The ZAP tool has reported a format string error for our asmx web service application. I am trying to determine if this is a real error or a false positive. 

Medium (Medium) Format String Error

Description: A Format String error occurs when the submitted data of an input string is evaluated as a command by the application.

URL: https://myhost.com/demo/myservice.asmx

Parameter: xmlns:soapenv

Attack: ZAP

Instances: 1

Solution: Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable.

Other information: Potential Format String Error. The script closed the connection on a /%s

Reference: https://www.owasp.org/index.php/Format_string_attack

CWE Id: 134

WASC Id: 6


I have tried to call the following URLs via a browser


Each will return the standard bad request HTML from IIS.

Request format is unrecognized. 

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.InvalidOperationException: Request format is unrecognized.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. 


Stack Trace:


[InvalidOperationException: Request format is unrecognized.]

   System.Web.Services.Protocols.WebServiceHandlerFactory.CoreGetHandler(Type type, HttpContext context, HttpRequest request, HttpResponse response) +169729

   System.Web.Services.Protocols.WebServiceHandlerFactory.GetHandler(HttpContext context, String verb, String url, String filePath) +209

   System.Web.Script.Services.ScriptHandlerFactory.GetHandler(HttpContext context, String requestType, String url, String pathTranslated) +48

   System.Web.MaterializeHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +339

   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155


There is a stack trace and an 'unhandled exception' but it is also normal. You only get this stack trace when you call the service from the localhost; it will return a generic error with no trace from a remote host. Is this the reason that ZAP is reporting the string format error?

I have also tried passing bad strings in the actual SOAP request to the ASMX but I get no unusual errors either. If I can understand what ZAP is sending to the service, and what it is interpreting as an error in the result, then I can either fix or ignore this error.

Thanks

kingthorin+owaspzap

Sep 14, 2016, 4:24:01 PM
to OWASP ZAP User Group
The source for the format string scanner is here: https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/ascanrules/FormatString.java if you want to understand exactly what the particular scan rule is doing/sending.

I'm guessing it's because your app has some problem filtering or processing the input and returns a 500 - Internal Server Error. If the input was handled gracefully by the server/code then no 500 - Internal Server Error would occur.

amazingda...@gmail.com

Sep 15, 2016, 2:47:27 PM
to OWASP ZAP User Group
Thanks for the quick response. I looked at the code and was able to determine what it was doing and reproduce it. In this case it is sending a string to the URL, and if it receives an HTTP 500 response it determines it is an error, as you said.

This is a false positive in this case, and will return an error for any Microsoft ASMX based SOAP service running on IIS as it doesn't even get to custom code on the server side.

I noticed in the code that you make the call first with a non-format-string string 'ZAP', but the code doesn't check the response. This may be a bug. I think that it is safe to ignore the string format error if the behavior is the same with the ZAP input string and the %s input string.

Here is some curl output from my testing. I removed one or two IPs/URLs etc.

MAC:~/Temp$ cat zap2.txt
zap
MAC:~/Temp$ curl -d@zap2.txt -v https://myhost.com/demo/myservice.asmx
* Connected to myhost.com (1.1.1.1) port 443 (#0)
...
> POST /demo/myservice.asmx HTTP/1.1
> Host: myhost.com
> User-Agent: curl/7.43.0
> Accept: */*
> Content-Length: 3
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 3 out of 3 bytes
< HTTP/1.1 500 Internal Server Error
< Cache-Control: private,no-cache, no-store, must-revalidate, private
< Content-Type: application/soap+xml; charset=utf-8
< Server: Microsoft-IIS/8.5
< X-AspNet-Version: 4.0.30319
< X-Powered-By: ASP.NET
< X-Frame-Options: DENY
< X-XSS-Protection: 1
< X-Content-Type-Options: nosniff
< Date: Thu, 15 Sep 2016 18:27:43 GMT
< Content-Length: 509
<
* Connection #0 to host myhost.com left intact


<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Receiver</soap:Value></soap:Code><soap:Reason><soap:Text xml:lang="en">Server was unable to process request. ---&gt; Data at the root level is invalid. Line 1, position 1.</soap:Text></soap:Reason><soap:Detail /></soap:Fault></soap:Body></soap:Envelope>


MAC:~/Temp$ cat zap.txt
%s
MAC:~/Temp$ curl -d@zap.txt -v  https://myhost.com/demo/myservice.asmx
* Connected to myhost.com (1.1.1.1) port 443 (#0)


...
> POST /demo/myservice.asmx HTTP/1.1
> Host: myhost.com
> User-Agent: curl/7.43.0
> Accept: */*
> Content-Length: 2
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 2 out of 2 bytes
< HTTP/1.1 500 Internal Server Error
< Cache-Control: private,no-cache, no-store, must-revalidate, private
< Content-Type: application/soap+xml; charset=utf-8
< Server: Microsoft-IIS/8.5
< X-AspNet-Version: 4.0.30319
< X-Powered-By: ASP.NET
< X-Frame-Options: DENY
< X-XSS-Protection: 1
< X-Content-Type-Options: nosniff
< Date: Thu, 15 Sep 2016 18:27:56 GMT
< Content-Length: 509
<
* Connection #0 to host myhost.com left intact


<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Receiver</soap:Value></soap:Code><soap:Reason><soap:Text xml:lang="en">Server was unable to process request. ---&gt; Data at the root level is invalid. Line 1, position 1.</soap:Text></soap:Reason><soap:Detail /></soap:Fault></soap:Body></soap:Envelope>
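The comparison proposed in the last post (treat the alert as ignorable when the benign `ZAP` string and the `%s` string produce the same behaviour), as an added example that is not part of the original thread or of ZAP's code. The names `Response`, `fault_reason`, `fingerprint` and `triage` are hypothetical, the fault body is the one from the curl output above with the unused `xsi`/`xsd` namespace declarations dropped, and the `OK`/`CRASH` pair is constructed.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional

SOAP12 = "{http://www.w3.org/2003/05/soap-envelope}"

class Response(NamedTuple):
    status: int
    body: str

def fault_reason(body: str) -> Optional[str]:
    """Return the SOAP 1.2 fault reason text, or None if body is not a SOAP fault."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return None
    node = root.find(f".//{SOAP12}Fault/{SOAP12}Reason/{SOAP12}Text")
    return node.text.strip() if node is not None and node.text else None

def fingerprint(resp: Response):
    # Compare on status plus fault reason; fall back to the raw body for non-SOAP replies.
    reason = fault_reason(resp.body)
    return (resp.status, reason if reason is not None else resp.body.strip())

def triage(baseline: Response, probe: Response) -> str:
    """baseline = reply to the benign 'ZAP' string, probe = reply to the '%s' string."""
    if probe.status != 500:
        return "no-finding"               # the condition the alert keys on is absent
    if fingerprint(baseline) == fingerprint(probe):
        return "likely-false-positive"    # the server rejects any input the same way
    return "investigate"                  # only the format specifier changed the behaviour

# Fault body from the thread's curl output (abridged as described in the lead-in).
FAULT = ('<?xml version="1.0" encoding="utf-8"?>'
         '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
         '<soap:Body><soap:Fault><soap:Code><soap:Value>soap:Receiver</soap:Value>'
         '</soap:Code><soap:Reason><soap:Text xml:lang="en">Server was unable to '
         'process request. ---&gt; Data at the root level is invalid. Line 1, '
         'position 1.</soap:Text></soap:Reason><soap:Detail /></soap:Fault>'
         '</soap:Body></soap:Envelope>')

# Constructed contrast case: benign input succeeds, '%s' yields an empty 500.
OK, CRASH = Response(200, "<ok/>"), Response(500, "")

if __name__ == "__main__":
    print(triage(Response(500, FAULT), Response(500, FAULT)))
    print(triage(OK, CRASH))
```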
