Source Code Disclosure - File inclusion can be false positive?


Hashim Mohammed

Apr 12, 2018, 6:35:53 AM
to OWASP ZAP User Group
While running a ZAP Active Scan on my web application I get this alert: "Source Code Disclosure - File Inclusion". But the response is "400 Bad Request" and returns an error message as JSON. I have cross-checked the message; there is nothing vulnerable and no source code is disclosed. I am new to ZAP and am kind of stuck here. Any kind of help is appreciated.

Thank you.

PS: I have tried the ZAP test again with "null" as the return message; I am still getting the same alert.

kingthorin+owaspzap

Apr 12, 2018, 12:12:02 PM
to OWASP ZAP User Group
Without the specific request, response, and alert details there's not much we can say at this point.

If you’re able to share the details feel free to attach them to a new issue: https://github.com/zaproxy/zaproxy/issues/new

Hashim Mohammed

Apr 16, 2018, 2:20:35 AM
to OWASP ZAP User Group
Can you please tell me how this File Inclusion attack works and what the possible outcomes (responses) are? In my case, it returns only an exception message as JSON. I couldn't find any source code disclosure in that response, but without proper details I can't conclude it is a false positive.

Hashim Mohammed

Apr 16, 2018, 2:55:50 AM
to OWASP ZAP User Group
I have attached the response and alert details; kindly please check them.


On Thursday, 12 April 2018 21:42:02 UTC+5:30, kingthorin+owaspzap wrote:
[Attachment: FileInclusionRespnse.PNG]
[Attachment: FileInclusionDetails.PNG]

Jyotsna Ahuja

Sep 30, 2019, 3:07:34 AM
to OWASP ZAP User Group
Were you able to resolve this? I am facing a similar issue.

Thanks

Peter Hauschulz

Sep 30, 2019, 6:55:55 AM
to OWASP ZAP User Group
At the bottom of the response body it doesn't disclose full source code, but it does disclose some method names, libraries and lines.

It's up to you to decide whether that is a false positive or not, but I would consider it 'Application Error Disclosure' at least, and a genuine issue that needs fixing.

Jyotsna Ahuja

Sep 30, 2019, 8:29:46 AM
to OWASP ZAP User Group
Thanks Peter. It does not disclose anything. It's a normal response for a public GET API. But I got your point. Thanks for clarifying.

kingthorin+owaspzap

Sep 30, 2019, 10:57:31 AM
to OWASP ZAP User Group

is a normal API response? It's leaking what parser is being used, it's leaking version info, etc. While it technically might not be "source code", it is information that end users don't need and that you shouldn't want adversaries to have.
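As an added example (not code from this thread, from ZAP, or from the poster's application), the following Python helper applies the distinction Peter and kingthorin draw above when triaging a "Source Code Disclosure - File Inclusion" alert: it scans a JSON error body for actual source code on one hand, and for exception class names, stack frames, parser positions and version strings on the other, returns a verdict, and shows the generic error body a hardened handler would return instead. The regexes, the sample responses and the `safe_error_body` helper are constructed for this example; ZAP's own rule logic is not reproduced here, and the real attachments in the thread are images that cannot be inspected on this page.

```python
"""Triage helper for ZAP 'Source Code Disclosure - File Inclusion' hits on JSON error
bodies.  Added example, not ZAP's rule logic; patterns and samples are constructed."""
import json
import re

# Patterns that indicate real source code came back (what the alert title claims).
_SRC = [re.compile(p, re.MULTILINE) for p in (
    r"<\?php\b",                                      # PHP opening tag
    r"^\s*(?:import|package)\s+[\w.]+\s*;",           # Java/Kotlin source line
    r"\bpublic\s+(?:static\s+)?(?:class|interface)\s+\w+",
    r"<%@\s*page\b",                                  # JSP page directive
    r"^\s*#include\s*[<\"]",                          # C/C++ source
    r"^\s*def\s+\w+\s*\(.*\)\s*:",                    # Python source
)]

# Patterns that indicate an application error leak rather than source code.
_ERR = [re.compile(p, re.MULTILINE) for p in (
    r"\b(?:[a-z][a-z0-9_]*\.){2,}[A-Z]\w*(?:Exception|Error)\b",  # Java exception FQCN
    r"\bat\s+[\w.$]+\(\w+\.java:\d+\)",                           # Java stack frame
    r"Traceback \(most recent call last\)",                        # Python traceback
    r"File \"[^\"]+\", line \d+",                                  # Python frame
    r"\bline:\s*\d+,\s*column:\s*\d+\b",                           # JSON parser position
    r"(?i)\b(?:version|jackson|spring|tomcat|jetty|express|django)\b[^\n\"]{0,40}?\d+\.\d+",
)]


def _texts(body: str):
    """Yield the raw body and, if it parses as JSON, every string value inside it.
    JSON escapes newlines as \\n, so multi-line traces only match after decoding."""
    yield body
    try:
        doc = json.loads(body)
    except ValueError:
        return
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, str):
            yield node
        elif isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)


def classify_response(body: str) -> dict:
    """Return the patterns that fired and a verdict for the ZAP alert:
    'source_code_disclosure'       - source code in the body: the alert is a true positive
    'application_error_disclosure' - no source, but exceptions/frames/versions leak
    'no_disclosure'                - neither: treat the alert as a false positive"""
    texts = list(_texts(body))
    src = sorted({p.pattern for p in _SRC for t in texts if p.search(t)})
    err = sorted({p.pattern for p in _ERR for t in texts if p.search(t)})
    verdict = ("source_code_disclosure" if src
               else "application_error_disclosure" if err
               else "no_disclosure")
    return {"verdict": verdict, "source_hits": src, "error_hits": err}


def safe_error_body(status: int, request_id: str) -> str:
    """Generic body to send to the client instead of the exception text (hypothetical
    handler): the exception, stack and parser details stay in server logs keyed by id."""
    reason = {400: "Bad Request", 404: "Not Found",
              500: "Internal Server Error"}.get(status, "Error")
    return json.dumps({"status": status, "error": reason, "requestId": request_id})


# Constructed sample bodies in the style of the responses discussed in the thread.
LEAKY_400 = json.dumps({
    "status": 400, "error": "Bad Request", "path": "/api/users",
    "exception": "org.springframework.http.converter.HttpMessageNotReadableException",
    "message": "JSON parse error: Unrecognized token 'file'; nested exception is "
               "com.fasterxml.jackson.core.JsonParseException: Unrecognized token\n"
               " at [Source: java.io.PushbackInputStream@1a2b3c; line: 1, column: 6]",
    "parser": "jackson-databind 2.9.5",
    "trace": "org.springframework.http.converter.HttpMessageNotReadableException\n"
             "\tat com.example.api.UserController.get(UserController.java:42)\n",
})
CLEAN_400 = safe_error_body(400, "7f3c2b9e")
PHP_SOURCE = '<?php\n$conn = mysqli_connect("db", "app", $pass);\n'

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_400), ("clean", CLEAN_400), ("php", PHP_SOURCE)):
        print(name, classify_response(body)["verdict"])
```

The verdict `application_error_disclosure` is the case this thread ends on: no source, so the ZAP alert title overstates it, but the body still names the framework, the JSON parser, a library version and a class/method/line, which is exactly what kingthorin objects to. Only `no_disclosure` justifies marking the ZAP alert a false positive.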