Fix false positives on ID command

wapiti-scanner · Feb 18, 2025 · 1de29dd · 1de29dd
1 parent 90ed601
commit 1de29dd
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/wapitiCore/data/attacks/execPayloads.ini b/wapitiCore/data/attacks/execPayloads.ini
@@ -1,24 +1,24 @@
 [DEFAULT]
 payload = None
-; rules will be used as a boolean AND if there are multiple
+; rules will be used as a boolean OR if there are multiple
 rules = None
 description = None
 status = vulnerability
 type = pattern
 
 [no_escape]
 payload = id
-rules = uid=
-    gid=
-    groupes=
+rules = ' gid='
+    ' groupes='
+    ' groups='
 description = Command execution
 status = vulnerability
 
 [no_escape_owasp_benchmark]
 payload = id
-rules = uid&#x3d;
-    gid&#x3d;
-    groupes&#x3d;
+rules = ' gid&#x3d;'
+    ' groupes&#x3d;'
+    ' groups&#x3d;'
 description = Command execution
 status = vulnerability