False positive from passive scan for Timestamp Disclosure - Unix for UUIDs

Describe the bug

We have resources that are in the form of a UUID.

To Reproduce

  1. Create a web service that serves the raw content of https://hg.mozilla.org/mozilla-central/raw-file/tip/xpcom/base/nsISupports.idl
  2. Create a passive scan of that single file
  3. See a timestamp disclosure complaint for 00000000

Expected behavior

UUIDs or things that are close enough to UUIDs should not be treated as timestamps.

Additional context

Here’s the relevant content from the file:

[scriptable, uuid(00000000-0000-0000-c000-000000000046)]

Would you like to help fix this issue? Yes

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Comments: 7 (6 by maintainers)

Top GitHub Comments

1 reaction
thc202 commented, Oct 15, 2021

True, that’s a value that could always be ignored.

1 reaction
psiinon commented, Oct 15, 2021

Or we could check for all zeros as a special case - that's unlikely to be a real timestamp 😃
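The two heuristics the report and the maintainers' replies converge on (an all-zero digit run is never a real timestamp, and a digit run that sits inside a UUID should not be reported) are illustrated below in Python. This is an added example, not ZAP's own passive scan rule: the digit-run regex, the UUID regex, the year window and the sample response body are constructed assumptions, and the real rule's pattern and thresholds may differ.

```python
import re
from datetime import datetime, timezone

# Candidate Unix timestamps: 8 to 10 decimal digits not glued to other digits.
# Assumption for this example; ZAP's actual pattern may differ.
TIMESTAMP_RE = re.compile(r"(?<!\d)(\d{8,10})(?!\d)")

# RFC 4122 textual UUID layout (8-4-4-4-12 hex groups).
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

# Plausibility window: only values inside it are worth reporting (assumption).
DEFAULT_LO = int(datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp())
DEFAULT_HI = int(datetime(2100, 1, 1, tzinfo=timezone.utc).timestamp())

# Constructed response body: the IDL line from the issue plus a header-like
# line carrying a genuine epoch value that a reviewer would want flagged.
SAMPLE_BODY = (
    "[scriptable, uuid(00000000-0000-0000-c000-000000000046)]\n"
    "X-Build-Epoch: 1634256000\n"
)


def uuid_spans(text):
    """Character ranges occupied by UUID-shaped strings; hits inside them are suppressed."""
    return [m.span() for m in UUID_RE.finditer(text)]


def inside_any(span, spans):
    start, end = span
    return any(a <= start and end <= b for a, b in spans)


def find_timestamps(text, lo=DEFAULT_LO, hi=DEFAULT_HI):
    """Return (digits, ISO-8601 UTC) pairs for plausible Unix timestamps in text.

    Suppresses (1) all-zero runs such as 00000000 and (2) runs embedded in a
    UUID, which is what the issue asks for.
    """
    protected = uuid_spans(text)
    hits = []
    for m in TIMESTAMP_RE.finditer(text):
        digits = m.group(1)
        if digits.strip("0") == "":
            continue  # special case from the thread: all zeros is never a timestamp
        if inside_any(m.span(1), protected):
            continue  # part of a UUID, not a timestamp
        value = int(digits)
        if not lo <= value <= hi:
            continue  # outside the plausible year window
        when = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
        hits.append((digits, when))
    return hits


if __name__ == "__main__":
    for digits, when in find_timestamps(SAMPLE_BODY):
        print(f"possible timestamp {digits} -> {when}")
```

Running the block on the constructed body reports only the `X-Build-Epoch` value; the `00000000` group from the IDL line is dropped twice over, once for being all zeros and once for sitting inside a UUID. The `lo` and `hi` window is what keeps the 8-digit first group of an arbitrary UUID (at most 99,999,999, i.e. early 1973) from being reported even without the UUID check, so the two suppressions are complementary rather than redundant.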
