False positive issues

[MolowoXyz]

When i used your tool,it gives false positives to the website i scanned.I thought it is zero false positive.Kindly improve on the tool because of your reputation.

[stefan-stojanovic-s]

There is no such tool that will give you 0% false positives. That's why you use more than one tool for the job.
This is not an issue, nor a problem related to repo. The tool is awesome

[derekmpage]

See https://github.com/fullhunt/spring4shell-scan/blob/master/spring4shell-scan.py#L160 - the tool says that unless it gets a HTTP 200 or HTTP 404, the system is vulnerable. This is a very bad assumption. How about a WAF or any other layer returning a 403 (access denied) or 400 (bad request)?

Applied following diff for better debugging:

diff --git a/spring4shell-scan.py b/spring4shell-scan.py
index 7c911a7..f25dd89 100755
--- a/spring4shell-scan.py
+++ b/spring4shell-scan.py
@@ -158,6 +158,7 @@ def test_url_cve_2022_22965(url):
data={parameter: value},
proxies=proxies)
if r.status_code not in (200, 404) and verify_base_request(url, "POST") != r.status_code:
+ print(r.status_code, url, {parameter: value})
return True
except Exception as e:
cprint(f"EXCEPTION: {e}")
@@ -171,6 +172,7 @@ def test_url_cve_2022_22965(url):
params={parameter: value},
proxies=proxies)
if r.status_code not in (200, 404) and verify_base_request(url, "GET") != r.status_code:
+ print(r.status_code, url)
return True
except Exception as e:
cprint(f"EXCEPTION: {e}")

Now we can see what is claimed vulnerable:

Run this payload in curl:

> curl -i -XPOST https://www.example.com/ -d "{'class.module.classLoader[2akirzr]': '2akirzr'}"
HTTP/2 403
server: Varnish
retry-after: 0
accept-ranges: bytes
date: Fri, 22 Apr 2022 13:49:45 GMT
content-length: 0