[Nikto-discuss] db_404_strings processing

Geoff Galitz geoff at galitz.org
Mon Nov 19 12:05:32 CST 2012



Ah ha...  indeed the string is being echoed in the 404 doc.  What's the
best way to deal with that?

-G



> is the attack string echoed in the 404 page anywhere? those should match on
> the content with a regex, and only trigger if that raw string is found.
>
> On Mon, Nov 19, 2012 at 12:51 PM, Geoff Galitz <geoff at galitz.org> wrote:
>
>>
>> If I use curl -v to inspect it, it shows as a 404, though we return a
>> pretty big page with that.
>>
>> It seems like all of these false positives are XSS related.  When I issue
>> that URL manually (in a web browser or via curl) I get the expected custom
>> 404 page.
>>
>> Among the vast volume of output from nikto are lines like this:
>>
>> + OSVDB-651: /cgi-local/cgiemail-1.6/cgicso?query=<script>alert('Vulnerable')</script>: This CGI is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
>> + OSVDB-651: /cgi-local/cgiemail-1.4/cgicso?query=<script>alert('Vulnerable')</script>: This CGI is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
>> + OSVDB-7022: /calendar.php?year=<script>alert(document.cookie);</script>&month=03&day=05: DCP-Portal v5.3.1 is vulnerable to  Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
>>
>> It could be that my theory on why this is happening is just plain wrong.
>>
>> -G
>>
>>
>> > That should work. what is the response code you're sending for 404s, is it
>> > 200 or something else?
>> >
>> > Also, you can put them in udb_404_strings so an update won't step on your
>> > own changes.
>> >
>> > -Sullo
>> >
>> > On Mon, Nov 19, 2012 at 12:06 PM, Geoff Galitz <geoff at galitz.org> wrote:
>> >
>> >>
>> >>
>> >> Hi all.
>> >>
>> >> I am getting what seem to be false positives.  I suspect nikto is not
>> >> recognizing the custom 404s we send out.  I've added some of the text and
>> >> some of the unique code of our 404 to db_404_strings but it does not seem
>> >> to help.
>> >>
>> >> I am wondering if I need to do anything special after simply adding some
>> >> text to that file?  Currently I have this:
>> >> <div id="not-found-content" style="bottom: 98px;">
>> >>
>> >> Would special punctuation cause a problem?
>> >>
>> >> -G
>> >>
>> >>
>> >>
>> >> ------------------------------
>> >> Geoff Galitz
>> >> http://www.galitz.org
>> >>
>> >> _______________________________________________
>> >> Nikto-discuss mailing list
>> >> Nikto-discuss at attrition.org
>> >> https://attrition.org/mailman/listinfo/nikto-discuss
>> >>
>> >
>> >
>> >
>> > --
>> >
>> > http://www.cirt.net     |      http://richsec.com/
>> >
>>
>>
>> ------------------------------
>> Geoff Galitz
>> http://www.galitz.org
>>
>>
>
>
> --
>
> http://www.cirt.net     |      http://richsec.com/
>


------------------------------
Geoff Galitz
http://www.galitz.org
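
The situation in this thread, as an added example that is not part of the original messages and is not Nikto's code: a custom 404 page that echoes the requested URI satisfies a raw-string content match, and the same page stops matching once the echo is HTML-encoded. `render_404`, `content_match` and `triage` are hypothetical names; the marker and request are taken from the thread, and the page body is constructed.

```python
import html
import re

# Constructed sample data taken from the thread: the 404 marker Geoff added
# to db_404_strings and one of the reported request/payload pairs.
NOT_FOUND_MARKER = '<div id="not-found-content"'
PAYLOAD = "<script>alert(document.cookie);</script>"
REQUEST = "/calendar.php?year=" + PAYLOAD + "&month=03&day=05"


def render_404(request_uri, escape):
    """Hypothetical custom 404 handler that echoes the requested URI."""
    shown = html.escape(request_uri, quote=True) if escape else request_uri
    body = (
        "<html><body>"
        + NOT_FOUND_MARKER + ' style="bottom: 98px;">'
        + "<p>Nothing found at " + shown + "</p></div></body></html>"
    )
    return 404, body


def content_match(body, payload):
    """Fire only if the raw payload string appears in the response body."""
    return re.search(re.escape(payload), body) is not None


def triage(status, body, payload):
    """Label a response so a reviewer can tell the cases apart."""
    is_404 = status == 404 or NOT_FOUND_MARKER in body
    if not content_match(body, payload):
        return "no match"
    return "raw reflection in 404 page" if is_404 else "raw reflection"


if __name__ == "__main__":
    for escape in (False, True):
        status, body = render_404(REQUEST, escape)
        print("escaped" if escape else "raw", "->", triage(status, body, PAYLOAD))
```

The encoded page still carries the 404 marker; only the raw payload string is gone, so the content match has nothing to hit.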


