[Nikto-discuss] Newbie needs help

David Lodge dave at cirt.net
Fri Sep 18 07:45:09 UTC 2009


On Thu, 17 Sep 2009 15:47:12 +0100, Tony Wasson <tony.wasson at trin.net>  
wrote:

> I'm a newbie to nikto, have run several scans and the output has items  
> like the ones below,
> URI
>
> /forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22

What Nikto does with these vulnerabilities and many others is to attempt  
to inject JavaScript into the page. Then it looks at the resultant page to  
see whether the JavaScript is in there.

On a normal web server this is great at finding vulnerabilities;  
unfortunately some servers customise their 404 (page not found) pages, or  
even sometimes don't produce a 404. What Nikto does in this case is  
attempt to see whether it is a standard page or not. Unfortunately this  
doesn't always work, so if you get a lot of similar requests they may be  
false positives.

The thing to do, like with any automated vulnerability scanner, is to  
perform a quick manual check and see what happens when you use that URL.  
There may be an underlying vulnerability with the 404 page that allows  
XSS: I found one on a recent test where they had a redirect page for every  
URI, which put up an HTTP redirect and an href based on the path given (to  
redirect to the HTTPS version of the site). This meant that you could  
perform an XSS attack by just doing:
http://host/"><script>alert("This is vulnerable");</script>

If it turns out that the apps presented are not present, it could be that  
you have a redirection page, like the one above, installed. I would check  
this out manually. If you wish I can take a look at it; I may even be able  
to tune Nikto to cope with it in future (obviously redacting privileged  
information).

Thanks

dave
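The manual check recommended in the reply above, written out as an added example (it is not part of the original thread and is not Nikto's own code). The idea: request the URI Nikto flagged, then request a random path that no application could be serving, both carrying the same payload. If the payload comes back unescaped from both, the site answers every URI with the same page and the XSS is in that 404/redirect page rather than in the app Nikto named. The server responses below are constructed models of the two behaviours described (a redirect page that copies the path into an href, and a custom 404 that ignores it), not captures from any real host; `host`, the function names and the verdict labels are all placeholders chosen for this example.

```python
"""Manual triage of a Nikto XSS hit.

Added example, not Nikto's code nor anything posted in the thread. The
server responses below are constructed models of the behaviour described in
the reply (a redirect page that copies the request path into an href, and a
plain custom 404), not output captured from any real host. Hostnames, paths
and function names are placeholders."""
import html
import http.client
import secrets
from urllib.parse import quote

# The payload from the post, as it arrives after URL-decoding.
PAYLOAD = '"><script>alert("This is vulnerable");</script>'

VERDICTS = {
    "catch-all-xss": "every URI reflects input: XSS is in the 404/redirect page, not the flagged app",
    "confirmed-xss": "flagged URI reflects the payload unescaped",
    "fp-escaped": "false positive: payload reflected but HTML-entity-encoded",
    "fp-not-reflected": "false positive: payload does not appear in the response",
}


def vulnerable_redirect_page(path: str) -> str:
    """Constructed model of the HTTP->HTTPS redirect page from the reply: the
    raw request path is dropped into a meta refresh and an href, so a quote
    in the path closes the attribute and the rest renders as markup."""
    target = "https://host" + path
    return (
        f'<html><head><meta http-equiv="refresh" content="0;url={target}"></head>'
        f'<body>Moved to <a href="{target}">{target}</a></body></html>'
    )


def hardened_redirect_page(path: str) -> str:
    """Same page, with the path percent-encoded before it is embedded and
    the result entity-encoded for the HTML attribute context."""
    target = html.escape("https://host" + quote(path, safe="/"), quote=True)
    return (
        f'<html><head><meta http-equiv="refresh" content="0;url={target}"></head>'
        f'<body>Moved to <a href="{target}">{target}</a></body></html>'
    )


def custom_404_page(path: str) -> str:
    """Constructed model of a custom 'not found' page that ignores the path."""
    return "<html><body><h1>Sorry, we could not find that page.</h1></body></html>"


def reflection_state(body: str, payload: str) -> str:
    """'raw' if the payload is in the body verbatim (the script would run),
    'escaped' if only an entity-encoded copy is present, otherwise 'none'."""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    return "none"


def triage(hit_body: str, control_body: str, payload: str) -> str:
    """Classify one Nikto hit.

    hit_body:     response to the exact URI Nikto flagged.
    control_body: response to a random, certainly nonexistent path carrying
                  the same payload. If the control reflects too, the site
                  answers every URI with the same page and the hit says
                  nothing about the app Nikto named.
    """
    hit = reflection_state(hit_body, payload)
    control = reflection_state(control_body, payload)
    if hit == "raw" and control == "raw":
        return "catch-all-xss"
    if hit == "raw":
        return "confirmed-xss"
    if hit == "escaped":
        return "fp-escaped"
    return "fp-not-reflected"


def fetch_body(host: str, path: str, https: bool = False) -> str:
    """Fetch a (percent-encoded) path against a live host without following
    redirects, so the body of a 3xx page is inspected rather than its target.
    Not used by the offline demo below."""
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    conn.request("GET", path)
    body = conn.getresponse().read().decode("utf-8", errors="replace")
    conn.close()
    return body


if __name__ == "__main__":
    flagged = "/forum_members.asp?find=" + PAYLOAD
    random_uri = "/" + secrets.token_hex(8) + "/" + PAYLOAD   # control request
    echoed = '<input name="find" value="%s">' % PAYLOAD
    encoded = '<input name="find" value="%s">' % html.escape(PAYLOAD, quote=True)
    cases = {
        "redirect page on every URI": (vulnerable_redirect_page(flagged), vulnerable_redirect_page(random_uri)),
        "hardened redirect page": (hardened_redirect_page(flagged), hardened_redirect_page(random_uri)),
        "app echoes search term": (echoed, custom_404_page(random_uri)),
        "app entity-encodes it": (encoded, custom_404_page(random_uri)),
    }
    for name, (hit, control) in cases.items():
        verdict = triage(hit, control, PAYLOAD)
        print(f"{name:28s} -> {verdict}: {VERDICTS[verdict]}")
```

Against a live target, build the two paths with `quote()` (the payload must be percent-encoded in the request line, exactly as Nikto sends it) and pass the bodies from `fetch_body()` to `triage()`; the control path matters because a catch-all redirect or 404 page reflects the payload for every one of Nikto's hundreds of app-specific URIs, which is the "lot of similar requests" pattern the reply describes.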

