[Nikto-discuss] problem with POST testing XSS

Sullo csullo at gmail.com
Fri Dec 3 12:11:31 CST 2010


You are sending the data in the query string--is that what you want, or
should it be the post data portion? If so, this should be the line:

"400004","0","4","/mysearch/mySearchResults.jsp","POST","alert(4567890)","","","","","Form Submission XSS vulnerability exists","_ARGS=/mysearch/gadgets/mySearch.jsp.searchform
_dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform",""


On Fri, Dec 3, 2010 at 12:14 PM, Andre, Lionel <landre at atg.com> wrote:

>
> I have a weird issue with testing the submission of a form using POST.
>
> Using live HTTP headers extension in FF I grabbed the whole form
> submission.  Using the replay function in FF it works fine, however using
> nikto in debug mode I get the following info.  (sanitized a few things)
>
> Any ideas are welcome.  The form itself has a lot of hidden fields in it
> and I am trying to figure out which ones are absolutely required.
>
> Thanks!
>
> The contents of the udb_test line:
>
> "400004","0","4","/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform
> _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform","POST","alert(4567890)","","","","","Form
> Submission XSS vulnerability exists","",""
>
> THE REQUEST:
>
> D:Thu Dec  2 14:48:29 2010 'Request Hash' = {
>                 'whisker' => {
>                                 'protocol' => 'HTTP',
>                                 'require_newline_after_headers' => 0,
>                                 'lowercase_incoming_headers' => 1,
>                                 'uri_prefix' => '',
>                                 'ssl_save_info' => 1,
>                                 'http_space2' => ' ',
>                                 'uri_param_sep' => '?',
>                                 'timeout' => 10,
>                                 'http_space1' => ' ',
>                                 'method' => 'POST',
>                                 'force_open' => 0,
>                                 'include_host_in_uri' => 0,
>                                 'ignore_duplicate_headers' => 1,
>                                 'uri_postfix' => '',
>                                 'keep-alive' => 1,
>                                 'ssl' => 0,
>                                 'version' => '1.1',
>                                 'data' => '',
>                                 'port' => 80,
>                                 'uri' =>
> '/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform
> _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform',
>                                 'host' => '127.0.0.1',
>                                 'retry' => 0,
>                                 'normalize_incoming_headers' => 1,
>                                 'invalid_protocol_return_value' => 1,
>                                 'force_bodysnatch' => 0,
>                                 'MAGIC' => 31339,
>                                 'max_size' => 0,
>                                 'trailing_slurp' => 0,
>                                 'force_close' => 0,
>                                 'http_eol' => "\r\n"
>                 },
>                 'User-Agent' => 'Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:400004)',
>                 'Connection' => 'Keep-Alive',
>                 'Content-Length' => 0,
>                 'Content-Type' => 'application/x-www-form-urlencoded',
>                 'Host' => '127.0.0.1'
> };
>
> RESPONSE:
>
> D:Thu Dec  2 14:48:29 2010 'Result Hash' = {
>                 'connection' => 'close',
>                 'whisker' => {
>                                 'protocol' => 'HTTP',
>                                 'lowercase_incoming_headers' => 1,
>                                 'http_space2' => ' ',
>                                 'stats_reqs' => 21,
>                                 'http_space1' => ' ',
>                                 'code' => 400,
>                                 'stats_syns' => 6,
>                                 'version' => '1.1',
>                                 'abnormal_header_spacing' => 1,
>                                 'data' => '<html><body><b>Http/1.1 Bad Request</b></body> </html>',
>                                 'uri' =>
> '/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform
> _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform',
>                                 'message' => 'Bad Request',
>                                 'header_order' => [
>                                                 'content-length',
>                                                 'connection'
>                                 ],
>                                 'http_data_sent' => 1,
>                                 'MAGIC' => 31340,
>                                 'http_eol' => "\r\n",
>                                 'socket_state' => 0
>                 },
>                 'content-length' => 54
> };
>
> _______________________________________________
> Nikto-discuss mailing list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss


-- 

http://www.cirt.net     |      http://www.osvdb.org/
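An added illustration of the point in this thread, written for this archive page and not taken from Nikto or from either poster: the script below parses both shapes of the test line (the original one with the form body pasted onto the URI, and the corrected one with the body in the data field), lints each for the two defects visible in the debug dump (whitespace inside the URI, which makes the request line unparseable and draws the 400, and an empty body on a POST, which is why Content-Length is 0), and shows which decoded form fields the target handler would actually receive. The 13-field layout and the field names are assumed from the Nikto 2.1.x db_tests format; the form body is a shortened, constructed stand-in for the one quoted above.

```python
"""Preview and lint Nikto 2.1.x-style db_tests entries (added example, not Nikto code)."""
import csv
from urllib.parse import parse_qsl

# Assumed 13-field layout of a Nikto 2.1.x db_tests line.
FIELDS = ["id", "osvdb", "tuning", "uri", "method", "match", "match_or",
          "match_and", "fail", "fail_2", "summary", "data", "headers"]

# Constructed, shortened stand-in for the form body quoted in the thread.
BODY = ("_dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779"
        "&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString="
        "%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C"
        "&searchExecByFormSubmit=true")

# Shape 1: the body was pasted onto the URI field (line break included); data field empty.
BROKEN_LINE = ('"400004","0","4",'
               '"/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform\n'
               + BODY + '","POST","alert(4567890)","","","","",'
               '"Form Submission XSS vulnerability exists","",""')

# Shape 2: URI holds only the path; the whole form body goes in the data field.
FIXED_LINE = ('"400004","0","4","/mysearch/mySearchResults.jsp","POST","alert(4567890)",'
              '"","","","","Form Submission XSS vulnerability exists",'
              '"_ARGS=/mysearch/gadgets/mySearch.jsp.searchform&' + BODY + '",""')


def parse_test_line(line):
    """Split one quoted, comma-separated test line into a dict keyed by FIELDS."""
    fields = next(csv.reader([line]))  # csv handles newlines inside quoted fields
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(fields)}")
    return dict(zip(FIELDS, fields))


def lint_test(test):
    """Return the problems that would make the emitted request malformed or empty."""
    problems = []
    if any(ch in test["uri"] for ch in "\r\n \t"):
        problems.append("uri contains whitespace: request line is malformed (server answers 400)")
    if test["method"] == "POST" and not test["data"]:
        problems.append("POST with empty data field: Content-Length 0, no form fields sent")
    if test["method"] != "POST" and test["data"]:
        problems.append("data field set on a non-POST test")
    return problems


def build_request(test, host="127.0.0.1"):
    """Render a simplified raw HTTP/1.1 request for the entry (headers as in the dump)."""
    body = test["data"]
    lines = [f"{test['method']} {test['uri']} HTTP/1.1",
             f"Host: {host}",
             "Content-Type: application/x-www-form-urlencoded",
             f"Content-Length: {len(body.encode())}",
             "",
             body]
    return "\r\n".join(lines)


def form_fields(test):
    """Decoded form fields the target form handler would see in the POST body."""
    return dict(parse_qsl(test["data"], keep_blank_values=True))


if __name__ == "__main__":
    for label, line in (("broken", BROKEN_LINE), ("fixed", FIXED_LINE)):
        entry = parse_test_line(line)
        print(f"== {label}: {lint_test(entry) or 'no problems'}")
        print(build_request(entry))
        print("form fields received:", sorted(form_fields(entry)))
```

Running it prints the two requests side by side: the broken entry yields a request line with an embedded newline and `Content-Length: 0`, while the fixed entry yields a clean request line and a body in which the `searchString` field carries the injected markup, which is the only way the test can exercise the form handler at all.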