[Nikto-discuss] problem with POST testing XSS
Andre, Lionel
landre at atg.com
Fri Dec 3 13:03:25 CST 2010
Sullo.
Thank you!
"HTTP data to be sent during POST tests" in the Fine Manual should have given me a hint ... :)
It worked like a charm!
From: Sullo [mailto:csullo at gmail.com]
Sent: Friday, December 03, 2010 1:12 PM
To: Andre, Lionel
Cc: nikto-discuss at attrition.org
Subject: Re: [Nikto-discuss] problem with POST testing XSS
You are sending the data in the query string--is that what you want, or should it be the post data portion? If so, this should be the line:
"400004","0","4","/mysearch/mySearchResults.jsp","POST","alert(4567890)","","","","","Form Submission XSS vulnerability exists","_ARGS=/
mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform",""
On Fri, Dec 3, 2010 at 12:14 PM, Andre, Lionel <landre at atg.com<mailto:landre at atg.com>> wrote:
I have a weird issue with testing the submission of a form using POST.
Using live HTTP headers extension in FF I grabbed the whole form submission. Using the replay function in FF it works fine, however using nikto in debug mode I get the following info. (sanitized a few things)
Any ideas are welcome. The form itself has a lot of hidden fields in it and I am trying to figure out which ones are absolutely required.
Thanks!
The contents of the udb_test line:
"400004","0","4","/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform","POST","alert(4567890)","","","","","Form Submission XSS vulnerability exists","",""
THE REQUEST:
D:Thu Dec 2 14:48:29 2010 'Request Hash' = {
'whisker' => {
'protocol' => 'HTTP',
'require_newline_after_headers' => 0,
'lowercase_incoming_headers' => 1,
'uri_prefix' => '',
'ssl_save_info' => 1,
'http_space2' => ' ',
'uri_param_sep' => '?',
'timeout' => 10,
'http_space1' => ' ',
'method' => 'POST',
'force_open' => 0,
'include_host_in_uri' => 0,
'ignore_duplicate_headers' => 1,
'uri_postfix' => '',
'keep-alive' => 1,
'ssl' => 0,
'version' => '1.1',
'data' => '',
'port' => 80,
'uri' => '/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform',
'host' => '127.0.0.1',
'retry' => 0,
'normalize_incoming_headers' => 1,
'invalid_protocol_return_value' => 1,
'force_bodysnatch' => 0,
'MAGIC' => 31339,
'max_size' => 0,
'trailing_slurp' => 0,
'force_close' => 0,
'http_eol' => "\r\n"
},
'User-Agent' => 'Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:400004)',
'Connection' => 'Keep-Alive',
'Content-Length' => 0,
'Content-Type' => 'application/x-www-form-urlencoded',
'Host' => '127.0.0.1'
};
RESPONSE:
D:Thu Dec 2 14:48:29 2010 'Result Hash' = {
'connection' => 'close',
'whisker' => {
'protocol' => 'HTTP',
'lowercase_incoming_headers' => 1,
'http_space2' => ' ',
'stats_reqs' => 21,
'http_space1' => ' ',
'code' => 400,
'stats_syns' => 6,
'version' => '1.1',
'abnormal_header_spacing' => 1,
'data' => '<html><body><b>Http/1.1 Bad Request</b></body> </html>',
'uri' => '/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform',
'message' => 'Bad Request',
'header_order' => [
'content-length',
'connection'
],
'http_data_sent' => 1,
'MAGIC' => 31340,
'http_eol' => "\r\n",
'socket_state' => 0
},
'content-length' => 54
};
_______________________________________________
Nikto-discuss mailing list
Nikto-discuss at attrition.org<mailto:Nikto-discuss at attrition.org>
https://attrition.org/mailman/listinfo/nikto-discuss
--
http://www.cirt.net | http://www.osvdb.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://attrition.org/pipermail/nikto-discuss/attachments/20101203/8d107053/attachment-0001.html>
More information about the Nikto-discuss
mailing list