[Nikto-discuss] problem with POST testing XSS

Andre, Lionel landre at atg.com
Fri Dec 3 13:03:25 CST 2010


Sullo.

Thank you!

"HTTP data to be sent during POST tests" in the Fine Manual should have given me a hint ... :)


It worked like a charm!

From: Sullo [mailto:csullo at gmail.com]
Sent: Friday, December 03, 2010 1:12 PM
To: Andre, Lionel
Cc: nikto-discuss at attrition.org
Subject: Re: [Nikto-discuss] problem with POST testing XSS

You are sending the data in the query string--is that what you want, or should it be the post data portion? If so, this should be the line:
"400004","0","4","/mysearch/mySearchResults.jsp","POST","alert(4567890)","","","","","Form Submission XSS vulnerability exists","_ARGS=/mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform",""

On Fri, Dec 3, 2010 at 12:14 PM, Andre, Lionel <landre at atg.com> wrote:

I have a weird issue with testing the submission of a form using POST.

Using the Live HTTP Headers extension in FF I grabbed the whole form submission. Using the replay function in FF it works fine; however, using nikto in debug mode I get the following info (sanitized a few things).

Any ideas are welcome.  The form itself has a lot of hidden fields in it and I am trying to figure out which ones are absolutely required.

Thanks!
The contents of the udb_test line:

"400004","0","4","/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform","POST","alert(4567890)","","","","","Form Submission XSS vulnerability exists","",""


THE REQUEST:

D:Thu Dec  2 14:48:29 2010 'Request Hash' = {
                'whisker' => {
                                'protocol' => 'HTTP',
                                'require_newline_after_headers' => 0,
                                'lowercase_incoming_headers' => 1,
                                'uri_prefix' => '',
                                'ssl_save_info' => 1,
                                'http_space2' => ' ',
                                'uri_param_sep' => '?',
                                'timeout' => 10,
                                'http_space1' => ' ',
                                'method' => 'POST',
                                'force_open' => 0,
                                'include_host_in_uri' => 0,
                                'ignore_duplicate_headers' => 1,
                                'uri_postfix' => '',
                                'keep-alive' => 1,
                                'ssl' => 0,
                                'version' => '1.1',
                                'data' => '',
                                'port' => 80,
                                'uri' => '/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform',
                                'host' => '127.0.0.1',
                                'retry' => 0,
                                'normalize_incoming_headers' => 1,
                                'invalid_protocol_return_value' => 1,
                                'force_bodysnatch' => 0,
                                'MAGIC' => 31339,
                                'max_size' => 0,
                                'trailing_slurp' => 0,
                                'force_close' => 0,
                                'http_eol' => "\r\n"
                },
                'User-Agent' => 'Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:400004)',
                'Connection' => 'Keep-Alive',
                'Content-Length' => 0,
                'Content-Type' => 'application/x-www-form-urlencoded',
                'Host' => '127.0.0.1'
};



RESPONSE:



D:Thu Dec  2 14:48:29 2010 'Result Hash' = {
                'connection' => 'close',
                'whisker' => {
                                'protocol' => 'HTTP',
                                'lowercase_incoming_headers' => 1,
                                'http_space2' => ' ',
                                'stats_reqs' => 21,
                                'http_space1' => ' ',
                                'code' => 400,
                                'stats_syns' => 6,
                                'version' => '1.1',
                                'abnormal_header_spacing' => 1,
                                'data' => '<html><body><b>Http/1.1 Bad Request</b></body> </html>',
                                'uri' => '/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform',
                                'message' => 'Bad Request',
                                'header_order' => [
                                                'content-length',
                                                'connection'
                                ],
                                'http_data_sent' => 1,
                                'MAGIC' => 31340,
                                'http_eol' => "\r\n",
                                'socket_state' => 0
                },
                'content-length' => 54
};







--

http://www.cirt.net     |      http://www.osvdb.org/
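As an added illustration (not code from the thread, nor Nikto's own), a small Python lint that parses a db_tests line, flags the mistake shown above (form fields in the URI of a POST test, which is why the debug dump shows 'data' => '' and Content-Length 0) and rewrites the entry the way Sullo's corrected line does. The column names are assumed from the 13-column layout both lines use; the sample line is a constructed, shortened stand-in for the thread's.

```python
import csv
import io

# Column names of a Nikto db_tests entry, in order.  Assumed from the 13-column
# layout both lines in the thread use; column 12 is the "HTTP data to be sent
# during POST tests" field that the manual refers to.
DB_TESTS_FIELDS = ["test_id", "osvdb_id", "tuning", "uri", "method", "match1",
                   "match1_or", "match1_and", "fail1", "fail2", "summary",
                   "data", "headers"]

# Constructed, shortened stand-in for the thread's original (broken) line.
BROKEN_LINE = ('"400004","0","4","/mysearch/mySearchResults.jsp?_dyncharset=ISO-8859-1'
               '&searchString=%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E","POST",'
               '"alert(4567890)","","","","","Form Submission XSS vulnerability exists","",""')

def parse_db_tests_line(line):
    """Split one quoted, comma-separated db_tests line into a dict keyed by column."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(DB_TESTS_FIELDS):
        raise ValueError(f"expected {len(DB_TESTS_FIELDS)} columns, got {len(row)}")
    return dict(zip(DB_TESTS_FIELDS, row))

def expected_content_length(entry):
    """Body size Nikto announces: only the data column becomes the POST body."""
    return len(entry["data"].encode("latin-1"))

def lint_post_test(entry):
    """Warn when a POST test carries its form fields in the URI instead of the data column."""
    warnings = []
    if entry["method"].upper() == "POST" and not entry["data"] and "?" in entry["uri"]:
        warnings.append("POST test sends an empty body (Content-Length 0); "
                        "form fields are in the query string, not the data column")
    return warnings

def move_query_to_post_data(entry):
    """Rewrite as in the corrected line: path stays in uri, query string becomes data."""
    fixed = dict(entry)
    path, sep, query = entry["uri"].partition("?")
    if sep and entry["method"].upper() == "POST" and not entry["data"]:
        fixed["uri"], fixed["data"] = path, query
    return fixed

def format_db_tests_line(entry):
    """Serialise the entry back into db_tests syntax (every column double-quoted)."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="").writerow(
        [entry[f] for f in DB_TESTS_FIELDS])
    return buf.getvalue()
```

Running `lint_post_test(parse_db_tests_line(BROKEN_LINE))` reports the misplaced form data, and `format_db_tests_line(move_query_to_post_data(...))` emits the corrected entry with the path alone in column 4 and the urlencoded fields in column 12.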