[Nikto-discuss] db_404_strings processing

Sullo csullo at gmail.com
Mon Nov 19 11:54:49 CST 2012


Is the attack string echoed in the 404 page anywhere? Those should match on
the content with a regex, and only trigger if that raw string is found.

On Mon, Nov 19, 2012 at 12:51 PM, Geoff Galitz <geoff at galitz.org> wrote:

>
> If I use curl -v to inspect it, it shows as a 404, though we return a
> pretty big page with that.
>
> It seems like all of these false positives are XSS related.  When I issue
> that URL manually (in a web browser or via curl) I get the expected custom
> 404 page.
>
> Among the vast volume of output from nikto are lines like this:
>
> + OSVDB-651:
> /cgi-local/cgiemail-1.6/cgicso?query=<script>alert('Vulnerable')</script>:
> This CGI is vulnerable to Cross Site Scripting (XSS).
> http://www.cert.org/advisories/CA-2000-02.html.
> + OSVDB-651:
> /cgi-local/cgiemail-1.4/cgicso?query=<script>alert('Vulnerable')</script>:
> This CGI is vulnerable to Cross Site Scripting (XSS).
> http://www.cert.org/advisories/CA-2000-02.html.
> + OSVDB-7022:
> /calendar.php?year=<script>alert(document.cookie);</script>&month=03&day=05:
> DCP-Portal v5.3.1 is vulnerable to  Cross Site Scripting (XSS).
> http://www.cert.org/advisories/CA-2000-02.html.
>
> It could be that my theory on why this is happening is just plain wrong.
>
> -G
>
>
> > That should work. What is the response code you're sending for 404s, is it
> > 200 or something else?
> >
> > Also, you can put them in udb_404_strings so an update won't step on your
> > own changes.
> >
> > -Sullo
> >
> > On Mon, Nov 19, 2012 at 12:06 PM, Geoff Galitz <geoff at galitz.org> wrote:
> >
> >>
> >>
> >> Hi all.
> >>
> >> I am getting what seem to be false positives.  I suspect nikto is not
> >> recognizing the custom 404s we send out.  I've added some of the text and
> >> some of the unique code of our 404 to db_404_strings but it does not seem
> >> to help.
> >>
> >> I am wondering if I need to do anything special after simply adding some
> >> text to that file?  Currently I have this:  <div id="not-found-content"
> >> style="bottom: 98px;">
> >>
> >> Would special punctuation cause a problem?
> >>
> >> -G
> >>
> >>
> >>
> >> ------------------------------
> >> Geoff Galitz
> >> http://www.galitz.org
> >>
> >> _______________________________________________
> >> Nikto-discuss mailing list
> >> Nikto-discuss at attrition.org
> >> https://attrition.org/mailman/listinfo/nikto-discuss
> >>
> >
> >
> >
> > --
> >
> > http://www.cirt.net     |      http://richsec.com/
> >
>
>
> ------------------------------
> Geoff Galitz
> http://www.galitz.org
>
>


-- 

http://www.cirt.net     |      http://richsec.com/
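
An added example, not part of the thread and not Nikto's own code: a simplified Python model of the check described in the reply above, where a finding should only trigger if the raw attack string appears in the response body. The marker and match string are copied from the quoted messages; `triage`, `build_404` and the sample 404 pages are constructed for illustration.

```python
import html
import re

# Marker quoted in the thread as the db_404_strings entry being tried.
MARKER = '<div id="not-found-content" style="bottom: 98px;">'
# Match string taken from the OSVDB-651 lines quoted in the thread.
ATTACK = "<script>alert('Vulnerable')</script>"


def triage(status, body, attack=ATTACK, marker=MARKER):
    """Classify one response against a raw-string content match (hypothetical helper)."""
    # re.escape so the punctuation in the attack string is matched literally.
    raw = re.search(re.escape(attack), body) is not None
    # Common HTML-encoded forms of the same string (with and without quote encoding).
    encoded_forms = {html.escape(attack, quote=True), html.escape(attack, quote=False)}
    encoded = any(form in body for form in encoded_forms)
    if raw:
        verdict = "raw-echo"      # raw string present: a content match would fire
    elif encoded:
        verdict = "encoded-echo"  # only the encoded form is present: no raw match
    else:
        verdict = "no-echo"       # request is not reflected at all
    return {"status": status, "custom_404": marker in body, "verdict": verdict}


def build_404(requested, escape):
    """Constructed stand-in for a custom 404 page that prints the requested URL."""
    shown = html.escape(requested) if escape else requested
    return f"<html><body>{MARKER}<p>Not found: {shown}</p></div></body></html>"


# Constructed sample responses (not captured from any real server).
PATH = "/cgi-local/cgiemail-1.6/cgicso?query=" + ATTACK
SAMPLES = {
    "echoes request unescaped": build_404(PATH, escape=False),
    "echoes request HTML-encoded": build_404(PATH, escape=True),
    "static page": build_404("the page you asked for", escape=False),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:30} {triage(404, body)}")
```

A `raw-echo` result on a page that also carries the 404 marker means the error page itself prints the request unescaped, which is worth confirming by hand before filing the line as a false positive.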