[Nikto-discuss] db_404_strings processing
Sullo
csullo at gmail.com
Mon Nov 19 12:06:54 CST 2012
Is it actually vulnerable or escaped or ... ? The solution depends on the
actual way this is done, safely or not!
On Mon, Nov 19, 2012 at 1:05 PM, Geoff Galitz <geoff at galitz.org> wrote:
>
>
> Ah ha... indeed the string is being echoed in the 404 doc. What's the
> best way to deal with that?
>
> -G
>
>
>
> > is the attack string echoed in the 404 page anywhere? those should match
> > on
> > the content with a regex, and only trigger if that raw string is found.
> >
> > On Mon, Nov 19, 2012 at 12:51 PM, Geoff Galitz <geoff at galitz.org> wrote:
> >
> >>
> >> If I use curl -v to inspect it, it shows as a 404, though we return a
> >> pretty big page with that.
> >>
> >> It seems like all of these false positives are XSS related. When I
> >> issue
> >> that URL manually (in a web browser or via curl) I get the expected
> >> custom
> >> 404 page.
> >>
> >> Among the vast volume of output from nikto are lines like this:
> >>
> >> + OSVDB-651:
> >>
> /cgi-local/cgiemail-1.6/cgicso?query=<script>alert('Vulnerable')</script>:
> >> This CGI is vulnerable to Cross Site Scripting (XSS).
> >> http://www.cert.org/advisories/CA-2000-02.html.
> >> + OSVDB-651:
> >>
> /cgi-local/cgiemail-1.4/cgicso?query=<script>alert('Vulnerable')</script>:
> >> This CGI is vulnerable to Cross Site Scripting (XSS).
> >> http://www.cert.org/advisories/CA-2000-02.html.
> >> + OSVDB-7022:
> >>
> >>
> /calendar.php?year=<script>alert(document.cookie);</script>&month=03&day=05:
> >> DCP-Portal v5.3.1 is vulnerable to Cross Site Scripting (XSS).
> >> http://www.cert.org/advisories/CA-2000-02.html.
> >>
> >> It could be that my theory on why this is happening is just plain wrong.
> >>
> >> -G
> >>
> >>
> >> > That should work. what is the response code you're sending for 404s,
> >> is
> >> it
> >> > 200 or something else?
> >> >
> >> > Also, you can put them in udb_404_strings so an update won't step on
> >> your
> >> > own changes.
> >> >
> >> > -Sullo
> >> >
> >> > On Mon, Nov 19, 2012 at 12:06 PM, Geoff Galitz <geoff at galitz.org>
> >> wrote:
> >> >
> >> >>
> >> >>
> >> >> Hi all.
> >> >>
> >> >> I am getting what seem to be false positives. I suspect nikto is not
> >> >> recognizing the custom 404s we send out. I've added some of the text
> >> >> and
> >> >> some of the unique code of our 404 to db_404_strings but it does not
> >> >> seem
> >> >> to help.
> >> >>
> >> >> I am wondering if I need to do anything special after simply adding
> >> some
> >> >> text to that file? Currently I have this: <div
> >> id="not-found-content"
> >> >> style="bottom: 98px;">
> >> >>
> >> >> Would special punctuation cause a problem?
> >> >>
> >> >> -G
> >> >>
> >> >>
> >> >>
> >> >> ------------------------------
> >> >> Geoff Galitz
> >> >> http://www.galitz.org
> >> >>
> >> >> _______________________________________________
> >> >> Nikto-discuss mailing list
> >> >> Nikto-discuss at attrition.org
> >> >> https://attrition.org/mailman/listinfo/nikto-discuss
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> >
> >> > http://www.cirt.net | http://richsec.com/
> >> >
> >>
> >>
> >> ------------------------------
> >> Geoff Galitz
> >> http://www.galitz.org
> >>
> >>
> >
> >
> > --
> >
> > http://www.cirt.net | http://richsec.com/
> >
>
>
> ------------------------------
> Geoff Galitz
> http://www.galitz.org
>
>
--
http://www.cirt.net | http://richsec.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://attrition.org/pipermail/nikto-discuss/attachments/20121119/991752a8/attachment.html>
More information about the Nikto-discuss
mailing list