[Nikto-discuss] False positive or not?

Frank Breedijk FBreedijk at schubergphilis.com
Thu Feb 7 08:24:37 CST 2013


Recently we got some results from Nikto which we regard as false positives.

>telnet xxx.xxx.xxx.xxx 80
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx
Escape character is '^]'.
GET /phpimageview.php?pic=javascript:alert('Vulnerable') HTTP/1.1
Host: xxxxxxxxxxxxxxxxxxxx

HTTP/1.1 301 Moved Permanently
Set-Cookie: ARPT=PZUZILSpws1CKIOL; path=/
Date: Thu, 07 Feb 2013 14:19:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: https://xxxxxxxxxxxxxxxxxx/phpimageview.php?pic=javascript:alert('Vulnerable')
Content-Length: 297
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1><p>The document has moved <a href="https://xxxxxxxxxxxxxxxxx/phpimageview.php?pic=javascript:alert('Vulnerable')">here</a>.</p>
</body></html>Connection closed by foreign host.

I understand why the rule triggers: the URL is echoed back apparently unescaped. However, the double quotes neutralize the XSS, and if you insert a " in the URL the webserver actually returns a 400 Bad Request.

Kind regards,
Frank Breedijk


Schuberg Philis
Boeing Avenue 271
1119 PD Schiphol-Rijk
schubergphilis.com

+31 20 750 65 38
+31 6 4382 2637
_____________________
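The question in this post is whether a scanner's "parameter is echoed unescaped" hit is a real reflected XSS or a contained echo. The following is an added triage helper written for this thread; it is not Nikto code and not from the poster. It splits a raw HTTP response, locates every raw echo of the probed value in the body, classifies the HTML context it landed in (text node, tag, single- or double-quoted attribute), and reports whether the value carries the character needed to leave that context. The sample responses are constructed and modelled on the IIS 301 quoted above, with example.invalid standing in for the masked host; the encoded, break-out and 400 variants are assumptions used to exercise the other branches.

```python
"""Triage a 'value echoed in response' finding: contained echo or breakable context?

Added for this thread as an illustration; not part of Nikto.
"""
import html
from typing import Dict, List, Tuple

PAYLOAD = "javascript:alert('Vulnerable')"   # the probe from the post
QUOTE_PROBE = PAYLOAD + '"'                   # the poster's manual follow-up: add a double quote


def split_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return lines[0], headers, body


def html_context(body: str, idx: int) -> str:
    """Classify the HTML context at offset idx of body.

    Returns 'text' (text node), 'tag' (inside a tag, unquoted), 'attr-dquote'
    or 'attr-squote' (inside a quoted attribute value).
    """
    before = body[:idx]
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt <= gt:                      # last tag was closed before idx
        return "text"
    tag_prefix = before[lt:]          # from the opening '<' of the enclosing tag
    if tag_prefix.count('"') % 2:     # odd number of quotes: we are inside one
        return "attr-dquote"
    if tag_prefix.count("'") % 2:
        return "attr-squote"
    return "tag"


# Characters that must survive raw in the echoed value to leave each context.
BREAKOUT_CHARS = {
    "text": "<",
    "tag": " \t>",          # unquoted attribute: whitespace ends the value, '>' ends the tag
    "attr-dquote": '"',
    "attr-squote": "'",
}


def triage(raw_response: str, value: str) -> Dict:
    """Report where and how 'value' is echoed, and whether the echo is in a breakable context."""
    status, headers, body = split_response(raw_response)
    echoed_headers: List[str] = [h for h, v in headers.items() if value in v]
    contexts = []
    start = 0
    while True:
        idx = body.find(value, start)
        if idx < 0:
            break
        ctx = html_context(body, idx)
        contexts.append({"context": ctx,
                         "breakout": any(c in value for c in BREAKOUT_CHARS[ctx])})
        start = idx + len(value)
    # Found only after entity-decoding: the server encoded the dangerous characters.
    encoded_only = not contexts and value in html.unescape(body)
    return {
        "status": int(status.split()[1]),
        "echoed_headers": echoed_headers,
        "body_contexts": contexts,
        "encoded_only": encoded_only,
        "exploitable": any(c["breakout"] for c in contexts),
    }


def _redirect(header_value: str, body_value: str = None) -> str:
    """Constructed response shaped like the IIS 6.0 301 quoted in the post."""
    body_value = header_value if body_value is None else body_value
    loc = "https://example.invalid/phpimageview.php?pic=" + header_value
    href = "https://example.invalid/phpimageview.php?pic=" + body_value
    body = ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
            "<title>301 Moved Permanently</title>\n</head><body>\n"
            "<h1>Moved Permanently</h1><p>The document has moved "
            f'<a href="{href}">here</a>.</p>\n</body></html>')
    return ("HTTP/1.1 301 Moved Permanently\r\nServer: Microsoft-IIS/6.0\r\n"
            f"Location: {loc}\r\nContent-type: text/html\r\n\r\n{body}")


SAMPLE_AS_POSTED = _redirect(PAYLOAD)                        # the case in the thread
SAMPLE_ENCODED = _redirect(QUOTE_PROBE, PAYLOAD + "&quot;")  # quote entity-encoded in the body
SAMPLE_BREAKOUT = _redirect(QUOTE_PROBE)                     # raw quote survives inside href
SAMPLE_REJECTED = ("HTTP/1.1 400 Bad Request\r\nContent-type: text/html\r\n\r\n"
                   "<html><body><h1>Bad Request</h1></body></html>")

if __name__ == "__main__":
    for name, raw, probe in [("as posted", SAMPLE_AS_POSTED, PAYLOAD),
                             ("encoded", SAMPLE_ENCODED, QUOTE_PROBE),
                             ("breakout", SAMPLE_BREAKOUT, QUOTE_PROBE),
                             ("rejected", SAMPLE_REJECTED, QUOTE_PROBE)]:
        print(name, triage(raw, probe))
```

Run against the response as posted, the verdict is "echoed in the Location header and in a double-quoted href, no break-out character present", i.e. the false positive the poster describes; the same probe with a trailing quote is what separates that from a genuine finding, and a 400 on that probe shows up as no echo at all.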
