[Nikto-discuss] False positive or not?

a resident.deity at gmail.com
Thu Feb 7 10:10:40 CST 2013


Just thought: you can minimise output by just switching on stuff like
verbose and debug only for the tests plugin, using:

nikto.pl -host vulnerable -D s -Tuning z -Plugins tests
-no404(debug,verbose)


On 7 February 2013 15:46, a <resident.deity at gmail.com> wrote:

> This looks like it's a false positive off test 818; which is testing for an
> XSS in the pic parameter of phpimageview.php.
> There should be an exception case to catch this.
>
> Is there any chance you could do a test with -D dvs on this. To cut down
> the size of the debug file, you can edit db_tests and alter the 3rd column
> of test 818 and put in a "z", then run Nikto like:
>
> nikto.pl -host vulnerable -D dvs -Tuning z -Plugins tests -no404
>
> One of these days I'll put in a way of doing this easily, probably
> something like "-Plugins tests(tids:818)", suggestions would be appreciated.
>
>
> On 7 February 2013 14:24, Frank Breedijk <FBreedijk at schubergphilis.com> wrote:
>
>> Recently we got some results from Nikto which we regard as false
>> positives.
>>
>> >telnet xxx.xxx.xxx.xxx 80
>> Trying xxx.xxx.xxx.xxx...
>> Connected to xxx.xxx.xxx.xxx
>> Escape character is '^]'.
>> GET /phpimageview.php?pic=javascript:alert('Vulnerable') HTTP/1.1
>> Host: xxxxxxxxxxxxxxxxxxxx
>>
>> HTTP/1.1 301 Moved Permanently
>> Set-Cookie: ARPT=PZUZILSpws1CKIOL; path=/
>> Date: Thu, 07 Feb 2013 14:19:39 GMT
>> Server: Microsoft-IIS/6.0
>> X-Powered-By: ASP.NET
>> Location: https://xxxxxxxxxxxxxxxxxx/phpimageview.php?pic=javascript:alert('Vulnerable')
>> Content-Length: 297
>> Content-type: text/html
>>
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <html><head>
>> <title>301 Moved Permanently</title>
>> </head><body>
>> <h1>Moved Permanently</h1><p>The document has moved <a href="https://xxxxxxxxxxxxxxxxx/phpimageview.php?pic=javascript:alert('Vulnerable')">here</a>.</p>
>> </body></html>Connection closed by foreign host.
>>
>> I understand why the rule triggers; the URL is echoed back apparently
>> unescaped. However, the double quotes neutralize the XSS, and if you insert a
>> " in the URL the webserver actually returns a 400 Bad Request.
>>
>>
>> Kind regards,
>> Frank Breedijk
>>
>>
>> Schuberg Philis
>> Boeing Avenue 271
>> 1119 PD Schiphol-Rijk
>> schubergphilis.com
>>
>> +31 20 750 65 38
>> +31 6 4382 2637
>> _____________________
>>
>> _______________________________________________
>> Nikto-discuss mailing list
>> Nikto-discuss at attrition.org
>> https://attrition.org/mailman/listinfo/nikto-discuss
>>
>>
>
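The "exception case" the thread asks for comes down to classifying where the echoed value lands in the response rather than matching on the echo alone. The following is an added Python example, not Nikto's code: it parses raw HTTP responses constructed from the telnet capture above (hostnames replaced by the placeholder host.example), determines whether the reflected value sits inside a quoted attribute, and, when the answer to a second probe carrying that delimiter is available (Frank reports a 400 for it), downgrades the finding to a likely false positive. The verdict names and the extra 200 "text" sample are this example's own.

```python
"""Context-aware triage for a reflected-parameter finding.

Added example, not Nikto's code. The sample responses are constructed from the
telnet capture in the thread with hostnames replaced by host.example; the
verdict names and the 200 "text" sample are this example's own.
"""

CRLF = "\r\n"
PAYLOAD = "javascript:alert('Vulnerable')"  # probe value shown in the thread

# Constructed sample: the 301 from the thread, echoing the value in the
# Location header and inside a double-quoted href in the body.
RESP_301 = CRLF.join([
    "HTTP/1.1 301 Moved Permanently",
    "Date: Thu, 07 Feb 2013 14:19:39 GMT",
    "Server: Microsoft-IIS/6.0",
    "Location: https://host.example/phpimageview.php?pic=" + PAYLOAD,
    "Content-type: text/html",
    "",
    "<html><head><title>301 Moved Permanently</title></head><body>"
    '<h1>Moved Permanently</h1><p>The document has moved <a href="'
    "https://host.example/phpimageview.php?pic=" + PAYLOAD + '">here</a>.</p>'
    "</body></html>",
])

# Constructed sample: the 400 Frank reports once a '"' is added to the URL.
RESP_400 = CRLF.join([
    "HTTP/1.1 400 Bad Request",
    "Content-type: text/html",
    "",
    "<html><body><h1>Bad Request</h1></body></html>",
])

# Constructed sample (not from the thread): the value echoed as text between tags.
RESP_200_TEXT = CRLF.join([
    "HTTP/1.1 200 OK",
    "Content-type: text/html",
    "",
    "<html><body><p>Image not found: " + PAYLOAD + "</p></body></html>",
])


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def reflection_context(body, value):
    """Where does `value` land in `body`?

    Returns 'none', 'text' (between tags), 'tag' (inside a tag but outside any
    attribute value) or 'attribute:<quote>' with the delimiter enclosing it.
    """
    idx = body.find(value)
    if idx == -1:
        return "none"
    tag_start = body.rfind("<", 0, idx)
    tag_end = body.rfind(">", 0, idx)
    if tag_start == -1 or tag_end > tag_start:
        return "text"
    # Inside a tag: track quote state from the tag start up to the echo.
    quote = None
    for ch in body[tag_start:idx]:
        if quote is None and ch in "\"'":
            quote = ch
        elif ch == quote:
            quote = None
    return "tag" if quote is None else "attribute:" + quote


def triage(probe_raw, value, delimiter_probe_raw=None):
    """Return (verdict, reason) for one reflected-value finding.

    probe_raw: response to the plain probe value.
    delimiter_probe_raw: response to the same probe with the enclosing quote
    appended, if that request was made (the thread reports a 400 for it).
    """
    status, headers, body = parse_response(probe_raw)
    in_headers = sorted(n for n, v in headers.items() if value in v)
    ctx = reflection_context(body, value)
    where = f"status {status}, header echo in {in_headers or 'none'}"
    if ctx == "none":
        return "not_reflected", f"value absent from body ({where})"
    if ctx == "text":
        return "reflected_in_text", f"echoed between tags ({where})"
    if ctx == "tag":
        return "reflected_in_tag", f"echoed inside a tag outside any attribute ({where})"
    quote = ctx.split(":", 1)[1]
    if quote in value:
        return "delimiter_reflected", f"probe already carried {quote} and it was echoed ({where})"
    if delimiter_probe_raw is None:
        return "needs_delimiter_check", f"echo is enclosed by {quote}; re-test with it appended ({where})"
    dstatus, _, dbody = parse_response(delimiter_probe_raw)
    if dstatus >= 400 or (value + quote) not in dbody:
        return "likely_false_positive", f"enclosed by {quote}; delimiter probe answered {dstatus} without echoing it"
    return "delimiter_reflected", f"delimiter probe echoed {quote} inside the attribute; manual review"


if __name__ == "__main__":
    print(triage(RESP_301, PAYLOAD, RESP_400))
    print(triage(RESP_301, PAYLOAD))
    print(triage(RESP_200_TEXT, PAYLOAD))
```

For the capture in the thread the value is enclosed by `"` inside the href and the delimiter probe comes back 400, so the finding is downgraded; the same 301 without the second probe yields `needs_delimiter_check`, which is the state a scanner is in when it reports on a single request.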