[Nikto-discuss] False positive or not?

a resident.deity at gmail.com
Fri Feb 8 08:36:02 CST 2013


I've just added a new parameter to the tests plugin so that you can run a
range of tids; the format is:
-Plugins tests(tids:1-5 6 9-10)

A - will specify a range, and a space will separate groups of ranges (we can't
use a comma as that's a parameter separator). It's not the most perfect
expansion routine, but it works for now.

So if you clone the latest from the git repo, you can run the command:
nikto.pl -host vulnerable -D dvs -Tuning z -Plugins tests(tids:818) -no404
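As an added example (not Nikto's own code, which is Perl), here is a small Python parser for the tids parameter described above: it splits the -Plugins argument, expands dash ranges and space-separated groups, and filters a set of constructed db_tests-style rows. The function names and the sample rows are assumptions, not Nikto's.

```python
import re

# Nikto-style plugin argument, e.g. "tests(tids:1-5 6 9-10)". Commas separate
# parameters inside the parentheses, so a tid list uses spaces between groups.
_PLUGIN_RE = re.compile(r"^(\w+)(?:\((.*)\))?$")
_GROUP_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_plugin_arg(arg):
    """Split "name(key:value,key2:value2)" into (name, {key: value})."""
    m = _PLUGIN_RE.match(arg.strip())
    if not m:
        raise ValueError(f"malformed plugin argument: {arg!r}")
    name, params = m.group(1), {}
    for param in filter(None, (m.group(2) or "").split(",")):
        key, _, value = param.partition(":")
        params[key.strip()] = value.strip()
    return name, params


def expand_tids(spec):
    """Expand "1-5 6 9-10" into a sorted list of unique test ids.
    A dash marks an inclusive range; a space separates groups."""
    tids = set()
    for group in spec.split():
        m = _GROUP_RE.match(group)
        if not m:
            raise ValueError(f"bad tid group: {group!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise ValueError(f"range runs backwards: {group!r}")
        tids.update(range(lo, hi + 1))
    return sorted(tids)


def select_tests(rows, plugin_arg):
    """Return the (tid, tuning, uri) rows selected by the tids parameter;
    with no tids parameter every row is returned, as a plain "tests" would."""
    name, params = parse_plugin_arg(plugin_arg)
    if name != "tests":
        raise ValueError(f"not the tests plugin: {name!r}")
    if "tids" not in params:
        return list(rows)
    wanted = set(expand_tids(params["tids"]))
    return [row for row in rows if row[0] in wanted]


# Constructed sample rows in the spirit of db_tests (tid, tuning, uri);
# 818 is the phpimageview.php check discussed in the thread, the others are made up.
SAMPLE_ROWS = [
    (817, "4", "/some/other.php"),
    (818, "4", "/phpimageview.php?pic=javascript:alert('Vulnerable')"),
    (819, "1", "/another.cgi"),
]
```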


On 7 February 2013 16:10, a <resident.deity at gmail.com> wrote:

> Just thought: you can minimise output by just switching on stuff like
> verbose and debug only for the tests plugin, using:
>
> nikto.pl -host vulnerable -D s -Tuning z -Plugins tests
> -no404(debug,verbose)
>
>
> On 7 February 2013 15:46, a <resident.deity at gmail.com> wrote:
>
>> This looks like it's a false positive off test 818, which is testing for an
>> XSS in the pic parameter of phpimageview.php.
>> There should be an exception case to catch this.
>>
>> Is there any chance you could do a test with -D dvs on this. To cut down
>> the size of the debug file, you can edit db_tests and alter the 3rd column
>> of test 818 and put in a "z", then run Nikto like:
>>
>> nikto.pl -host vulnerable -D dvs -Tuning z -Plugins tests -no404
>>
>> One of these days I'll put in a way of doing this easily, probably
>> something like "-Plugins tests(tids:818)", suggestions would be appreciated.
>>
>>
>> On 7 February 2013 14:24, Frank Breedijk <FBreedijk at schubergphilis.com> wrote:
>>
>>> Recently we got some results from Nikto which we regard as false
>>> positives.
>>>
>>> >telnet xxx.xxx.xxx.xxx 80
>>> Trying xxx.xxx.xxx.xxx...
>>> Connected to xxx.xxx.xxx.xxx
>>> Escape character is '^]'.
>>> GET /phpimageview.php?pic=javascript:alert('Vulnerable') HTTP/1.1
>>> Host: xxxxxxxxxxxxxxxxxxxx
>>>
>>> HTTP/1.1 301 Moved Permanently
>>> Set-Cookie: ARPT=PZUZILSpws1CKIOL; path=/
>>> Date: Thu, 07 Feb 2013 14:19:39 GMT
>>> Server: Microsoft-IIS/6.0
>>> X-Powered-By: ASP.NET
>>> Location:
>>> https://xxxxxxxxxxxxxxxxxx/phpimageview.php?pic=javascript:alert('Vulnerable
>>> ')
>>> Content-Length: 297
>>> Content-type: text/html
>>>
>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>> <html><head>
>>> <title>301 Moved Permanently</title>
>>> </head><body>
>>> <h1>Moved Permanently</h1><p>The document has moved <a href="
>>> https://xxxxxxxxxxxxxxxxx/phpimageview.php?pic=javascript:alert('Vulnerable')
>>> ">here</a>.</p>
>>> </body></html>Connection closed by foreign host.
>>>
>>> I understand why the rule triggers: the URL is echoed back apparently
>>> unescaped. However, the double quotes neutralize the XSS, and if you insert a
>>> " in the URL the webserver actually returns a 400 Bad Request.
>>>
>>> Kind regards,
>>> Frank Breedijk
>>>
>>>
>>> Schuberg Philis
>>> Boeing Avenue 271
>>> 1119 PD Schiphol-Rijk
>>> schubergphilis.com
>>>
>>> +31 20 750 65 38
>>> +31 6 4382 2637
>>>
>>> _______________________________________________
>>> Nikto-discuss mailing list
>>> Nikto-discuss at attrition.org
>>> https://attrition.org/mailman/listinfo/nikto-discuss
>>>
>>>
>>
>