Allaire JRUN Cross Site Scripting Check

From: sq (sqat_private)
Date: Tue Nov 13 2001 - 14:39:41 PST

    Attached is a quick hack-up of SecuriTeam's 40x Cross Site Scripting NASL (without their permission, I hope they're okay with that for a NASL-newbie). This one specifically checks for the Allaire JRUN CSS problem (the scripts require a .jsp, .shtml or .thtml extension tacked on to the end of the request).
    
    It is working in my tests, but I'm wondering if there's a better way to handle the three requests (.jsp, .shtml and .thtml) in some sort of loop (or even just adding it easily to the original SecuriTeam NASL)?  In my testing I found that one may work and one may not (I assume it depends on the config options of JRUN, but I don't have access to admin the systems), so all three should be tested to be sure.  
    
    Also, if someone has a 2.3.x JRUN installation to test against...
    
    Comments/help appreciated.
    
    Thanks
    Chris
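
Added example, not part of the original message or of the attached NASL: one way to run the three-extension check as a loop, sketched in Python rather than NASL, recording a verdict per extension so that one extension reflecting while another does not is still reported. The probe shape (an inert `<i>` marker in a nonexistent path), the `fetch` callable and the `fake_fetch` server stand-in are assumptions made for illustration.

```python
import html
import uuid
from typing import Callable, Dict, Tuple

# Extensions named in the message; each may behave differently per JRun config.
EXTENSIONS = (".jsp", ".shtml", ".thtml")

def build_probe(ext: str, token: str) -> Tuple[str, str]:
    """Return (request path, marker) for a nonexistent page ending in ext."""
    marker = f"<i>{token}</i>"  # inert markup; assumed probe shape
    return f"/{marker}{ext}", marker

def classify(body: str, marker: str) -> str:
    """'vulnerable' if the markup comes back verbatim, 'encoded' if escaped."""
    if marker in body:
        return "vulnerable"
    if html.escape(marker) in body:
        return "encoded"
    return "not-reflected"

def check_extensions(fetch: Callable[[str], Tuple[int, str]],
                     extensions=EXTENSIONS) -> Dict[str, str]:
    """Probe every extension; never stop at the first hit or miss."""
    results: Dict[str, str] = {}
    for ext in extensions:
        token = uuid.uuid4().hex[:12]  # fresh token avoids stale or cached matches
        path, marker = build_probe(ext, token)
        try:
            _status, body = fetch(path)
        except OSError as exc:  # one unreachable request must not hide the others
            results[ext] = f"error: {exc}"
            continue
        results[ext] = classify(body, marker)
    return results

def is_vulnerable(results: Dict[str, str]) -> bool:
    """The host is flagged if any single extension reflects the markup."""
    return any(v == "vulnerable" for v in results.values())

def fake_fetch(path: str) -> Tuple[int, str]:
    """Constructed server stand-in: .jsp reflects raw, .shtml escapes, .thtml omits."""
    if path.endswith(".jsp"):
        return 404, f"<html><body>Could not find {path}</body></html>"
    if path.endswith(".shtml"):
        return 404, f"<html><body>Could not find {html.escape(path)}</body></html>"
    return 404, "<html><body>Not Found</body></html>"

if __name__ == "__main__":
    for ext, verdict in check_extensions(fake_fetch).items():
        print(ext, verdict)
```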
    
    
    
    


