I think that cross_site_scripting.nasl will report a security hole when the
webserver returns the requested, non-sanitized file name in the http status
field. However, the web browsers I tested don't treat the http status field
as HTML. Attached is an updated copy of the css nasl.

Here's an example of a session that nessus will false positive on:

[root@nsd2 plugins]# telnet 10.0.0.211 80
Trying 10.0.0.211...
Connected to 10.0.0.211.
Escape character is '^]'.
GET /<SCRIPT>alert('Vulnerable')</SCRIPT> HTTP/1.1

HTTP/1.1 404 /<SCRIPT>alert('Vulnerable')</SCRIPT>
Content-Type: text/html
Date: Fri, 01 Mar 2002 21:34:28 GMT
Server: Apache Tomcat/4.0.1 (HTTP/1.1 Connector)
Connection: close

<html><head><title>Apache Tomcat/4.0.1 - Error report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;} BODY{font-family : sans-serif,Arial,Tahoma;color : black;background-color : white;} B{color : white;background-color : #0086b2;} HR{color : #0086b2;} --></STYLE> </head><body><h1>Apache Tomcat/4.0.1 - HTTP Status 404 - /<SCRIPT>alert('Vulnerable')</SCRIPT></h1><HR size="1" noshade><p><b>type</b> Status report</p><p><b>message</b> <u>/<SCRIPT>alert('Vulnerable')</SCRIPT></u></p><p><b>description</b> <u>The requested resource (/<SCRIPT>alert('Vulnerable')</SCRIPT>) is not available.</u></p><HR size="1" noshade></body></html>Connection closed by foreign host.

--
^Drew
http://guh.nu
--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518 5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--
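The check the post argues for, written out as an added Python example (this is not the attached cross_site_scripting.nasl and not Nessus code): split a raw HTTP response into status line, headers and body, and report a reflected XSS probe only when it comes back unescaped in the body, since a browser renders the body as HTML but never the status line or headers. The first sample response is copied (abbreviated) from the Tomcat 4.0.1 transcript above; note that in that transcript the probe is echoed in the body as well as in the status line, so a body-only check still fires on it. The second and third responses are constructed: one echoes the probe only in the status reason phrase and HTML-escapes it in the body, which is the case a body-only check must not report, and one does not echo it at all.

```python
# Added example, not the attached cross_site_scripting.nasl and not Nessus code.
# Report reflected XSS only when the probe string appears unescaped in the
# response *body*; a reflection confined to the HTTP status line or headers is
# never rendered as HTML by a browser and should not be flagged.

PROBE = "<SCRIPT>alert('Vulnerable')</SCRIPT>"


def split_response(raw: bytes):
    """Return (status_line, headers, body) for a raw HTTP/1.x response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                       # tolerate bare-LF responses
        head, _, body = raw.partition(b"\n\n")
    lines = head.split(b"\n")
    status_line = lines[0].rstrip(b"\r").decode("latin-1")
    headers = {}
    for line in lines[1:]:
        text = line.rstrip(b"\r").decode("latin-1")
        name, colon, value = text.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers, body.decode("latin-1", "replace")


def classify_reflection(raw: bytes, probe: str = PROBE) -> str:
    """'body'        -> probe reflected unescaped in the body (reportable)
       'status-only' -> probe only in status line / headers (not rendered, skip)
       'none'        -> probe not reflected at all"""
    status_line, headers, body = split_response(raw)
    if probe in body:
        return "body"
    if probe in status_line or any(probe in v for v in headers.values()):
        return "status-only"
    return "none"


# Copied (abbreviated) from the Tomcat 4.0.1 transcript in the post above.
TOMCAT_404 = (
    b"HTTP/1.1 404 /<SCRIPT>alert('Vulnerable')</SCRIPT>\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Apache Tomcat/4.0.1 (HTTP/1.1 Connector)\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body><h1>Apache Tomcat/4.0.1 - HTTP Status 404 - "
    b"/<SCRIPT>alert('Vulnerable')</SCRIPT></h1></body></html>"
)

# Constructed response: probe echoed only in the status reason phrase, while the
# body HTML-escapes it.  This is the case that must NOT be reported.
STATUS_ONLY_404 = (
    b"HTTP/1.1 404 /<SCRIPT>alert('Vulnerable')</SCRIPT>\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Not found: /&lt;SCRIPT&gt;alert('Vulnerable')&lt;/SCRIPT&gt;"
    b"</body></html>"
)

# Constructed response with no reflection anywhere.
PLAIN_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Not found.</body></html>"
)

if __name__ == "__main__":
    for name, resp in [("tomcat", TOMCAT_404),
                       ("status-only", STATUS_ONLY_404),
                       ("plain", PLAIN_404)]:
        print(f"{name}: {classify_reflection(resp)}")
```

The function deliberately does not look at Content-Type: a server that echoes the probe into a text/plain body is still worth a look, because some older browsers sniffed content types and rendered such bodies as HTML.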
This archive was generated by hypermail 2b30 : Fri Mar 01 2002 - 16:29:24 PST