how should redirects be handled in http* plugins? as an example, ALL of the XSS plugins will false positive if a web site does a blanker redirect (301 or 302) since the 'script' it is looking for will be in the Location header. should nessus (nasl): A) FOLLOW THE REDIRECT and 'attack' the site that its redirecting to (BAD FORM! might redirect to www.fbi.gov!) B) do something similar to 'no404.html' (ie "yes30x.html"? and report it? C) edit the http_keepalive.inc to consider a 301 and 302 as a 404? ( have a private site that you can try postnuke_reviews_xss.nasl on which I can send in email) -- Michael Scheidell SECNAP Network Security 561-999-5000 x 1131 www.secnap.com _______________________________________________ Plugins-writers mailing list Plugins-writers@private http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2.1.3 : Sat Sep 11 2004 - 14:55:05 PDT