Re: [Plugins-writers] redirects and http plugins

From: Michel Arboi (mikhail@private)
Date: Sun Sep 12 2004 - 01:36:08 PDT


On Sat Sep 11 2004 at 23:37, Michael Scheidell wrote:

> as an example, ALL of the XSS plugins will false positive if a web
> site does a blanket redirect (301 or 302) since the 'script' it is
> looking for will be in the Location header.

Is cross_site_scripting.nasl supposed to detect it? 

> A) FOLLOW THE REDIRECT and 'attack' the site that it's redirecting to
> (BAD FORM!  might redirect to www.fbi.gov!)

Definitely not if you are not redirected to the same host. You are
auditing host A, not host B where you are redirected.

Testing if B = A implies that we need a "same_host" function that will
be able to resolve names and compare IP address sets.

> B) do something similar to 'no404.html' (i.e. "yes30x.html"?) and report it?

cross_site_scripting.nasl is supposed to do something like this
already.
When it fails, for whatever reason, you get FP on every XSS
script. This happened to me last week.

> C) edit the http_keepalive.inc to consider a 301 and 302 as a 404?

I don't like the idea.
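
The "same_host" test mentioned above, sketched in Python as an added example; it is not part of the original message and not Nessus code. The names `resolve`, `same_host`, `redirect_target` and the sample DNS table are hypothetical, and treating two hosts as the same when their address sets overlap is an assumption.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

def resolve(name):
    """Return the set of IP addresses for a host name or literal address."""
    try:
        return {str(ipaddress.ip_address(name))}   # literal IP: no lookup
    except ValueError:
        pass
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()                               # unresolvable: matches nothing

def same_host(a, b, resolver=resolve):
    """True if both names are equal or their address sets overlap (assumption)."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or bool(resolver(a) & resolver(b))

def redirect_target(audited_host, request_path, status, location, resolver=resolve):
    """Classify a response as 'not-redirect', 'same-host' or 'other-host'."""
    if status not in (301, 302) or not location:
        return "not-redirect"
    # Location may be relative, so resolve it against the request URL first.
    base = "http://%s%s" % (audited_host, request_path)
    target = urlsplit(urljoin(base, location)).hostname
    if target and same_host(audited_host, target, resolver):
        return "same-host"
    return "other-host"

# Constructed sample data (documentation address ranges) standing in for DNS.
SAMPLE_DNS = {
    "www.example.test": {"192.0.2.10", "192.0.2.11"},
    "example.test": {"192.0.2.11"},
    "elsewhere.example": {"198.51.100.7"},
}

def sample_resolver(name):
    return SAMPLE_DNS.get(name, set())

if __name__ == "__main__":
    probe = "/search.php?q=<script>x</script>"
    for loc in ("/login", "http://example.test/", "http://elsewhere.example/"):
        print(loc, redirect_target("www.example.test", probe, 302, loc, sample_resolver))
```

A name that does not resolve yields an empty set, so it is never treated as the audited host.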
