RE: [Plugins-writers] redirects and http plugins

From: Michael Scheidell (scheidell@private)
Date: Thu Sep 16 2004 - 08:57:23 PDT


still get way too many FP's on XSS scripts.

still think we need a 'yes30x'.nasl that all of these call.

this after cvsup of plugins just now:
(yes, the darn thing puts the 302 in the banner, NOT the headers where
it belongs)

I have seen LOTS of them do this.


nasl -t 10.0.4.244 cutenews_indexphp_xss.nasl
[48703] plug_set_key:send(0)['1 Services/www/80/working=1;
'](0 out of 29): Socket operation on non-socket
[48703] plug_set_key:send(0)['1 www/banner/80=HTTP/1.1 302
Redirect\r\nServer: GoAhead-Webs\r\nDate: THU JAN 01 00:01:52
1970\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type:
text/html\r\nLocation: http://10.0.4.244/index.html\r\n;
'](0 out of 217): Socket operation on non-socket
[48703] plug_set_key:send(0)['1 www/80/keepalive=no;
'](0 out of 23): Socket operation on non-socket
Success


-----Original Message-----
From: Paul Johnston [mailto:paul@private]
Sent: Monday, September 13, 2004 5:00 AM
To: Michael Scheidell
Cc: Nessus Plugins Writers (E-mail)
Subject: Re: [Plugins-writers] redirects and http plugins


Hi Michael,

The XSS plugins should not false positive in that situation. I submitted
a patch that adds a "bodyonly" parameter to http_keepalive_recv_body,
and all XSS plugins should set this to 1.

Regarding what should happen with redirects; I think they're just like
external links and should be handled by webmirror.nasl. i.e. if the link
is on the same domainname it is examined, if it is external it is
ignored.

Regards,

Paul



Michael Scheidell wrote:

>how should redirects be handled in http* plugins?
>
>as an example, ALL of the XSS plugins will false positive if a web site
>does a blanket redirect (301 or 302) since the 'script' it is looking
>for will be in the Location header.
>
>should nessus (nasl):
>A) FOLLOW THE REDIRECT and 'attack' the site that it's redirecting to
>(BAD FORM!  might redirect to www.fbi.gov!)
>
>B) do something similar to 'no404.html' (ie "yes30x.html"? and report
>it?
>
>C) edit the http_keepalive.inc to consider a 301 and 302 as a 404?
>
>(I have a private site that you can try postnuke_reviews_xss.nasl on
>which I can send in email)
>

-- 
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@private
web: www.westpoint.ltd.uk
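Added illustration (not code from this thread, from Nessus, or from either poster): a small Python model of the false positive Michael reports and of the "bodyonly" check Paul proposes. An XSS plugin sends a probe string and looks for it in the reply; when the server answers with a 301/302 whose Location header echoes the request, a match over the whole reply (headers included) reports a hit, while a match restricted to the body does not. The final helper applies Paul's same-domain rule to the Location target. The probe marker, host 10.0.4.244 (taken from Michael's output), and all three responses are constructed sample data; the function names are my own.

```python
"""Model of the redirect false positive discussed on plugins-writers.

Everything here is a constructed example: the probe string is an inert marker,
the responses mimic a GoAhead-style 302 and two ordinary 200 replies, and the
function names are hypothetical (not Nessus/NASL APIs).
"""
from urllib.parse import urlsplit

PROBE = "<script>probe_marker</script>"  # constructed, inert marker string

# Constructed: a 302 that echoes the requested path (probe included) in Location.
REDIRECT_RESPONSE = (
    "HTTP/1.1 302 Redirect\r\n"
    "Server: GoAhead-Webs\r\n"
    "Content-Type: text/html\r\n"
    f"Location: http://10.0.4.244/index.php?id={PROBE}\r\n"
    "\r\n"
)

# Constructed: a 302 to another host, which webmirror-style logic should ignore.
EXTERNAL_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example.org/\r\n"
    "\r\n"
)

# Constructed: a genuine reflection, the probe appears in the HTML body.
REFLECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    f"<html><body>Search results for {PROBE}</body></html>"
)

# Constructed: a clean page that does not echo the probe anywhere.
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>nothing reflected here</body></html>"
)


def split_response(raw: str):
    """Split a raw HTTP/1.x reply into (status_code, headers, body).

    Headers end at the first blank line; CRLF and bare LF are both accepted.
    Header names are lower-cased so lookups are case-insensitive.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    status_line = lines[0] if lines else ""
    parts = status_line.split()
    code = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers, body


def naive_is_vulnerable(raw: str, probe: str = PROBE) -> bool:
    """Search the entire reply, headers included.

    This is the behaviour that false-positives on a redirect: the probe is
    found inside the Location header, not in any rendered content.
    """
    return probe in raw


def bodyonly_is_vulnerable(raw: str, probe: str = PROBE) -> bool:
    """Search only the body, and never treat a 3xx as a hit.

    This mirrors the effect of a 'bodyonly' style check: the reflected marker
    must occur in content the browser would actually render.
    """
    code, _headers, body = split_response(raw)
    if 300 <= code < 400:
        return False
    return probe in body


def redirect_target(raw: str, base_host: str):
    """Classify a 3xx Location the way Paul describes webmirror.nasl treating
    links: same host -> "examine", other host -> "ignore", no redirect -> None.
    A relative Location (no host part) stays on the scanned host.
    """
    code, headers, _body = split_response(raw)
    if not (300 <= code < 400) or "location" not in headers:
        return None
    host = urlsplit(headers["location"]).hostname or base_host
    return "examine" if host == base_host else "ignore"


if __name__ == "__main__":
    for name, resp in (("redirect", REDIRECT_RESPONSE),
                       ("reflected", REFLECTED_RESPONSE),
                       ("clean", CLEAN_RESPONSE)):
        print(f"{name:9s} naive={naive_is_vulnerable(resp)!s:5s} "
              f"bodyonly={bodyonly_is_vulnerable(resp)}")
    print("redirect target:", redirect_target(REDIRECT_RESPONSE, "10.0.4.244"))
    print("external target:", redirect_target(EXTERNAL_REDIRECT, "10.0.4.244"))
```

Run as a script, the redirect response scores as vulnerable under the whole-reply check and as clean under the body-only check, while the genuine reflection scores as vulnerable under both. The same split is what lets a scanner record the 302 status where it belongs (the status line and headers) rather than folding it into a cached banner string, which is the symptom Michael's plug_set_key output shows.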


_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers



This archive was generated by hypermail 2.1.3 : Thu Sep 16 2004 - 08:57:58 PDT