michaelcp / skipfish

Automatically exported from code.google.com/p/skipfish
Apache License 2.0

Variable extraction from 'Location' header field #89

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Skipfish doesn't seem to extract URL variables when redirected.

I run it with:
./skipfish -I trainer -o skiprep6 -W dictionaries/complete.wl -g 3 -m 3  
http://localhost/zapotek/tests/trainer.php

Test case:
http://github.com/Zapotek/arachni/blob/0.2/tests/trainer.php

Original issue reported on code.google.com by Tasos.La...@gmail.com on 10 Sep 2010 at 1:13

GoogleCodeExporter commented 9 years ago
Do you mean that it does not follow:

Location: ?msg=Congrats!+You+made+it!

...or something else? Formally, it's not a valid form of redirection, but I 
think it should work? What's the exact symptom?

Original comment by lcam...@gmail.com on 10 Sep 2010 at 5:10

GoogleCodeExporter commented 9 years ago
I can't tell if it followed it or not, but I'm pretty sure it didn't audit the 
'msg' parameter.
If it had, it would have found the XSS vulnerability.

Also, although it followed all the forms properly it didn't audit the 'rfi' 
cookie either, which is set after the second form has been submitted.

I'll run some more tests to see what's happening...

Original comment by Tasos.La...@gmail.com on 10 Sep 2010 at 5:36

GoogleCodeExporter commented 9 years ago
The best way to troubleshoot this is to do:

make clean debug
./skipfish [...usual stuff...] 2>logfile.txt

This will create a detailed crawl log; we'll be able to see if the scanner 
actually followed the link, if it attempted any injection attacks against the 
URL, and if not, why.

Original comment by lcam...@gmail.com on 10 Sep 2010 at 6:47

GoogleCodeExporter commented 9 years ago
It seems that I was wrong.
It found both the cookie and the 'msg' var.

This time it reported the msg var to be vulnerable, but it took no further 
action regarding the 'rfi' cookie.

It doesn't seem to audit cookies at all.

Original comment by Tasos.La...@gmail.com on 10 Sep 2010 at 7:09

GoogleCodeExporter commented 9 years ago
Nope, cookies are off limits at this point. Checking them for XSS is 
generally pointless; SQL injection, etc, is more interesting, and it's on my 
TODO list.

Original comment by lcam...@gmail.com on 10 Sep 2010 at 7:45
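The two discovery cases debated in this thread (a relative `Location: ?msg=...` redirect and a cookie set mid-flow) as an added illustration of what a crawler has to pull out of a response before it can audit anything; this is example code written for this page, not skipfish's own logic, and the sample response below is constructed to mimic the trainer.php flow rather than captured from it.

```python
from urllib.parse import urljoin, urlsplit, parse_qsl


def extract_injection_points(request_url, status, headers):
    """Return (redirect_target, query_params, cookie_names) from one response.

    request_url: URL the request was sent to (used to resolve relative Locations).
    status:      HTTP status code of the response.
    headers:     list of (name, value) pairs; a header name may repeat.
    """
    redirect_target = None
    query_params = {}
    cookie_names = set()
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and 300 <= status < 400:
            # Resolve the target the way a browser would. A bare "?msg=..."
            # is a relative reference: RFC 2616 required an absolute URI here,
            # RFC 7231 allows a relative one, and browsers followed it either way.
            redirect_target = urljoin(request_url, value.strip())
            # '+' decodes to a space, so the stored value is what the app sees.
            for key, val in parse_qsl(urlsplit(redirect_target).query,
                                      keep_blank_values=True):
                query_params[key] = val
        elif lname == "set-cookie":
            # Only the first "name=value" segment names the cookie; the rest
            # (Path, Expires, ...) are attributes, not auditable parameters.
            first = value.split(";", 1)[0]
            if "=" in first:
                cookie_names.add(first.split("=", 1)[0].strip())
    return redirect_target, query_params, cookie_names


# Constructed sample: second form submission in a trainer-style flow.
SAMPLE_URL = "http://localhost/zapotek/tests/trainer.php"
SAMPLE_STATUS = 302
SAMPLE_HEADERS = [
    ("Set-Cookie", "rfi=default; Path=/"),
    ("Location", "?msg=Congrats!+You+made+it!"),
]

if __name__ == "__main__":
    target, params, cookies = extract_injection_points(
        SAMPLE_URL, SAMPLE_STATUS, SAMPLE_HEADERS)
    print("redirect ->", target)
    print("query params to audit:", params)
    print("cookies to audit:", cookies)
```

Whether the scanner then follows the redirect and injects into `msg` is exactly what the `make clean debug` crawl log above shows; this function only covers the extraction step that precedes it.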