sullo / nikto

Nikto web server scanner

not quite xss #408

Closed digininja closed 8 years ago

digininja commented 8 years ago

This is reported as XSS and while the query string is echoed back the response code is 302 so it won't trigger in most browsers. Need to add a response code check as well as content.

```http
HTTP/1.1 302 Object Moved
location: https://citrix.xxx.co.uk/catinfo?<u><b>TESTING
content-type: text/html
cache-control: private
connection: close

<head><body> This object may be found <a HREF="https://citrix.xxx.co.uk/catinfo?<u><b>TESTING">here</a> </body>
```

sullo commented 8 years ago

I updated the test... no reason it can't check for "> and be a real xss. I can't find any info on this catinfo XSS so the usefulness of the test is in question.

Regarding not being a vuln if it's a 302... I can't control the client side, so I'd report it to a client (maybe lower severity or mitigating factors, but I'd still report it!). We could argue that over a beer.
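
The check the two comments are discussing, written out as an added example (this is not Nikto's own code and was not posted in this thread): send a marker that includes a `">` attribute breakout, then decide from the status code, the `Location` header and the `Content-Type` whether a browser would actually render the reflected copy, so a 302 whose body merely echoes the marker is downgraded rather than reported as a straight XSS. The host name, the marker string and all four sample responses are constructed for the example.

```python
"""Classify a reflected scanner marker by whether a browser would render it.
Added example; not part of Nikto or of the issue thread."""
import html

# Marker carries a "> prefix so a raw reflection also breaks out of an
# attribute value (the point sullo raises), not just out of text context.
MARKER = '"><u><b>NIKTOTEST'

# Constructed placeholder host, standing in for the redacted hostname above.
HOST = "https://citrix.example.invalid"


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased; the status code is the second token of
    the status line."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_reflection(raw: str, marker: str = MARKER) -> str:
    """Return one of:
      not-reflected          marker absent from the body
      reflected-encoded      only an HTML-entity-encoded copy is present
      reflected-in-redirect  raw copy present, but the response is a 3xx
                             with a Location header (browser follows the
                             redirect and never renders the body)
      reflected-non-html     raw copy present, but Content-Type is not HTML
      reflected-raw          raw copy present in an HTML response that a
                             browser will render (likely exploitable XSS)
    """
    status, headers, body = parse_response(raw)
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if marker not in body:
        if html.escape(marker, quote=True) in body:
            return "reflected-encoded"
        return "not-reflected"
    if 300 <= status < 400 and "location" in headers:
        return "reflected-in-redirect"
    if content_type not in ("text/html", "application/xhtml+xml"):
        return "reflected-non-html"
    # 4xx/5xx HTML error pages are rendered too, so no 2xx restriction here.
    return "reflected-raw"


# Severity mapping: the 302 case is still reported, just with lower severity.
SEVERITY = {
    "reflected-raw": "high",
    "reflected-in-redirect": "low",
    "reflected-non-html": "low",
    "reflected-encoded": "info",
    "not-reflected": "none",
}


def report(raw: str, marker: str = MARKER):
    """Return (verdict, severity) for one response."""
    verdict = classify_reflection(raw, marker)
    return verdict, SEVERITY[verdict]


# Constructed sample responses (not captured from any real server).
REDIRECT_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    f"location: {HOST}/catinfo?{MARKER}\r\n"
    "content-type: text/html\r\n"
    "connection: close\r\n"
    "\r\n"
    f'<head><body> This object may be found <a HREF="{HOST}/catinfo?{MARKER}">here</a> </body>'
)
RENDERED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "\r\n"
    f"<html><body>Results for {MARKER}</body></html>"
)
ENCODED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: text/html\r\n"
    "\r\n"
    f"<html><body>Results for {html.escape(MARKER, quote=True)}</body></html>"
)
PLAIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: text/plain\r\n"
    "\r\n"
    f"echo: {MARKER}"
)

if __name__ == "__main__":
    for name, resp in [("redirect", REDIRECT_RESPONSE), ("rendered", RENDERED_RESPONSE),
                       ("encoded", ENCODED_RESPONSE), ("plain", PLAIN_RESPONSE)]:
        print(name, report(resp))
```

The redirect sample reproduces the shape of the response pasted above: the marker is echoed raw in both the `Location` header and the body, but because the status is 302 with a `Location`, the verdict is `reflected-in-redirect` at low severity rather than a high-severity finding.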

digininja commented 8 years ago

I was debating putting it in regardless, might add it.

On Wed, 3 Aug 2016, 04:43 sullo, notifications@github.com wrote:

> I updated the test... no reason it can't check for "> and be a real xss. I can't find any info on this catinfo XSS so the usefulness of the test is in question.
>
> Regarding not being a vuln if it's a 302... I can't control the client side, so I'd report it to a client (maybe lower severity or mitigating factors, but I'd still report it!). We could argue that over a beer.
