Mailing List Archive

Patch suggestion
I have two patch suggestions for Nessus 2.01. This is the first time I've suggested a patch to the Nessus team, so if I have made any errors in the process of bringing these to you, please feel free to correct me off-list.

I've been having a devil of a time with a web site that uses redirection instead of publishing 404 errors for non-existent files. After spending time in the source, I think I have found two issues that, if patched, can increase the accuracy of Nessus in these situations.

First, the no404.nasl plugin does not detect 301 redirections, as it was coded to detect only 302 redirections. The patch below will allow no404.nasl to detect both 301 and 302 redirections. I added a message explaining the VA ramifications of using redirection instead of 404 pages.

The second patch involves the is_cgi_installed_by_port function in www_funcs.c in nessus-libraries. The original function assumes that a 301 or 302 redirection means that the webmaster has relocated the item being checked, and Nessus dutifully follows the redirection to verify whether the CGI exists. The issue is that if Nessus follows a redirection when we are using 301 or 302 for 404 duties, the CGI will always appear to exist, because the redirection will lead Nessus to something that will give a 200 status. In the patch below, if Nessus receives a 301 or 302 redirection on a CGI check, it will first verify the status of the output of no404.nasl. If the no404.nasl plugin indicates that we are using 301/302 instead of 404, it will determine that the CGI is not installed.

The only downside to this approach is that if a webmaster indeed does use a 301/302 redirect for a real CGI, Nessus will ignore the fact that the CGI exists. I tried to spell this out in the patch to no404.nasl.

Feedback is always appreciated!

-Art

--- no404.nasl.orig 2003-03-04 13:09:56.000000000 -0600
+++ no404.nasl 2003-03-04 13:10:20.000000000 -0600
@@ -198,6 +198,28 @@
}
}

+ # check for a 301 Moved
+ if(ereg(pattern:"^HTTP.*301", string:raw_http_line))
+ {
+ # put the first line of the response as no404 msg ;)
+ found = string("www/no404/", port);
+ set_kb_item(name:found, value:raw_http_line);
+
+ msg = "
+This web server is redirecting requests for pages
+it can not find to another page. Nessus will use this
+information to reduce the number of false positives
+in this scan.
+
+NOTE: If this web server uses a redirect to serve a
+real CGI program the CGI will *NOT* be identified by
+Nessus because of the use of 301 redirects for 404 errors.
+";
+ security_note(port: port, data: msg);
+ if(debug) display("301: Using ", raw_http_line, "\n");
+ exit(0);
+ }
+
# check for a 302 Moved
if(ereg(pattern:"^HTTP.*302", string:raw_http_line))
{
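Review bot: the new 301 block at the top of this hunk duplicates the 302 block that follows it line for line, apart from the digit in the message; fold both into one branch with `if(ereg(pattern:"^HTTP.*30[12]", string:raw_http_line))` and build the message from the matched code so the two copies cannot drift apart. Since the KB value stored is the full `raw_http_line`, any later comparison against it matches on the status line alone and ignores the Location header; a comment above `set_kb_item` saying so would help whoever reads the C side.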
@@ -205,7 +227,17 @@
found = string("www/no404/", port);
set_kb_item(name:found, value:raw_http_line);

- security_note(port);
+ msg = "
+This web server is redirecting requests for pages
+it can not find to another page. Nessus will use this
+information to reduce the number of false positives
+in this scan.
+
+NOTE: If this web server uses a redirect to serve a
+real CGI program the CGI will *NOT* be identified by
+Nessus because of the use of 302 redirects for 404 errors.
+";
+ security_note(port: port, data: msg);
if(debug) display("302: Using ", raw_http_line, "\n");
exit(0);
}
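Review bot: replacing the bare `security_note(port)` with an explanatory message is welcome, but the text states that a real CGI behind a redirect "will *NOT* be identified" unconditionally, while this hunk only records the KB item; the suppression itself depends on the www_funcs.c change also being applied. Word it as "Nessus treats a redirect matching this response as 'not found'", and keep the message in a single variable shared with the 301 branch rather than two near-identical string literals.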



--- www_funcs.c.orig 2003-02-09 10:13:01.000000000 -0600
+++ www_funcs.c 2003-03-03 16:48:19.000000000 -0600
@@ -791,6 +791,18 @@
}
else if(strstr(line, " 301 ") ||
strstr(line, " 302 ")){
+
+ if(no404)
+ {
+ if(ne_strcasestr(buff, no404))
+ {
+ /* redirect matches the no404 string
+ * this means that this CGI is not found */
+ i = 0;
+ break;
+ }
+ }
+
/*
* Redirection
*/
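Review bot: `i = 0; break;` relies on a loop variable and control flow not shown in this hunk; confirm that the `break` leaves the loop that walks the response and that `i == 0` is what the function returns for "not installed", otherwise execution continues into the redirection code below and the fix is a no-op. Also, `ne_strcasestr(buff, no404)` searches the whole response buffer for the stored status line, so a 301/302 whose body happens to quote "HTTP/1.1 302 Found" is also classed as not found; comparing against `line` (the status line already tested by the `strstr` calls above) is the tighter check.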

--
Art Green V: +1-608-937-5226
Sr. Security Analyst
Lands' End, Inc.
1 Lands' End Lane
Dodgeville, WI 53595
Visit us on the web: http://www.landsend.com
--
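To make the decision the two patches implement concrete, here is an added Python model; it is not Art's code and not Nessus's. One function stands in for the no404.nasl KB value and the other for the new branch in is_cgi_installed_by_port, run over constructed responses; only the redirect case of no404.nasl is modelled.

```python
import re

# Constructed sample responses; none was captured from a real server.
MISSING_PAGE = "HTTP/1.1 302 Found\r\nLocation: /error.html\r\n\r\n"
PROBE_FALSE_POSITIVE = "HTTP/1.1 302 Found\r\nLocation: /error.html\r\n\r\n"
PROBE_REAL_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: /cgi-bin/v2/form.pl\r\n\r\n"
PROBE_PRESENT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
PROBE_ABSENT = "HTTP/1.1 404 Not Found\r\n\r\n"

# The two ereg() patterns from the NASL patch, merged into one.
REDIRECT_RE = re.compile(r"^HTTP.*30[12]")


def status_line(response: str) -> str:
    """First line of a raw HTTP response (no404.nasl's raw_http_line)."""
    return response.split("\r\n", 1)[0]


def no404_value(response_to_bogus_url: str):
    """Stand-in for no404.nasl: if a request for a page that cannot exist
    is answered with a 301/302, the raw status line is what gets stored
    under www/no404/<port>; otherwise nothing is stored for this case."""
    line = status_line(response_to_bogus_url)
    return line if REDIRECT_RE.match(line) else None


def cgi_check(response: str, no404) -> str:
    """Stand-in for the patched 301/302 branch of is_cgi_installed_by_port.
    Returns the decision the C code reaches for this response."""
    line = status_line(response)
    if " 200 " in line:
        return "installed"
    if " 301 " in line or " 302 " in line:
        # Patched behaviour: a case-insensitive substring match of the
        # stored no404 string anywhere in the buffer means "not found".
        if no404 and no404.lower() in response.lower():
            return "not_installed"
        return "follow_redirect"  # original behaviour: chase Location
    return "not_installed"


def demo() -> dict:
    """Run the four probes against the baseline learned from MISSING_PAGE."""
    baseline = no404_value(MISSING_PAGE)
    probes = {"false_positive": PROBE_FALSE_POSITIVE, "present": PROBE_PRESENT,
              "real_redirect": PROBE_REAL_REDIRECT, "absent": PROBE_ABSENT}
    return {name: cgi_check(resp, baseline) for name, resp in probes.items()}
```

The `real_redirect` result shows the downside Art describes: a genuine CGI served through a 302 carries the same status line as the no404 baseline and is therefore reported as not installed.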