Mailing List Archive

False positive in nsm_format_strings.nasl
Hi,

This is to remove a false positive in nsm_format_strings.nasl

100,105c100
<
< if ("HTTP/1.0 400 " >< r)
< {
< exit(0);
< }
<
---
>
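
Review bot: the file order of this diff looks swapped at `100,105c100`: the `if ("HTTP/1.0 400 " >< r)` block sits on the `<` side, which in normal diff output is the first file, so applied as written the change replaces lines 100-105 with a blank line and deletes the check. If the intent is to add an early exit on a 400 reply, regenerate it with the original file first, preferably as a unified diff so the context shows which request's reply `r` holds.
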
Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com
Re: False positive in nsm_format_strings.nasl
On Thu, Aug 22, 2002 at 11:28:11AM +0200, Noam Rathaus wrote:
> Hi,
>
> This is to remove a false positive in nsm_format_strings.nasl
>
> 100,105c100
> <
> < if ("HTTP/1.0 400 " >< r)
> < {
> < exit(0);
> < }
> <
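
Review bot: the match string in `if ("HTTP/1.0 400 " >< r)` is pinned to one protocol version, so a server that answers `HTTP/1.1 400` never takes this branch. Match on the status code independently of the version prefix, and add a comment naming the server that motivated the check, since `exit(0)` ends the plugin with no trace of why it stopped.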

I fail to understand that. The logic in the code is :

- Request GET http://www.foobar.com HTTP/1.1
  Authorization: (nessus:nessus)
- If we get a reply, we do :
  GET http://www.foobar.com
  Authorization: (some format strings)
- If we don't get any reply this time,
  then the remote server probably crashed,
  we issue an alert


Which server did produce a false positive ? Are you sure it's really
a false positive ?


-- Renaud
Re: False positive in nsm_format_strings.nasl
On Thu, Aug 22, 2002 at 11:46:49AM +0200, Noam Rathaus wrote:
> Hi,
>
> Why continue if the server responds with a "400 Bad Request" ? Why risk a false
> positive?

I don't see _how_ this can cause a false positive. In this case, we
don't care about the server reply - whether it accepts to proxy stuff to
us or not, or if it does not even know what proxying is, we don't care.
What we're interested in is the way it behaves when provided with a
badly formed Proxy-Authorization field. If it issues a code 400 on the
first request, it will do the same on the second one, so there's no
false positive here.


-- Renaud
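
The decision logic discussed in this thread, as an added example that is not part of the original posts or the plugin's own code: it enumerates baseline/probe reply pairs and lists the ones whose verdict the proposed early exit changes. The function names, the constructed sample replies, and the assumption that `r` is the reply to the first request are illustrative.

```python
from itertools import product

# Constructed sample replies; None models "no reply at all".
REPLIES = {
    "200": "HTTP/1.0 200 OK\r\n\r\n",
    "400": "HTTP/1.0 400 Bad Request\r\n\r\n",
    "407": "HTTP/1.0 407 Proxy Authentication Required\r\n\r\n",
    "none": None,
}


def verdict(baseline, probe, exit_on_400=False):
    """Return True when the check would raise an alert.

    baseline:    reply to the request with ordinary credentials
    probe:       reply to the request carrying the malformed auth field
    exit_on_400: apply the proposed early exit (assumed to test the
                 baseline reply) before the second request is evaluated
    """
    if baseline is None:
        return False  # server never answered, nothing to compare against
    if exit_on_400 and "HTTP/1.0 400 " in baseline:
        return False  # proposed patch: stop as soon as a 400 is seen
    # Alert only when a server that answered before goes silent afterwards.
    return probe is None


def outcomes_changed_by_early_exit():
    """List (baseline, probe, before, after) where the patch flips the verdict."""
    changed = []
    for b, p in product(REPLIES, repeat=2):
        before = verdict(REPLIES[b], REPLIES[p])
        after = verdict(REPLIES[b], REPLIES[p], exit_on_400=True)
        if before != after:
            changed.append((b, p, before, after))
    return changed


if __name__ == "__main__":
    for row in outcomes_changed_by_early_exit():
        print("baseline=%s probe=%s alert before=%s after=%s" % row)
```

The only pair that changes is a 400 baseline followed by no reply to the probe: a server that answers 400 both times raises no alert with or without the early exit.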
Re: False positive in nsm_format_strings.nasl
Hi,

Why continue if the server responds with a "400 Bad Request" ? Why risk a false
positive?

Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com
----- Original Message -----
From: "Renaud Deraison" <deraison@nessus.org>
To: "Nessus Plugin Mailing List" <plugins-writers@list.nessus.org>
Sent: Thursday, August 22, 2002 10:37 AM
Subject: Re: False positive in nsm_format_strings.nasl


> On Thu, Aug 22, 2002 at 11:28:11AM +0200, Noam Rathaus wrote:
> > Hi,
> >
> > This is to remove a false positive in nsm_format_strings.nasl
> >
> > 100,105c100
> > <
> > < if ("HTTP/1.0 400 " >< r)
> > < {
> > < exit(0);
> > < }
> > <
>
> I fail to understand that. The logic in the code is :
>
> - Request GET http://www.foobar.com HTTP/1.1
>   Authorization: (nessus:nessus)
> - If we get a reply, we do :
>   GET http://www.foobar.com
>   Authorization: (some format strings)
> - If we don't get any reply this time,
>   then the remote server probably crashed,
>   we issue an alert
>
>
> Which server did produce a false positive ? Are you sure it's really
> a false positive ?
>
>
> -- Renaud
>