All -

Running a scan against a single Apache web server, with plug-ins #10672 and #10662, and with the following options selected:

Plug-in #10672 "Send POST requests"
Plug-in #10662 "Follow dynamic pages"

I also selected the following plug-in prefs:
Experimental scripts
Enable CGI scanning
Thorough tests

The following options were unselected:
Optimize the test
Safe checks

For some reason which I'm unable to explain, the Nessus scanner will not detect XSS vulnerabilities in my server. I'm using Nessus 2.2.10 and updated the plug-ins last night (registered feed).

Any suggestions?

-----Original Message-----
From: George A. Theall [mailto:[EMAIL PROTECTED]
Sent: Monday, June 09, 2008 11:13 AM
To: Christopher Ashby
Subject: Re: Nessus XSS Discoveries

> Sorry for the confusion. Below are the XSS issues discovered by the
> third party; what I sent before is what Nessus found. Thanks.

Nessus plugin #10672 should catch this sort of issue, although its effectiveness will depend on how you configure it and plugin #10662 (Web mirroring):

- The former's option "Send POST requests" controls whether POSTs will be tested. It is set to "no" by default.
- The latter's option "Follow dynamic pages" controls whether links such as "/action.php?id=42" are followed. It is set to "no" by default.

Be careful about enabling either on a production server as they could end up negatively impacting a target, say by posting bogus "comments" to a forum or following a link such as "/action.php?id=42&delete=yes".

George
--
[EMAIL PROTECTED]

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
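The point George makes about "Send POST requests" is easy to reproduce outside Nessus. The script below is an added example written for this page; it is not Nessus plugin #10672 nor any code from the thread. It injects a unique `<xss...>` marker into each parameter, first via GET and (optionally) via POST, and reports every parameter whose marker comes back in the response body with its angle brackets intact. The target `fake_app`, its URL and its parameter names (`q`, `name`, `comment`) are constructed for the example and stand in for the Apache server in the thread: `q` reflects unescaped on GET, `name` is HTML-escaped, and `comment` is only echoed by a POST handler, so a GET-only scan misses it exactly as a default-configured #10672 would.

```python
"""Reflected-XSS probe in the spirit of Nessus plugin #10672.

Hypothetical re-implementation for illustration, not Nessus code.  A marker is
injected into each parameter by GET and, when send_post=True, by POST; any
parameter whose marker is returned unencoded is reported.
"""
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def make_marker() -> str:
    # A fresh random tag per request so a cached or stale page cannot
    # produce a false positive.
    return f"<xss{secrets.token_hex(4)}>"


def probe_reflected_xss(fetch, url, params, send_post=False):
    """Return a sorted list of (method, param) pairs that reflect the marker raw.

    fetch(method, url, data) -> response body as str.  It is passed in so
    the same probe can drive a live transport (real_fetch) or the offline
    fake_app below.
    """
    findings = []
    methods = ["GET"] + (["POST"] if send_post else [])
    for method in methods:
        for name in params:
            marker = make_marker()
            payload = dict(params)
            payload[name] = marker          # taint exactly one parameter
            if method == "GET":
                parts = urlsplit(url)
                target = urlunsplit(parts._replace(query=urlencode(payload)))
                body = fetch("GET", target, None)
            else:
                body = fetch("POST", url, urlencode(payload))
            # The raw marker in the body means '<' and '>' survived unencoded;
            # an escaped copy (&lt;xss...&gt;) does not match and is not reported.
            if marker in body:
                findings.append((method, name))
    return sorted(findings)


# ---- constructed fake target (assumption: stands in for the Apache box) ----
def fake_app(method, url, data):
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    form = {k: v[0] for k, v in parse_qs(data or "").items()}
    if method == "GET":
        # 'q' is echoed raw (vulnerable); 'name' is escaped (safe).
        return (f"<p>Results for {query.get('q', '')}</p>"
                f"<p>Hello {html.escape(query.get('name', ''))}</p>")
    # Comment form handled only on POST; echoes the comment raw (vulnerable).
    return f"<div class=comment>{form.get('comment', '')}</div>"


def real_fetch(method, url, data):
    # Live transport for a real target; not used by the offline demo.
    from urllib.request import Request, urlopen
    req = Request(url, data=data.encode() if data else None, method=method)
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    params = {"q": "test", "name": "test", "comment": "test"}
    url = "http://target.example/search.php"   # assumed URL
    print("GET only:", probe_reflected_xss(fake_app, url, params))
    print("GET+POST:", probe_reflected_xss(fake_app, url, params, send_post=True))
```

With `send_post=False` the probe reports only `("GET", "q")`; with `send_post=True` it also reports `("POST", "comment")`. Note that every POST the probe sends is a real form submission, which is precisely the production-impact caveat in George's reply: against a live forum the marker would be stored as a bogus comment, and a crawler that follows every dynamic link would just as happily hit a `delete=yes` URL.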
