On Jul 8, 2008, at 5:00 PM, Sebastián Bortnik wrote:

> I'm new at the list. I don't know if this is the place to expose my
> suggestion.

This is definitely on-topic for the list.

> I'm working with Nessus and we saw (with my colleagues) this
> description in plugin ID 10815:
> "The remote host is running a web server that fails to adequately
> sanitize request strings of malicious JavaScript."
>
> We think that XSS is a vulnerability on applications, not on servers.
>
> In my opinion, it must be: "... is running a web application that
> fails ... "
>
> What do you think? What if it's wrong? Who is responsible for
> changing it?

The goal of the plugin is to check web servers themselves for cross-site scripting issues. One common area where this happens is in error pages that fail to sanitize the request URL before including it in the output, such as was reported a while ago in Cherokee:

http://www.securityfocus.com/archive/1/archive/1/430385/100/0/threaded

Also, if you study the requests the plugin generates, you'll see a number of them involve randomly-generated filenames, which suggests it's not testing any specific applications per se.

George
--
[EMAIL PROTECTED]

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
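The point George makes, that a web server's own error page can reflect the request URL unescaped regardless of which application is deployed, is illustrated below with an added example that is not part of the thread and is not the code of Nessus plugin 10815. Two constructed "404 Not Found" page generators (vulnerable_404, hardened_404) stand in for a server's built-in error handling, and a check in the spirit of the plugin requests a random, non-existent filename carrying a harmless HTML marker and reports whether the marker comes back with its angle brackets intact. All function names are assumptions; a real check would send the path over HTTP and the server's URL decoding would apply first.

```python
import html
import secrets
from typing import Callable, Tuple

# Constructed stand-ins for a web server's built-in error page. Neither is real
# server code; they only model the two behaviours the plugin distinguishes.

def vulnerable_404(path: str) -> str:
    """Error page that echoes the requested path verbatim: request data lands in
    HTML without sanitization, which is the defect plugin 10815 looks for."""
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The requested URL {path} was not found on this server.</p>"
        "</body></html>"
    )

def hardened_404(path: str) -> str:
    """Same page, but the path is HTML-escaped before it is placed in the body,
    so '<', '>', '&' and quotes can no longer form markup."""
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The requested URL {html.escape(path, quote=True)} was not found on this server.</p>"
        "</body></html>"
    )

def probe_request_path() -> Tuple[str, str]:
    """Build a request path for a random filename that no application serves,
    carrying a harmless marker tag. Returns (path, marker)."""
    marker = f"<probe{secrets.token_hex(4)}>"
    filename = secrets.token_hex(8)  # random name: no specific application endpoint is exercised
    return f"/{filename}{marker}.html", marker

def error_page_reflects_unescaped(handler: Callable[[str], str], path: str, marker: str) -> bool:
    """True if the handler's error page contains the marker with its angle brackets
    intact, i.e. the server copied request data into HTML without escaping it."""
    body = handler(path)
    return marker in body and html.escape(marker) not in body

def check_server(handler: Callable[[str], str]) -> bool:
    """Run one probe against a handler and return True if it reflects unescaped."""
    path, marker = probe_request_path()
    return error_page_reflects_unescaped(handler, path, marker)

if __name__ == "__main__":
    for name, handler in (("vulnerable_404", vulnerable_404), ("hardened_404", hardened_404)):
        verdict = "reflects request URL unescaped" if check_server(handler) else "escapes request URL"
        print(f"{name}: {verdict}")
```

Because the probe filename is random and unrelated to any deployed application, a positive result can only come from the server's own handling of unknown paths, which is why the finding is reported against the web server rather than an application; the fix is the one hardened_404 shows, escaping request-derived data before it is written into the error page.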
