We are noticing that the whisker plugin (ID=10845) has been the main source of false positive CGI abuses. I think I found out why it is raising so many false positives for us:
It depends on no404.nasl. If no404.nasl detects that the server is "broken", then the whisker plugin aborts with no threats found, which sounds good. The problem is that no404.nasl does not treat "403 Permission Denied" requests as "found" while whisker does.

Here are the changes that I would like to implement:

1. Make no404.nasl store something in the KB when it gets 403 return codes. It would have to be a separate key so as to not interfere with existing plugins that depend on no404.nasl.

2. Modify the whisker code to not bark about 403 requests if this new no404.nasl key is in the KB.

Does this sound like a reasonable change?

P.S. Sorry for cross-posting, but it doesn't appear that there is much traffic on the nessus-devel list.

Thanks,
Erik

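A runnable model of the interaction proposed in the post, added here as an illustration; it is not code from the Nessus plugins or from Erik's message. The KB key names (www/no404, www/all403), the fake server and the candidate CGI paths are all assumptions constructed for the example; the real no404.nasl key and the internals of plugin 10845 do not appear on this page. It shows why a server that answers 403 for every missing file turns a "200 or 403 means found" check into a false-positive generator, and how the separate KB key lets the scanner discount 403 without touching the existing "broken server" behaviour.

```python
"""Model of the proposed no404 / whisker interaction (illustrative, not Nessus code)."""
import random
import string

# Knowledge-base keys. Both names are assumptions for this example: the first
# stands in for the existing "server is broken" marker, the second is the new,
# separate key the post proposes for "server answers 403 to nonexistent files".
KB_NO404 = "www/no404"
KB_ALL403 = "www/all403"


def random_path(rng, n=12):
    """A file name that should not exist on any real server."""
    return "/" + "".join(rng.choice(string.ascii_lowercase) for _ in range(n)) + ".cgi"


def no404_check(fetch, kb, rng=None):
    """Probe one random file and record how the server treats missing resources.

    Sets KB_NO404 when the bogus file returns 200 (the classic broken server) and
    KB_ALL403 when it returns 403, so later plugins can discount 403 answers.
    Returns the observed status code."""
    rng = rng or random.Random(0)
    status = fetch(random_path(rng))
    if status == 200:
        kb[KB_NO404] = "1"
    elif status == 403:
        kb[KB_ALL403] = "1"
    return status


def cgi_scan(fetch, kb, paths, found_codes=(200, 403)):
    """Whisker-style check: a path is 'found' if it returns one of found_codes.

    Aborts with nothing found when KB_NO404 is set (existing behaviour) and drops
    403 from the 'found' set when KB_ALL403 is set (the proposed change)."""
    if kb.get(KB_NO404):
        return []
    codes = set(found_codes)
    if kb.get(KB_ALL403):
        codes.discard(403)
    return [p for p in paths if fetch(p) in codes]


def make_server(existing, forbid_all=False, broken=False):
    """Constructed fake HTTP server: maps a path to a status code.

    existing:   paths that really exist and their status
    forbid_all: answer 403 for anything else (e.g. a blanket deny rule)
    broken:     answer 200 for anything else (no real 404 page)"""
    def fetch(path):
        if path in existing:
            return existing[path]
        if broken:
            return 200
        return 403 if forbid_all else 404
    return fetch


if __name__ == "__main__":
    # Constructed candidate list; only test-cgi actually exists on the fake host.
    candidates = ["/cgi-bin/test-cgi", "/cgi-bin/phf", "/cgi-bin/nph-test-cgi"]
    srv = make_server({"/cgi-bin/test-cgi": 200}, forbid_all=True)

    print("without no404 key:", cgi_scan(srv, {}, candidates))   # all three "found"
    kb = {}
    no404_check(srv, kb)
    print("kb after no404:", kb)
    print("with no404 key:   ", cgi_scan(srv, kb, candidates))   # only test-cgi
```

The probe here is per server; a host that returns 403 only for one directory (say, a forbidden /cgi-bin/) would still slip through, so a per-directory variant of the key is the natural next step if the false positives cluster that way.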