Nmap Development mailing list archives
New script for nmap that test XST vulnerability
From: Wagiro <Edu () wagiro es>
Date: Fri, 09 Jul 2010 11:46:23 +0200
Hi people, I wrote a new script for nmap. This script tests for the Cross Site Tracing vulnerability. Nmap has two scripts that test the TRACE method, "http-methods" and "http-trace", but they do not test for the XST vulnerability. The http-methods script only tests with an OPTIONS request, but if the OPTIONS request is disabled and the TRACE request is enabled, this script doesn't detect the TRACE method. The second script, "http-trace", "Sends an HTTP TRACE request and shows header fields that were modified in the response", but does not test for the XST vulnerability.

Here is an example of the execution of the script:

#nmap --script=http-xst.nse 192.168.1.0/24

Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-08 09:28 CEST
NSE: Script Scanning completed.
Nmap scan report for 192.168.0.10
Host is up (0.012s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
MAC Address: 00:1D:20:FA:AD:3D
NSE: Script scanning 192.168.0.66.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Script Scanning completed.
Nmap scan report for 192.168.0.66
Host is up (0.000014s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
80/tcp  open  http
| http-xst: This Server it's vulnerable to Cross Site Tracing.
| Request:
| TRACE / HTTP/1.0
| Via: <script>alert('XSS')</script>
|
| Response:
| HTTP/1.1 200 OK
| Date: Thu, 08 Jul 2010 07:28:34 GMT
| Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-bt0 with Suhosin-Patch
| Connection: close
| Content-Type: message/http
|
| TRACE / HTTP/1.0
| Via: <script>alert('XSS')</script>
|_
443/tcp open  https
| http-xst: This Server it's vulnerable to Cross Site Tracing.
| Request:
| TRACE / HTTP/1.0
| Via: <script>alert('XSS')</script>
|
| Response:
| HTTP/1.1 200 OK
| Date: Thu, 08 Jul 2010 07:28:34 GMT
| Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-bt0 with Suhosin-Patch
| Connection: close
| Content-Type: message/http
|
| TRACE / HTTP/1.0
| Via: <script>alert('XSS')</script>
|_

Nmap done: 256 IP addresses (2 hosts up) scanned in 6.29 seconds

Here's the code of http-xst.nse

----------------------------------------------------------------------------------------------------------------------------
description = [[Sends an HTTP TRACE request to test for the Cross Site Tracing (XST) vulnerability.]]

---
-- @output
-- 80/tcp open http
-- | http-xst: This Server it's vulnerable to Cross Site-Tracing.
-- | Request:
-- | TRACE / HTTP/1.0
-- | Via: <script>alert('XSS')</script>
-- |
-- | Response:
-- | HTTP/1.1 200 OK
-- | Date: Sun, 04 Jul 2010 15:41:25 GMT
-- | Server: Apache
-- | Connection: close
-- | Content-Type: message/http
-- |
-- | TRACE / HTTP/1.0
-- | Via: <script>alert('XSS')</script>
-- |_

-- 04/07/2010
author = "Eduardo Garcia Melia <egarcia () isecauditors com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "intrusive"}

require "comm"
require "shortport"
require "stdnse"

-- Run on the common HTTP/HTTPS ports or on anything fingerprinted as an HTTP service.
portrule = shortport.port_or_service({80, 8080, 443, 8443}, {"http", "https", "http-alt", "https-alt"})

action = function(host, port)
  local start, stop, body
  -- A TRACE request carrying a marker header: a server that echoes it back
  -- unchanged reflects request headers into the response body.
  local request = "TRACE / HTTP/1.0\r\nVia: <script>alert('XSS')</script>\r\n\r\n"
  -- comm.tryssl tries SSL first and falls back to plain TCP, so the same
  -- request works on both http and https ports.
  local sd, response = comm.tryssl(host, port, request, false)
  if not sd then
    stdnse.print_debug("Unable to open connection")
    return
  end
  -- Only a 200 reply that contains our request line is of interest.
  if not response:match("HTTP/1.[01] 200") or not response:match("TRACE / HTTP/1.0") then
    return
  end
  -- The body of a message/http reply (after the blank line) is the echoed request.
  start, stop = response:find("\r\n\r\n")
  if not stop then
    return
  end
  body = response:sub(stop + 1)
  if request == body then
    local output = "This Server it's vulnerable to Cross Site Tracing.\n"
    output = output .. "Request:\n"
    output = output .. request .. "\n"
    output = output .. "Response:\n"
    return output .. response .. "\n"
  end
end
---------------------------------------------------------------------------------------------------------------------

Regards,
Eduardo.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
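The reflection check that http-xst performs, written out as an added Python example that is not part of the post or of Nmap: it parses a raw TRACE response, requires a 200 status and a message/http body, and generalises the script's exact request == body comparison so that an echoed request whose Via: header was extended by an intermediate proxy is still reported. The function names and the sample request and responses are constructed for this example.

```python
import re

# Constructed sample data: the request the NSE script sends, a reply modelled
# on the Apache output in the post (exposed) and one with TRACE turned off.
TRACE_REQUEST = "TRACE / HTTP/1.0\r\nVia: <script>alert('XSS')</script>\r\n\r\n"

REFLECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 08 Jul 2010 07:28:34 GMT\r\n"
    "Server: Apache\r\n"
    "Connection: close\r\n"
    "Content-Type: message/http\r\n"
    "\r\n" + TRACE_REQUEST
)

DISABLED_RESPONSE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>TRACE not allowed</body></html>"
)


def split_message(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_xst_exposed(request, raw_response):
    """True when the server answered TRACE with 200 and echoed our request.

    Looser than the script's request == body test: the body must start with our
    request line and still contain the Via: value we sent, so a reply whose
    Via: header was extended by a proxy on the path is still flagged."""
    req_line, req_headers, _ = split_message(request)
    status_line, headers, body = split_message(raw_response)
    m = re.match(r"HTTP/1\.[01] (\d{3})", status_line)
    if not m or int(m.group(1)) != 200:
        return False
    if headers.get("content-type", "").split(";")[0].strip() != "message/http":
        return False
    marker = req_headers.get("via", "")
    return bool(marker) and body.startswith(req_line) and marker in body
```

A 405 (or any non-200) answer, or a 200 whose body is not message/http, is reported as not exposed, which is what an Apache with TraceEnable off returns.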