Nmap Development mailing list archives

Re: New script for nmap that test XST vulnerability


From: Rob Nicholls <robert () robnicholls co uk>
Date: Fri, 09 Jul 2010 13:01:06 +0100

On Fri, 09 Jul 2010 11:46:23 +0200, Wagiro <Edu () wagiro es> wrote:
I wrote a new script for nmap. This script tests for the Cross Site Tracing
vulnerability. Nmap has two scripts that test the TRACE method,
"http-methods" and "http-trace", but neither tests for the XST vulnerability. The
http-methods script only tests with an OPTIONS request, but if the OPTIONS request is
disabled and the TRACE request is enabled, this script doesn't detect the TRACE
method. The second script, "http-trace", "Sends an HTTP TRACE request and
shows header fields that were modified in the response" but does not test for the
XST vulnerability.

Hi Wagiro,

Thanks for picking this up; I'd completely forgotten that my modified
http-trace script that specifically checks for XST had stalled in its
development.

http://seclists.org/nmap-dev/2007/q4/617

A script to check this issue would still certainly be useful for me. I'm
concerned that your new script doesn't sufficiently check the output to
confirm XST, as any server that modifies the trace request (which would
probably get flagged by Kri's original script) could potentially generate a
false positive (although I admit it's probably unlikely). Is it possible
you could modify the script to send a fairly unique (perhaps use random
numbers in the alert?) attack and then check the returned body for the
malicious string we'd submitted to the server?

Cheers,

Rob


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
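The check Rob asks for above, as an added example written for this archive page (it is not Wagiro's script, Rob's stalled http-trace variant, or any Nmap project code, and it is Python rather than NSE Lua): send a TRACE request carrying a random marker, then report XST only when that exact marker comes back in the response body, so a server that answers TRACE with something other than an echo of the request does not produce a false positive. The header name X-XST-Probe, the helper names and the three sample responses are assumptions constructed for the example; only the probe() function touches the network, and it is not needed to run the samples.

```python
"""
Added example (not Wagiro's script or the Nmap project's code): a minimal
XST probe in the shape Rob suggests, sending a TRACE request that carries a
random marker and confirming the marker comes back in the response body.
The header name X-XST-Probe, the helper names and the sample responses are
assumptions constructed for this example.
"""
import re
import secrets
import socket


def make_token() -> str:
    """Random marker, so only a server that really echoes this request can
    match it; a server that merely rewrites the TRACE (the false-positive
    case Rob describes) will not produce the value by chance."""
    return "xst-" + secrets.token_hex(8)


def build_trace_request(host: str, token: str, path: str = "/") -> bytes:
    """TRACE request with the marker in a custom header (assumed name)."""
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"X-XST-Probe: {token}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/\d\.\d (\d{3})", lines[0])
    status = int(m.group(1)) if m else None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def check_xst(raw: bytes, token: str):
    """Return (vulnerable, reason). Only a 200 whose body reflects the exact
    marker counts; a 405/501, or a 200 that does not echo it, does not."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return False, f"TRACE rejected (status {status})"
    if token.encode("ascii") not in body:
        return False, "TRACE answered 200 but the marker was not reflected"
    ctype = headers.get("content-type", "")
    note = "" if ctype.startswith("message/http") else f" (Content-Type {ctype!r}, not message/http)"
    return True, "TRACE reflects the request: XST possible" + note


def probe(host: str, port: int = 80, timeout: float = 5.0):
    """Live probe against a real server; not exercised by the samples below."""
    token = make_token()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host, token))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return check_xst(b"".join(chunks), token)


# Constructed sample responses (not captured from any real host).
TOKEN = "xst-00112233aabbccdd"

REFLECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-XST-Probe: " + TOKEN.encode() + b"\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

NOT_ALLOWED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# A 200 that does not echo the request: the case a bare "did TRACE return
# 200?" check would misreport as XST.
NOT_REFLECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>TRACE handled by a rewriting proxy</body></html>"
)


if __name__ == "__main__":
    for name, sample in [("reflected", REFLECTED), ("405", NOT_ALLOWED), ("200 no echo", NOT_REFLECTED)]:
        print(name, check_xst(sample, TOKEN))
```

Carrying the marker in a header rather than in a request body keeps the request a plain TRACE, which is what a browser-side XST attack would issue; the Content-Type note is advisory only, since the decisive signal is the reflected marker, not the media type the server chose to label it with.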

