Nmap Development mailing list archives
NSE for checking crossdomain.xml
From: Seth Art <sethsec () gmail com>
Date: Mon, 29 Sep 2014 23:47:04 -0400
List, I've created a NSE script that looks for the existence of crossdomain.xml files and will provide the user with the following information: 1) If a wildcard exists, it will alert the user. 2) If specific domains are trusted by the crossdomain.xml, it will tell the user that there could still be risk, and it will give the user a comma delimited list of domains that are trusted, and encourage the user to check the availability of the trusted domains. You can see this better in the sample output in the NSE. https://github.com/sethsec/crossdomain-exploitation-framework/blob/master/http-crossdomain.nse For more information on what this script does, skip to the 20th minute of my DerbyCon talk from this weekend: https://www.youtube.com/watch?v=v_5dTJYjSMA&list=UU4PBNDLlS4d75MP0xxcukGA Like Mariusz who just posted a few hours ago, this is also my first NSE, and I'm completely open to feedback or guidance. For those that are wondering, the reason I did not go with an version that automatically does the lookup, is that I could not find a domain availability lookup source that allows access to an API without an API key. If anyone has a way to check domain availability that is completely open and in line with the terms of service, I'd be very interested to automate that portion of this script. Regards, Seth Art _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NSE for checking crossdomain.xml Seth Art (Sep 29)
- Internship: Improving Nmap's IPv6 OS detection Mathias Morbitzer (Sep 30)