Nmap Development mailing list archives
Re: NSE for checking crossdomain.xml
From: Seth Art <sethsec () gmail com>
Date: Wed, 8 Apr 2015 14:11:02 -0400
Paulino - Thanks so much for fixing up and adding the script. This is my first contribution to a well known open source project, and it feels so great to see it live! Thanks you Daniel also for digging it up from the mailing list! -Seth On Wed, Apr 8, 2015 at 12:05 PM, Paulino Calderon Pale < paulino () calderonpale com> wrote:
Hi, I’ve committed in r34406 an updated version of this script which fixes an issue with the web service, adds structured output, removes unnecessary code by using stones and fixes a couple of bugs related to tld handling. Thank you Seth for your submission. It took us some time but we finally got it included! This script certainly adds a necessary check needed while testing RIA applications. http-crossdomainxml: https://svn.nmap.org/nmap/scripts/http-crossdomainxml.nse Cheers. On Sep 29, 2014, at 10:47 PM, Seth Art <sethsec () gmail com> wrote: List, I've created a NSE script that looks for the existence of crossdomain.xml files and will provide the user with the following information: 1) If a wildcard exists, it will alert the user. 2) If specific domains are trusted by the crossdomain.xml, it will tell the user that there could still be risk, and it will give the user a comma delimited list of domains that are trusted, and encourage the user to check the availability of the trusted domains. You can see this better in the sample output in the NSE. https://github.com/sethsec/crossdomain-exploitation-framework/blob/master/http-crossdomain.nse For more information on what this script does, skip to the 20th minute of my DerbyCon talk from this weekend: https://www.youtube.com/watch?v=v_5dTJYjSMA&list=UU4PBNDLlS4d75MP0xxcukGA Like Mariusz who just posted a few hours ago, this is also my first NSE, and I'm completely open to feedback or guidance. For those that are wondering, the reason I did not go with an version that automatically does the lookup, is that I could not find a domain availability lookup source that allows access to an API without an API key. If anyone has a way to check domain availability that is completely open and in line with the terms of service, I'd be very interested to automate that portion of this script. Regards, Seth Art _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: NSE for checking crossdomain.xml Paulino Calderon Pale (Apr 08)
- Re: NSE for checking crossdomain.xml Seth Art (Apr 08)