Nmap Development mailing list archives
nse script for Apache HTTP Server 413 Error Page XSS
From: jah <jah () zadkiel plus com>
Date: Tue, 04 Dec 2007 15:59:07 +0000
As a learning exercise, I thought I'd fire up backtrack and have a play with scapy.py, to see if I could find any apache servers vulnerable to the Apache HTTP Server 413 Error Page XSS issue disclosed at http://www.procheckup.com/Vulnerability_PR07-37.php. This was my first foray into Python land and I found it hard going and abandoned the idea when I thought "This would be much easier with nmap". So I wrote the attached script. Well, maybe 'wrote' is overstating it; I cobbled it together from Diman's HTTPVersion and HTMLTitle scripts and a little learning from the nse api docs.
I only submit it here as a request, if anyone pleases (at their leisure), for comments on its well-formedness and perceived usefulness, as it's my first attempt at an nse script. I'm particularly interested in any envisaged problems with the script and I'd also like to know whether it is best practice to only produce output if we get a positive result.
The script sends a crafted HTTP request:

  <badchars> / HTTP/1.1
  Host: target-domain:port
  Connection: close
  Content-length: -1
  [LF]
  [LF]

and a vulnerable server will respond without escaping <badchars>:

  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>413 Request Entity Too Large</title>
  </head><body>
  <h1>Request Entity Too Large</h1>
  The requested resource<br />/index.html<br />does not allow request data with <badchars> requests, or the amount of data provided in
  the request exceeds the capacity limit.
  <hr>
  <address>Apache/2.2.2 (Fedora) Server at <snip> Port 80</address>
  </body></html>

I'm amazed at how many vulnerable servers there are out there. I've run the following scan many times to get a feel for the different responses:
nmap -iR 500 -p80 -sV -sS --script showHTTP413XSS.nse --log-errors --script-trace
and about 30% of apache web servers that are publicly serving are vulnerable which cannot be good. As I understand it, the possible exploits will likely make use of Flash actionscript (v6 & 7) which can send HTTP requests via the web browser.
jah
description = "Tests for XSS on Apache HTTP Server 413 error pages via malformed HTTP method\
exploitable by Forging HTTP request headers using Flash Actionscript\
see http://www.procheckup.com/Vulnerability_PR07-37.php for details\
Usage: \
Requires Version Detection to identify Apache webservers\
Example: nmap <target> -p80 -sV --script showHTTP413XSS"

id = "HTTP 413 XSS"
author = "jah <jah at zadkiel.plus.com>"
license = "See nmaps COPYING for licence"
categories = {"vulnerability"}
runlevel = 1.0

-- Run only against open TCP ports that look like HTTP and whose
-- version-detection product string names Apache (hence -sV is required).
portrule = function(host, port)
  if (port.number == 80 or port.service == "http")
    and port.protocol == "tcp"
    and port.state == "open"
    and port.version.product ~= nil
    and string.match(port.version.product, "Apache") then
    return true
  else
    return false
  end
end

action = function(host, port)
  -- Probe: a non-token method plus a negative Content-length provokes the
  -- 413 error page, in which a vulnerable server echoes the method unescaped.
  local query = "<badchars> / HTTP/1.1\r\n"
  query = query .. "Host: " .. host.ip .. ":" .. port.number .. "\r\n"
  query = query .. "Connection: close\r\n"
  query = query .. "Content-length: -1\r\n\r\n\r\n"

  local socket = nmap.new_socket()
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)

  try(socket:connect(host.ip, port.number))
  try(socket:send(query))

  -- Read the whole response; receive_lines returns false on EOF or error.
  local response = ""
  local status, lines
  while true do
    status, lines = socket:receive_lines(1)
    if not status then break end
    response = response .. lines
  end
  socket:close()

  -- "<badchars>" contains no Lua pattern magic characters, so a plain
  -- match means the method was reflected without HTML escaping.
  if string.match(response, "<badchars>") then
    return "The server is VULNERABLE to XSS by way of spoofed HTTP METHOD"
  end
  -- Only positive results are reported; uncomment to report the negative too.
  -- return "The server is NOT vulnerable to XSS by way of spoofed HTTP METHOD"
  return nil
end
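The following Python is an added example, not part of jah's post or of Nmap, showing the same condition from the server operator's side: spotting a request whose method is not a valid HTTP token (which is what this probe looks like in an Apache access log) and classifying a captured 413 error page as reflecting the probe string unescaped, HTML-escaped, or not at all. The log lines and response bodies are constructed for the example, the log format is assumed to be Apache's common format, and the function names are the example's own.

```python
import html
import re
from typing import Dict, List, Optional

# RFC 2616 "token" = 1*<any CHAR except CTLs or separators>
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

# Apache "common" log format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic). The second one is what the
# probe from the post looks like once Apache writes the request line to its log.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [04/Dec/2007:15:59:07 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '203.0.113.9 - - [04/Dec/2007:16:01:12 +0000] "<badchars> / HTTP/1.1" 413 312',
    '198.51.100.7 - - [04/Dec/2007:16:02:30 +0000] "POST /form HTTP/1.1" 200 55',
    'garbage line that does not parse',
]


def method_is_token(method: str) -> bool:
    """True if every character is printable US-ASCII and not a separator."""
    if not method:
        return False
    return all(33 <= ord(c) <= 126 and c not in SEPARATORS for c in method)


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Split one common-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request = m.group("request")
    parts = request.split(" ")
    return {
        "client": m.group("client"),
        "method": parts[0] if parts else "",
        "request": request,
        "status": int(m.group("status")),
    }


def flag_malformed_methods(lines: List[str]) -> List[Dict[str, object]]:
    """Return parsed entries whose method is not a valid HTTP token."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        if not method_is_token(str(entry["method"])):
            hits.append(entry)
    return hits


def classify_reflection(body: str, marker: str) -> str:
    """Classify how an error page handles the probe string.
    'reflected-unescaped' is the condition the NSE script reports as vulnerable;
    'reflected-escaped' means the server HTML-encoded it (the patched behaviour);
    'absent' means the method was not echoed at all."""
    if marker in body:
        return "reflected-unescaped"
    if html.escape(marker, quote=False) in body:
        return "reflected-escaped"
    return "absent"


# Constructed response bodies modelled on the 413 page quoted in the post.
VULNERABLE_BODY = (
    "<html><head><title>413 Request Entity Too Large</title></head><body>"
    "<h1>Request Entity Too Large</h1>The requested resource<br />/index.html<br />"
    "does not allow request data with <badchars> requests</body></html>"
)
FIXED_BODY = VULNERABLE_BODY.replace("<badchars>", "&lt;badchars&gt;")

if __name__ == "__main__":
    for hit in flag_malformed_methods(SAMPLE_LOG_LINES):
        print(f"{hit['client']} sent non-token method {hit['method']!r} -> {hit['status']}")
    print(classify_reflection(VULNERABLE_BODY, "<badchars>"))
    print(classify_reflection(FIXED_BODY, "<badchars>"))
```

The log regex is deliberately simple: Apache escapes a literal double quote in the request line as `\"` and non-printable bytes as `\xNN`, which this pattern does not unpick, so a production rule would decode those first. The token check is the useful part: a method that fails it never comes from a browser's normal request path, so a 413 paired with a non-token method is a reliable signal that someone is testing for this reflection.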
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org