Nmap Development mailing list archives

Re: New script for nmap that test XST vulnerability


From: David Fifield <david () bamsoftware com>
Date: Sun, 8 Aug 2010 20:32:44 -0600

On Fri, Jul 09, 2010 at 11:46:23AM +0200, Wagiro wrote:
I wrote a new script for Nmap. This script tests for the Cross Site Tracing
vulnerability. Nmap has two scripts that test the TRACE method,
"http-methods" and "http-trace", but they do not test for the XST vulnerability. The
http-methods script only tests with an OPTIONS request, but if the OPTIONS request is
disabled and the TRACE request is enabled, this script does not detect the TRACE
method. The second script, "http-trace", "Sends an HTTP TRACE request and
shows header fields that were modified in the response" but does not test for the
XST vulnerability.

Here is an example of the execution of the script:

#nmap --script=http-xst.nse 192.168.1.0/24

Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-08 09:28 CEST
NSE: Script scanning 192.168.0.66.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Script Scanning completed.
Nmap scan report for 192.168.0.66
Host is up (0.000014s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
| http-xst: This Server it's vulnerable to Cross Site Tracing.
| Request:
| TRACE / HTTP/1.0
| Via: <script>alert('XSS')</script>
|
| Response:
| HTTP/1.1 200 OK
| Date: Thu, 08 Jul 2010 07:28:34 GMT
| Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-bt0 with Suhosin-Patch
| Connection: close
| Content-Type: message/http
|
| TRACE / HTTP/1.0
| Via: <script>alert('XSS')</script>
|_

Nmap done: 256 IP addresses (2 hosts up) scanned in 6.29 seconds

Thank you for making this submission, and for doing such a nice job with
the documentation.

        local request = "TRACE / HTTP/1.0\r\nVia: <script>alert('XSS')</script>\r\n\r\n"
        if not response:match("HTTP/1.[01] 200") or
           not response:match("TRACE / HTTP/1.0") then
                return
        end

The first thing I suggest is that you should use the http library
instead of crafting requests and parsing HTTP.

http://nmap.org/nsedoc/lib/http.html

About the request, what is the purpose of <script>alert('XSS')</script>?
I may not understand correctly, but it seems to me that JavaScript
injection is not the danger of XST. Is the browser supposed to
HTML-escape it or something? These documents,

http://www.kb.cert.org/vuls/id/867593
http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)

suggest that the main danger is cookie stealing, and as prevention only
say to disable TRACE completely. Even if the server did something to the
JavaScript, the threat of stealing secret information would remain.

I am asking whether this script has any advantage over http-methods,

http://nmap.org/nsedoc/scripts/http-methods

This script already notifies if TRACE is supported, which is enough,
because the specific contents of the TRACE response are not as
important. Your script directly tests whether TRACE is supported, which
would find it in case OPTIONS claims not to support it. http-methods
would not find it in this case. But then we have http-trace.

http://nmap.org/nsedoc/scripts/http-trace

http-trace doesn't report whether TRACE is enabled, only whether header
fields have changed. But perhaps it should always report when it
discovers TRACE, at the beginning of the output. The output would be

80/tcp open  http
|_http-trace: TRACE is supported.

80/tcp open  http
| http-trace: TRACE is supported.
| Response differs from request.  First 5 additional lines:
| Cookie: UID=d4287aa38d02f409841b4e0c0050c131...
| Country: us
| Ip_is_advertise_combined: yes
| Ip_conntype-Confidence: -1
|_Ip_line_speed: medium

Will you please submit a patch that does this modification to
http-trace?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
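The http-trace change David asks for above, written out as an added example NSE script. This is not code from the thread and not Nmap's own http-trace.nse: it uses the http library instead of a hand-built request, reports "TRACE is supported." as the first output line, and then shows what the server echoed back. It assumes the NSE http library's http.generic_request (with an options.header table), shortport.http, stdnse.get_script_args and stdnse.format_output; the X-Trace-Canary header name, the author placeholder and the script argument names (path, maxlines) are made up for the example.

```lua
-- Added example, not from the thread and not Nmap's own http-trace.nse.
-- Assumes the NSE http library (http.generic_request with options.header),
-- shortport.http, stdnse.get_script_args and stdnse.format_output.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local math = require "math"

description = [[
Sends an HTTP TRACE request and reports whether TRACE is supported.
When it is, the echoed request is shown, because a browser-issued TRACE
echoes Cookie and Authorization headers the same way (Cross Site Tracing).
]]

author = "example author"  -- placeholder, assumed
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.http

-- Split the TRACE response body (the echoed request) into lines.
local function split_lines(body)
  local lines = {}
  for line in string.gmatch(body, "[^\r\n]+") do
    lines[#lines + 1] = line
  end
  return lines
end

action = function(host, port)
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
  local maxlines = tonumber(stdnse.get_script_args(SCRIPT_NAME .. ".maxlines")) or 5

  -- Canary header (name made up for this example): if its value comes back
  -- in the body, the server echoes arbitrary request headers verbatim.
  local canary = "X-Trace-Canary"
  local token = string.format("nse-%08x", math.random(0, 0xffffffff))

  -- Let the http library build and send the request and parse the reply.
  local response = http.generic_request(host, port, "TRACE", path,
    { header = { [canary] = token } })
  if not response or not response.status or not response.body then
    return nil
  end

  -- A server with TRACE enabled answers 200 and echoes the request line;
  -- 405/501/403 or a non-echoing body means TRACE is not supported.
  if response.status ~= 200 or not string.match(response.body, "^TRACE ") then
    return nil
  end

  -- Report support first so that it is never hidden behind the
  -- "response differs" detail.
  local output = { "TRACE is supported." }
  local echoed = split_lines(response.body)

  if string.find(response.body, token, 1, true) then
    output[#output + 1] = "Request headers are echoed back (Cross Site Tracing)."
  end

  local shown = math.min(#echoed, maxlines)
  output[#output + 1] = string.format("Echoed request (first %d lines):", shown)
  for i = 1, shown do
    output[#output + 1] = "  " .. echoed[i]
  end

  -- Headers a browser attaches automatically are the XST payoff; call
  -- them out if a proxy or the server itself inserted them.
  for _, line in ipairs(echoed) do
    local name = string.lower(string.match(line, "^([^:]+):") or "")
    if name == "cookie" or name == "authorization" then
      output[#output + 1] = "Sensitive header echoed: " .. line
    end
  end

  return stdnse.format_output(true, output)
end
```

Save it as, for example, http-trace-check.nse and run `nmap -p 80 --script ./http-trace-check.nse 192.168.0.66`; `--script-args http-trace-check.path=/app,http-trace-check.maxlines=10` changes the path and the number of echoed lines shown. The canary is only a convenience for spotting verbatim echo: as the thread notes, a 200 to TRACE is already enough to report, since whatever the server does to a scripted header, the Cookie line a victim's browser sends would still come back.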
