Nmap Development mailing list archives
Re: New script for nmap that test XST vulnerability
From: David Fifield <david () bamsoftware com>
Date: Sun, 8 Aug 2010 20:32:44 -0600
On Fri, Jul 09, 2010 at 11:46:23AM +0200, Wagiro wrote:
> I wrote a new script for nmap. This script tests for the Cross Site
> Tracing vulnerability. Nmap has two scripts that test the TRACE method,
> "http-methods" and "http-trace", but neither tests for the XST
> vulnerability. http-methods only tests with an OPTIONS request, but if
> OPTIONS requests are disabled and TRACE requests are enabled, that script
> doesn't detect the TRACE method. The second script, "http-trace", "Sends
> an HTTP TRACE request and shows header fields that were modified in the
> response", but doesn't test for the XST vulnerability.
>
> Here is an example of the execution of the script:
>
> #nmap --script=http-xst.nse 192.168.1.0/24
>
> Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-08 09:28 CEST
> NSE: Script scanning 192.168.0.66.
> NSE: Starting runlevel 1 (of 1) scan.
> NSE: Script Scanning completed.
> Nmap scan report for 192.168.0.66
> Host is up (0.000014s latency).
> Not shown: 997 closed ports
> PORT   STATE SERVICE
> 80/tcp open  http
> | http-xst: This Server it's vulnerable to Cross Site Tracing.
> | Request:
> | TRACE / HTTP/1.0
> | Via: <script>alert('XSS')</script>
> |
> | Response:
> | HTTP/1.1 200 OK
> | Date: Thu, 08 Jul 2010 07:28:34 GMT
> | Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-bt0 with Suhosin-Patch
> | Connection: close
> | Content-Type: message/http
> |
> | TRACE / HTTP/1.0
> | Via: <script>alert('XSS')</script>
> |_
>
> Nmap done: 256 IP addresses (2 hosts up) scanned in 6.29 seconds
Thank you for making this submission, and for doing such a nice job with the documentation.
> local request = "TRACE / HTTP/1.0\r\nVia: <script>alert('XSS')</script>\r\n\r\n"

> if not response:match("HTTP/1.[01] 200") or not response:match("TRACE / HTTP/1.0") then
>     return
> end
The first thing I suggest is that you should use the http library instead
of crafting requests and parsing HTTP.

http://nmap.org/nsedoc/lib/http.html

About the request, what is the purpose of <script>alert('XSS')</script>? I
may not understand correctly, but it seems to me that JavaScript injection
is not the danger of XST. Is the browser supposed to HTML-escape it or
something? These documents,

http://www.kb.cert.org/vuls/id/867593
http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)

suggest that the main danger is cookie stealing, and as prevention only say
to disable TRACE completely. Even if the server did something to the
JavaScript, the threat of stealing secret information would remain.

I am asking whether this script has any advantage over http-methods,

http://nmap.org/nsedoc/scripts/http-methods

This script already notifies if TRACE is supported, which is enough,
because the specific contents of the TRACE response are not as important.
Your script directly tests whether TRACE is supported, which would find it
in case OPTIONS claims not to support it. http-methods would not find it in
this case.

But then we have http-trace.

http://nmap.org/nsedoc/scripts/http-trace

http-trace doesn't report whether TRACE is enabled, only whether header
fields have changed. But perhaps it should always report when it discovers
TRACE, at the beginning of the output. The output would be

80/tcp open  http
|_http-trace: TRACE is supported.

80/tcp open  http
| http-trace: TRACE is supported.
| Response differs from request. First 5 additional lines:
| Cookie: UID=d4287aa38d02f409841b4e0c0050c131...
| Country: us
| Ip_is_advertise_combined: yes
| Ip_conntype-Confidence: -1
|_Ip_line_speed: medium

Will you please submit a patch that does this modification to http-trace?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
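The check discussed in the message above (send TRACE directly instead of trusting OPTIONS, report support first, then list the header lines the server or an intermediary added to the echoed request) written out as a stand-alone Python probe. This is an added example, not code from the thread, from Wagiro's http-xst.nse or from Nmap's http-trace; the marker value, the host addresses and the three sample responses are constructed for illustration, and the probe uses a plain socket rather than the NSE http library because it runs outside Nmap. The Via header carries an inert fixed string: the echo itself is what reveals the information, so no script payload is needed to establish that TRACE is enabled.

```python
"""Stand-alone TRACE / XST probe (added example; not Nmap or thread code)."""
import socket
from typing import List, Tuple

MARKER = "xst-probe"  # assumed, inert marker value; any fixed string works


def build_trace_request(host: str, path: str = "/") -> str:
    """A TRACE request whose every line is known, so the echo can be diffed."""
    return (
        f"TRACE {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Via: {MARKER}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


def analyze_trace_response(request: str, raw_response: str,
                           max_lines: int = 5) -> Tuple[bool, List[str]]:
    """Return (trace_supported, additional_lines).

    TRACE counts as supported when the server answers 200 and either labels
    the body message/http or echoes our request line verbatim.  The second
    element lists lines present in the echoed request that we never sent,
    capped at max_lines, which is where injected Cookie/X-Forwarded-For style
    fields from a proxy show up.
    """
    head, sep, body = raw_response.partition("\r\n\r\n")
    if not sep:
        return False, []
    status_line, *header_lines = head.split("\r\n")
    status = status_line.split(" ")
    if len(status) < 2 or not status[0].startswith("HTTP/1.") or status[1] != "200":
        return False, []
    content_type = ""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            content_type = value.strip().lower()
    sent = [l for l in request.split("\r\n") if l]
    echoed = [l for l in body.split("\r\n") if l]
    supported = "message/http" in content_type or (bool(echoed) and echoed[0] == sent[0])
    if not supported:
        return False, []
    known = set(sent)
    additional = [l for l in echoed if l not in known]
    return True, additional[:max_lines]


def format_report(supported: bool, additional: List[str], max_lines: int = 5) -> List[str]:
    """Report lines in the shape proposed for http-trace: support first, diff after."""
    if not supported:
        return []
    out = ["TRACE is supported."]
    if additional:
        out.append(f"Response differs from request. First {max_lines} additional lines:")
        out.extend(additional)
    return out


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0):
    """Send the TRACE request over a plain socket and analyze the reply."""
    request = build_trace_request(host, path)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return analyze_trace_response(request, b"".join(chunks).decode("latin-1"))


# Constructed samples (not captured traffic): a clean Apache-style echo, the
# same echo with fields an intermediary inserted, and a server that rejects TRACE.
SAMPLE_REQUEST = build_trace_request("192.0.2.10")
SAMPLE_PLAIN_ECHO = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.2.9\r\nConnection: close\r\n"
    "Content-Type: message/http\r\n\r\n" + SAMPLE_REQUEST
)
SAMPLE_PROXY_ECHO = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.0\r\nHost: 192.0.2.10\r\nVia: xst-probe\r\nConnection: close\r\n"
    "Cookie: UID=constructed-value\r\nCountry: us\r\nX-Forwarded-For: 10.0.0.5\r\n\r\n"
)
SAMPLE_REJECTED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN_ECHO, SAMPLE_PROXY_ECHO, SAMPLE_REJECTED):
        print("\n".join(format_report(*analyze_trace_response(SAMPLE_REQUEST, sample))) or "TRACE not supported.")
```

Against a live target, `probe("192.0.2.10")` returns the same tuple that `analyze_trace_response` produces for the samples; the 405 sample shows why a direct TRACE is the reliable test, since that decision is made on the TRACE reply itself rather than on what an OPTIONS response claimed.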
Current thread:
- New script for nmap that test XST vulnerability Wagiro (Jul 09)
- Re: New script for nmap that test XST vulnerability Rob Nicholls (Jul 09)
- Re: New script for nmap that test XST vulnerability Wagiro (Jul 09)
- Re: New script for nmap that test XST vulnerability David Fifield (Aug 08)
- Re: New script for nmap that test XST vulnerability Rob Nicholls (Jul 09)