Nmap Development mailing list archives

[GSoC] Candidate on NSE Script Development and my first scripts


From: George Chatzisofroniou <sophron () latthi com>
Date: Sun, 28 Apr 2013 18:57:43 +0300

Hello Nmap Developers, 

My name is George Chatzisofroniou and I'm 21 years old. I
am an undergraduate student in the department of computer
science at the University of Piraeus (Greece), where I have
also worked as a system administrator for the last two years.

I'm very interested in joining the Nmap development team,
starting with GSoC 2013. This is actually the second time I'm
participating in GSoC. Last year I developed a metrics
module for GNU/Mailman. This year I hope to join a
community that focuses on infosec, which is my primary area of
interest. Nmap is one of my favorite tools; it seems to
have a good basic architecture while the details are still
evolving, and of course a great community -- a perfect
choice for GSoC.

While reading through the ideas in the wiki, the "Web
Scanning Specialist" looks very interesting.

To get my hands dirty early, I started hacking on NSE and I
developed my first two scripts:

* http-fileupload-exploiter [1]. This idea is mentioned on
the wiki. In total, this script performs 45 upload
requests to progressively exploit the file upload mechanism.

* http-comments-displayer [2]. This script extracts and
outputs HTML/JS comments from HTTP responses.

Now, I noticed that the "high-priority" section on NSE
script ideas contains 3 interesting HTTP scripts:

* XML and HTML parsing. I think we could analyze the XML
file into nested tables using patterns. I've seen some
implementations, like this one [3], that look interesting.
I'm wondering if it makes sense to build this library in
C++ for efficiency or just stick to Lua for consistency.

* http-mirror. As mentioned, to make this possible we need
a wrapper to perform the system call and create the
directory for the mirrored site.

* http-nikto-fingerprints. Nikto's database is in CSV
format, so we could use some ready implementations like
this one for its parsing [4].

Some more ideas:

* http-csrf. This will try to generate a CSRF PoC, but I'm
not sure if there is a simple way to test the effectiveness
of the generated PoC.

* http-referer-checker. This will inform about cross-domain
includes of scripts. This could work either by checking the
Accept header */* where the target domain differs from the referer
domain, or simply by checking all links in the HTTP response.

* http-session-analyzer. This will test the randomness of
session tokens. We could implement FIPS 140-2 the same way 
Burp Sequencer does or find a wrapper that performs tests 
on random values.

* http-brute-phpsessid. This will perform a session
hijacking by brute forcing the PHP session ID in
applications that use the native PHP Session mechanism [5].

* Right now http-sql-injection uses the most basic form of
SQL injection. I think we need to perform more advanced
techniques like blind injections or stacked queries
probably in standalone scripts.

* There is only one XSS script right now
(http-phpself-xss). We need some scripts to perform
different kinds of XSS, like stored, reflected or DOM-based.

That's all for now.

I would appreciate any comments,

[1]: https://github.com/sophron/nmap-nse-scripts/blob/master/scripts/http-fileupload-exploiter.nse
[2]: https://github.com/sophron/nmap-nse-scripts/blob/master/scripts/http-comments-displayer.nse
[3]: https://github.com/Cluain/Lua-Simple-XML-Parser
[4]: http://lua-users.org/lists/lua-l/2009-08/msg00012.html
[5]: http://berlin.ccc.de/~andreas/php-entropy-advisory.txt

-- 
George Chatzisofroniou
http://sophron.latthi.com
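The "check all links in the HTTP response" variant of the http-referer-checker idea above, as an added example that is not part of the original post or of the Nmap project. It is plain Lua 5.x with no NSE dependencies so it can be run as-is; inside an NSE script the body would come from the response returned by http.get() and the target name from the host table. The HTML page and the host names in it are constructed for the example.

```lua
-- Added example (not from the original post or Nmap): list <script src=...>
-- includes whose host differs from the scanned host. Pure Lua 5.x.

-- Collect the src attribute of every <script ...> opening tag.
local function script_sources(body)
  local srcs = {}
  for tag in body:gmatch("<%s*[sS][cC][rR][iI][pP][tT]%s([^>]*)>") do
    local src = tag:match("[sS][rR][cC]%s*=%s*[\"']([^\"']+)[\"']")   -- quoted value
             or tag:match("[sS][rR][cC]%s*=%s*([^%s>]+)")            -- bare value
    if src then srcs[#srcs + 1] = src end
  end
  return srcs
end

-- Host part (lowercased) of an absolute "scheme://host..." or a
-- protocol-relative "//host..." URL; nil for relative paths.
local function url_host(url)
  local host = url:match("^%a[%w+.-]*://([^/:?#]+)") or url:match("^//([^/:?#]+)")
  return host and host:lower() or nil
end

-- Return the distinct external hosts that serve scripts for this page.
local function cross_domain_scripts(body, target_host)
  target_host = target_host:lower()
  local seen, external = {}, {}
  for _, src in ipairs(script_sources(body)) do
    local host = url_host(src)
    if host and host ~= target_host and not seen[host] then
      seen[host] = true
      external[#external + 1] = { host = host, src = src }
    end
  end
  return external
end

-- Constructed sample page (all host names are made up for the example).
local sample = [[
<html><head>
<script src="/static/app.js"></script>
<SCRIPT SRC="https://cdn.example.net/lib.js"></SCRIPT>
<script type="text/javascript" src='//analytics.example.org/t.js'></script>
<script src="https://www.target.test:8443/own.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>
]]

for _, hit in ipairs(cross_domain_scripts(sample, "www.target.test")) do
  print(hit.host .. "  <-  " .. hit.src)
end
```

On the sample the relative include, the inline script and the same-host include on a different port are skipped, and only cdn.example.net and analytics.example.org are reported. Lua patterns are used deliberately instead of a full HTML parser, which matches the post's suggestion of pattern-based parsing; the cost is that src attributes split across an unusual amount of whitespace or built by JavaScript at runtime are not seen.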
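For the http-session-analyzer idea above, an added example (not from the original post or from Nmap) of the simplest useful randomness check: the Shannon entropy of each character position across a batch of session tokens, which exposes positions that are fixed or that only count upwards. It is plain Lua 5.x; the tokens are generated in the script from a fixed prefix, a decimal counter and a small LCG, purely as a constructed stand-in for tokens collected from a real login form.

```lua
-- Added example (not from the original post or Nmap): per-position Shannon
-- entropy of a batch of session tokens. Pure Lua 5.x.

-- Entropy in bits of the character distribution at each position.
-- Tokens of unequal length are compared up to the shortest one.
local function position_entropy(tokens)
  assert(#tokens > 0, "need at least one token")
  local len = #tokens[1]
  for _, t in ipairs(tokens) do if #t < len then len = #t end end
  local result = {}
  for pos = 1, len do
    local counts = {}
    for _, t in ipairs(tokens) do
      local c = t:sub(pos, pos)
      counts[c] = (counts[c] or 0) + 1
    end
    local h = 0
    for _, n in pairs(counts) do
      local p = n / #tokens
      h = h - p * math.log(p) / math.log(2)   -- log2 without relying on a base argument
    end
    result[pos] = h
  end
  return result
end

-- Classify positions as constant (0 bits) or weak (below a fraction of the
-- measurable maximum). With N samples no position can show more than
-- log2(N) bits, so the threshold is relative to that bound, not absolute.
local function weak_positions(tokens, fraction)
  local bound = math.log(#tokens) / math.log(2)
  local constant, weak = {}, {}
  for pos, h in ipairs(position_entropy(tokens)) do
    if h == 0 then
      constant[#constant + 1] = pos
    elseif h < fraction * bound then
      weak[#weak + 1] = pos
    end
  end
  return constant, weak, bound
end

-- Constructed sample tokens: fixed prefix, zero-padded decimal counter and
-- eight hex digits from a toy LCG standing in for the application's PRNG.
local function make_tokens(n)
  local tokens, state = {}, 12345
  for i = 1, n do
    local hex = ""
    for _ = 1, 8 do
      state = (state * 1103515245 + 12345) % 2147483648
      hex = hex .. string.format("%x", math.floor(state / 65536) % 16)
    end
    tokens[i] = string.format("sess%04d%s", i, hex)
  end
  return tokens
end

local tokens = make_tokens(64)
local constant, weak, bound = weak_positions(tokens, 0.5)
print(string.format("%d tokens, measurable maximum %.2f bits/position", #tokens, bound))
print("constant positions: " .. table.concat(constant, ","))
print("weak positions:     " .. table.concat(weak, ","))
```

On the constructed batch the "sess" prefix and the leading zeros of the counter come out as constant positions and the slowly changing tens digit as weak, while the LCG-derived hex positions pass this check. That last point is the caveat a per-position test carries: it cannot see that the hex digits are a deterministic function of the previous token, so it belongs alongside sequence-oriented checks, and a few dozen tokens only bound what can be measured; a few hundred are needed before a low value means much.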

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
