
Nmap Development mailing list archives
nse script for Apache HTTP Server 413 Error Page XSS
From: jah <jah () zadkiel plus com>
Date: Tue, 04 Dec 2007 15:59:07 +0000
As a learning exercise, I thought I'd fire up BackTrack and have a play with scapy.py, to see if I could find any Apache servers vulnerable to the Apache HTTP Server 413 Error Page XSS issue disclosed at http://www.procheckup.com/Vulnerability_PR07-37.php

This was my first foray into Python land and I found it hard going and abandoned the idea when I thought "This would be much easier with nmap". So I wrote the attached script. Well, maybe 'wrote' is overstating it; I cobbled it together from Diman's HTTPVersion and HTMLTitle scripts and a little learning from the NSE API docs.

I only submit it here as a request, if anyone pleases (at their leisure), for comments on its well-formedness and perceived usefulness, as it's my first attempt at an NSE script. I'm particularly interested in any envisaged problems with the script, and I'd also like to know whether it is best practice to only produce output if we get a positive result.
The script sends a crafted HTTP request:

<badchars> / HTTP/1.1
Host: target-domain:port
Connection: close
Content-length: -1
[LF][LF]

and a vulnerable server will respond without escaping <badchars>:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/index.html<br />
does not allow request data with <badchars> requests, or the amount of
data provided in the request exceeds the capacity limit.
<hr>
<address>Apache/2.2.2 (Fedora) Server at <snip> Port 80</address>
</body></html>

I'm amazed at how many vulnerable servers there are out there. I've run the following scan many times to get a feel for the different responses:

nmap -iR 500 -p80 -sV -sS --script showHTTP413XSS.nse --log-errors --script-trace

and about 30% of Apache web servers that are publicly serving are vulnerable, which cannot be good. As I understand it, the possible exploits will likely make use of Flash ActionScript (v6 & 7), which can send HTTP requests via the web browser.
jah
description = [[
Tests for XSS on Apache HTTP Server 413 error pages via a malformed HTTP method,
exploitable by forging HTTP request headers using Flash ActionScript.
See http://www.procheckup.com/Vulnerability_PR07-37.php for details.

Usage:
Requires version detection to identify Apache web servers.
Example: nmap <target> -p80 -sV --script showHTTP413XSS
]]

id = "HTTP 413 XSS"
author = "jah <jah at zadkiel.plus.com>"
license = "See nmap's COPYING for licence"
categories = {"vulnerability"}
runlevel = 1.0

-- Run only against open TCP HTTP ports that version detection (-sV)
-- has identified as Apache; without -sV port.version.product is nil.
portrule = function(host, port)
  return (port.number == 80 or port.service == "http")
    and port.protocol == "tcp"
    and port.state == "open"
    and port.version.product ~= nil
    and string.match(port.version.product, "Apache") ~= nil
end

action = function(host, port)
  -- Malformed request: an HTML tag as the method plus a negative
  -- Content-length pushes Apache onto its 413 error page, which echoes
  -- the method back into the HTML.
  local query = "<badchars> / HTTP/1.1\r\n"
  query = query .. "Host: " .. host.ip .. ":" .. port.number .. "\r\n"
  query = query .. "Connection: close\r\n"
  query = query .. "Content-length: -1\r\n\r\n\r\n"

  local socket = nmap.new_socket()
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)

  try(socket:connect(host.ip, port.number))
  try(socket:send(query))

  -- Read until the server closes the connection (we asked for Connection: close).
  local response = ""
  while true do
    local status, lines = socket:receive_lines(1)
    if not status then break end
    response = response .. lines
  end
  socket:close()

  -- A vulnerable server reflects the bogus method unescaped in the error page.
  if string.match(response, "<badchars>") then
    return "The server is VULNERABLE to XSS by way of spoofed HTTP METHOD"
  end
  -- result = "The server is NOT vulnerable to XSS by way of spoofed HTTP METHOD"
  return nil
end
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
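The probe and the check from the post, as an added Python example (this is not the NSE script above, nor Apache or Nmap project code). It builds the same malformed request and classifies a raw response, but is stricter than the script's bare substring match: the reply must be a 413 and the tag must appear unescaped in the body. The sample replies are constructed from the 413 page quoted in the post (the server name www.example.com is made up); the "escaped" sample assumes that a server with the bug fixed HTML-encodes the method as `&lt;...&gt;`, which is an assumption about fixed behaviour, not something the post shows. probe() is the live version and is not exercised offline.

```python
import html
import re
import socket

# Bogus HTTP method. A unique tag (rather than the script's "<badchars>") so
# that a match cannot come from ordinary text already on the error page.
MARKER = "<xss_probe_413>"


def build_probe(host, port, marker=MARKER):
    """The malformed request from the post: the tag as the method and a
    negative Content-length, which sends Apache to its 413 error page."""
    return (
        f"{marker} / HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Connection: close\r\n"
        "Content-length: -1\r\n"
        "\r\n\r\n"
    ).encode("ascii")


def classify_response(raw, marker=MARKER):
    """Classify a raw HTTP response to the probe.

    'vulnerable'     413 page reflects the tag unescaped (the bug in the post)
    'escaped'        413 page reflects it HTML-encoded (assumed fixed behaviour)
    'not-reflected'  413 page that does not echo the method at all
    'not-413'        another status code: the 413 page was never reached
    'malformed'      not an HTTP response
    """
    text = raw.decode("latin-1")          # never fails; headers are ASCII anyway
    status = re.match(r"HTTP/\d\.\d (\d{3})\b", text)
    if status is None:
        return "malformed"
    if status.group(1) != "413":
        return "not-413"
    _head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return "malformed"
    if marker in body:                    # raw tag in HTML: script-injectable
        return "vulnerable"
    if html.escape(marker, quote=False) in body:
        return "escaped"
    return "not-reflected"


def _apache_413_reply(reflected_method):
    """Constructed sample modelled on the 413 page quoted in the post."""
    body = (
        '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
        "<html><head>\n<title>413 Request Entity Too Large</title>\n"
        "</head><body>\n<h1>Request Entity Too Large</h1>\n"
        "The requested resource<br />/index.html<br />\n"
        f"does not allow request data with {reflected_method} requests, or the amount of\n"
        "data provided in the request exceeds the capacity limit.\n"
        "<hr>\n<address>Apache/2.2.2 (Fedora) Server at www.example.com Port 80</address>\n"
        "</body></html>\n"
    )
    head = (
        "HTTP/1.1 413 Request Entity Too Large\r\n"
        "Server: Apache/2.2.2 (Fedora)\r\n"
        "Connection: close\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n"
        "\r\n"
    )
    return (head + body).encode("latin-1")


VULNERABLE_REPLY = _apache_413_reply(MARKER)                         # echoed raw
ESCAPED_REPLY = _apache_413_reply(html.escape(MARKER, quote=False))  # &lt;...&gt;
OTHER_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"


def probe(host, port=80, timeout=5.0):
    """Live check: send the probe and classify the reply (network, not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host, port))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:                  # Connection: close, so EOF ends the reply
                break
            chunks.append(data)
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    for name, reply in (("vulnerable", VULNERABLE_REPLY),
                        ("escaped", ESCAPED_REPLY),
                        ("other", OTHER_REPLY)):
        print(f"{name}: {classify_response(reply)}")
```

Requiring the 413 status before looking for the tag is what keeps the check honest: a server that echoes the raw request line in some other error page, or a proxy that answers for it, is a different finding and should not be reported as this one.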