Nmap Development mailing list archives
Re: [NSE] New script http-unsafe-output-encoding
From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 15 Dec 2011 10:30:19 +0100
On Thu, Dec 15, 2011 at 8:40 AM, Martin Holst Swende <martin () swende se> wrote:

> On 12/15/2011 07:20 AM, Patrik Karlsson wrote:
>
>> On Sun, Dec 11, 2011 at 9:56 PM, Martin Holst Swende <martin () swende se> wrote:
>>
>>> On 12/11/2011 08:52 PM, Patrik Karlsson wrote:
>>>
>>>> Hi list, I just committed a new script called http-grep. It does pretty much what the name suggests and enables you to search for patterns within spidered web pages. I've included a few example usages and their responses, but the script can obviously be used for a lot more:
>>>
>>> You're on fire! I also threw together a script, based on an old tool I wrote a long time ago and which serves me very well (https://bitbucket.org/holiman/jinx). I basically ported it to nmap using the new spider. What it does is:
>>>
>>> - Checks if a spidered page contained parameters (x=foobar&y=gazonk&z=funzip)
>>> - If so, checks if any of these were reflected on the page (e.g. "foobar" and "funzip" were found)
>>> - If N reflections were found, creates N new URLs:
>>>   -- x=foobar<payload>&y=gazonk&z=funzip
>>>   -- x=foobar&y=gazonk&z=funzip<payload>
>>>   -- The payload is this: ghz>hzx"zxc'xcv
>>> - For each of these N new links, it fetches the content. In the content, it checks if any of the "dangerous" characters were reflected without proper html-encoding. If any such things are found, chances are high this page is vulnerable to reflected XSS.
>>>
>>> Regards,
>>> Martin
>>
>> Thanks for the contribution Martin! I've renamed the script to http-unsafe-output-escaping and made some minor cleanup. It's committed as r27488.
>>
>> Cheers,
>> Patrik
>
> Nice! If we ever implement an html parser (and I mean a proper lexer-based parser, not a regexp based "parser", see http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454 :) ), this script can be improved upon quite a bit. The imho best way to do this is to
>
> 1) Check where the reflected content is (what context). Common cases:
>    1.1 <tag>$content</tag>
>    1.2 <tag attr="$content" ..
>    1.3 <tag attr='$content' ...
>    1.4 <tag attr=$content ...
>    1.5 other or unknown because of invalid html
>
> 2) Depending on where the reflection(s) occurred, check only the characters required to break out of context (and potentially execute scripts):
>    1.1 < >
>    1.2 "
>    1.3 '
>    1.4 whitespace
>    1.5 <>'"
>
> Patrick Donnelly was interested in adding Lua LPeg a while back, perhaps we can find and import some good html parser implementation based on LPeg? If we have that, I think it could be useful for a lot of other scripts and also the spider, which could use it to tackle non-trivial link parsing such as the <base> tag and parsing forms.
>
> Regards,
> Martin
A good parser would certainly make things a lot easier. LPeg has been discussed a few times and I'm not sure where we're currently at with that. In regards to the base tag, there's already support for that in the spider.

Cheers,
Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
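Martin's reflection check and the context-aware refinement he proposes above, as an added worked example; this is not the http-unsafe-output-escaping script or any other nmap code. It is written in Python rather than NSE Lua so it runs stand-alone. `fake_app` is a constructed stand-in for the target with four sinks that escape differently, the URL and parameter names are made up, and the probe string is Martin's original with `<` and a space-separated token appended so that contexts 1.1 and 1.4 can be observed. The context detection is a deliberate heuristic (scan back to the last `<` and track quoting state), which is exactly the part a proper lexer-based parser would replace.

```python
"""Context-aware reflected-output check (added illustration, not the NSE script)."""
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Martin's probe, extended here with '<' and a space-separated token so the
# body (1.1) and unquoted-attribute (1.4) contexts can be observed as well.
PAYLOAD = 'ghz>hzx"zxc\'xcv<bnm qwe'
MARK = PAYLOAD[:3]  # letters that locate a reflection even when the rest is encoded

# HTML encodings accepted as "properly escaped" for each character of interest.
ENCODINGS = {
    '<': ('&lt;', '&#60;', '&#x3c;', '&#x3C;'),
    '>': ('&gt;', '&#62;', '&#x3e;', '&#x3E;'),
    '"': ('&quot;', '&#34;', '&#x22;'),
    "'": ('&#39;', '&#x27;', '&apos;'),
    ' ': ('&#32;', '&nbsp;', '+', '%20'),
}

# Raw characters needed to leave each context (Martin's table from the thread;
# note that '>' also terminates an unquoted attribute, it is just not listed there).
BREAKOUT = {
    'body': '<>',           # 1.1 <tag>$content</tag>
    'attr_dq': '"',         # 1.2 <tag attr="$content"
    'attr_sq': "'",         # 1.3 <tag attr='$content'
    'attr_unquoted': ' ',   # 1.4 <tag attr=$content
    'unknown': '<>\'"',     # 1.5 comments, scripts, broken markup: assume the worst
}


def classify_context(doc, pos):
    """Heuristic context of the text starting at doc[pos]; a real lexer would replace this."""
    lt = doc.rfind('<', 0, pos)
    if lt == -1 or doc.find('>', lt, pos) != -1:
        return 'body'  # the last tag was already closed, so we are between tags
    state = 'tag'
    for ch in doc[lt:pos]:
        if state == 'tag':
            state = {'"': 'dq', "'": 'sq', '=': 'eq'}.get(ch, 'tag')
        elif state == 'eq':  # just saw attr=, the next char decides the quoting style
            if ch == '"':
                state = 'dq'
            elif ch == "'":
                state = 'sq'
            elif ch.isspace():
                state = 'tag'
            else:
                state = 'unquoted'
        elif state == 'dq':
            state = 'tag' if ch == '"' else 'dq'
        elif state == 'sq':
            state = 'tag' if ch == "'" else 'sq'
        elif state == 'unquoted':
            state = 'tag' if ch.isspace() else 'unquoted'
    return {'dq': 'attr_dq', 'sq': 'attr_sq', 'eq': 'attr_unquoted',
            'unquoted': 'attr_unquoted'}.get(state, 'unknown')


def walk_reflection(doc, pos, payload=PAYLOAD):
    """Walk the payload against doc[pos:]; returns {char: 'raw' | 'encoded' | 'altered'}."""
    seen, i = {}, pos
    for ch in payload:
        if doc.startswith(ch, i):          # came back verbatim
            if ch in ENCODINGS:
                seen[ch] = 'raw'
            i += 1
            continue
        enc = next((e for e in ENCODINGS.get(ch, ()) if doc.startswith(e, i)), None)
        if enc is None:                    # filtered, truncated or rewritten: stop here
            if ch in ENCODINGS:
                seen[ch] = 'altered'
            break
        seen[ch] = 'encoded'
        i += len(enc)
    return seen


def scan_url(url, fetch):
    """The script's steps: find reflected parameters, probe each, judge per context."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    baseline = fetch(url)
    report = []
    for idx, (name, value) in enumerate(params):
        if not value or value not in baseline:
            continue                       # value not reflected, nothing to probe
        probed = list(params)
        probed[idx] = (name, value + PAYLOAD)
        doc = fetch(urlunsplit(parts._replace(query=urlencode(probed))))
        pos = doc.find(MARK)
        while pos != -1:                   # one verdict per place the probe came back
            ctx = classify_context(doc, pos)
            seen = walk_reflection(doc, pos)
            report.append({
                'param': name,
                'context': ctx,
                'raw': sorted(c for c, how in seen.items() if how == 'raw'),
                'breakout': [c for c in BREAKOUT[ctx] if seen.get(c) == 'raw'],
            })
            pos = doc.find(MARK, pos + len(MARK))
    return report


def fake_app(url):
    """Constructed stand-in for the target: four sinks, each escaping differently."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    term, page, sort = q.get('q', ''), q.get('page', ''), q.get('sort', '')
    return (
        '<html><body>'
        f'<form><input name="q" value="{term}"></form>'         # raw into a quoted attribute
        f'<p>Results for {html.escape(term, quote=False)}</p>'   # body: <> escaped, quotes not
        f'<a href="?page={html.escape(page)}">next</a>'          # attribute, fully escaped
        f'<div class={sort}>sorted</div>'                        # raw into an unquoted attribute
        '</body></html>'
    )


URL = 'http://target.example/search?q=foobar&page=2&sort=asc'  # made-up target

if __name__ == '__main__':
    for r in scan_url(URL, fake_app):
        verdict = 'VULNERABLE' if r['breakout'] else 'clean'
        print(f"{r['param']!r:8} {r['context']:14} raw={r['raw']} -> {verdict}")
```

The `<p>` sink is the interesting one: `"` and `'` come back unescaped there, so the character-list check in the original script would flag it, while the context-aware judgement reports it clean because only `<` and `>` matter between tags; the `<input value="...">` sink, where only `"` matters, is still caught. One caveat the example makes visible: the reflection test is a plain substring match on the baseline, so a one-character value like `page=2` matches almost any page and gets probed whether or not it is really reflected.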
Current thread:
- [NSE] New script http-grep Patrik Karlsson (Dec 11)
- [NSE] New script http-unsafe-output-encoding Martin Holst Swende (Dec 11)
- Re: [NSE] New script http-unsafe-output-encoding Patrik Karlsson (Dec 14)
- Re: [NSE] New script http-unsafe-output-encoding Martin Holst Swende (Dec 14)
- Re: [NSE] New script http-unsafe-output-encoding Patrik Karlsson (Dec 15)
- Re: [NSE] New script http-unsafe-output-encoding Patrik Karlsson (Dec 14)