Nmap Development mailing list archives
Re: [GSoC] Candidate on NSE Script Development and my first scripts
From: David Fifield <david () bamsoftware com>
Date: Tue, 30 Apr 2013 00:52:21 -0700
On Sun, Apr 28, 2013 at 06:57:43PM +0300, George Chatzisofroniou wrote:
My name is George Chatzisofroniou and I'm 21 years old. I am an undergraduate student in the department of computer science at the University of Piraeus (Greece), where I have also worked as a system administrator for the last two years. I'm very interested in joining the Nmap development team, starting with GSoC 2013. This is actually the second time I'm participating in GSoC. Last year I developed a metrics module for GNU/Mailman. This year I hope to join a community that focuses on infosec, which is my primary area of interest. Nmap is one of my favorite tools; it seems to have a good basic architecture while the details are still evolving, and of course a great community -- a perfect choice for GSoC. While reading through the ideas in the wiki, the "Web Scanning Specialist" looks very interesting. To get my hands dirty early, I started hacking on NSE and I developed my first two scripts:

* http-fileupload-exploiter [1]. This idea is mentioned on the wiki. In total, this script performs 45 upload requests to progressively exploit the fileupload mechanism.

* http-comments-displayer [2]. This script extracts and outputs HTML/JS comments from HTTP responses.
Thank you, these scripts look nice. Were you able to test http-fileupload-exploiter against any real software? If so, what was it and what were the results?
Now, I noticed that the "high-priority" section on NSE script ideas contains 3 interesting HTTP scripts:

* XML and HTML parsing. I think we could analyze the XML file into nested tables using patterns. I've seen some implementations, like this one [3], that look interesting. I'm wondering if it makes sense to build this library in C++ for efficiency or just stick to Lua for consistency.
I would prefer a library that uses an event- or pull-driven model over one that parses an entire document at once and gives you nested tables. Please see http://seclists.org/nmap-dev/2011/q3/25 and http://seclists.org/nmap-dev/2011/q2/1281 for a previous prototype. I want to avoid with the XML parser the bug we have with the http library: you have to buffer a huge document in memory in order to do anything with it.
* http-mirror. As mentioned, to make this possible we need a wrapper to perform the system call and create the directory for the mirrored site.

* http-nikto-fingerprints. Nikto's database is in CSV format, so we could use some ready implementations like this one for its parsing [4].

Some more ideas:

* http-csrf. This will try to generate a CSRF PoC, but I'm not sure if there is a simple way to test the effectiveness of the generated PoC.

* http-referer-checker. This will inform about cross-domain inclusion of scripts. This could work either by checking the Accept header */* where the target domain differs from the referer domain, or simply by checking all links in the HTTP response.

* http-session-analyzer. This will test the randomness of session tokens. We could implement FIPS 140-2 the same way Burp Sequencer does, or find a wrapper that performs tests on random values.

* http-brute-phpsessid. This will perform a session hijacking by brute forcing the PHP session ID in applications that use the native PHP Session mechanism [5].

* Right now http-sql-injection uses the most basic form of SQL injection. I think we need to perform more advanced techniques like blind injections or stacked queries, probably in standalone scripts.

* There is only one XSS script right now (http-phpself-xss). We need some scripts to perform different kinds of XSS, like stored, reflected or DOM-based.
These are good ideas; putting them together should make a strong proposal.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
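To make the pull-driven model David describes concrete, here is an added example (not code from this thread or from Nmap's own libraries): a minimal XML tokenizer in Lua that pulls input chunk by chunk from a hypothetical `read_chunk()` function and emits one event per call, so memory use is bounded by the largest token rather than by the whole document. The sample document and the 7-byte chunking are constructed for the demonstration.

```lua
-- Added example, not from the thread or from Nmap's own libraries: a minimal
-- pull-driven XML tokenizer. Each call pulls just enough bytes from read_chunk()
-- to produce the next event. Toy: elements, attributes and text only (no
-- comments, CDATA, entities, or '>' inside attribute values).
local function xml_pull_parser(read_chunk)
  local buf, eof, pending = "", false, nil
  -- Append chunks to buf until it matches `pattern` or the input is exhausted.
  local function fill_until(pattern)
    while not buf:find(pattern) and not eof do
      local chunk = read_chunk()
      if chunk == nil or chunk == "" then eof = true else buf = buf .. chunk end
    end
  end
  local function next_event()
    if pending then local ev = pending; pending = nil; return ev[1], ev[2] end
    fill_until(".")                       -- need at least one byte
    if buf == "" then return nil end      -- end of document
    if buf:sub(1, 1) == "<" then
      fill_until(">")
      local close = buf:find(">", 1, true)
      if not close then return nil end    -- truncated tag: stop, do not guess
      local tag = buf:sub(2, close - 1)
      buf = buf:sub(close + 1)
      if tag:sub(1, 1) == "/" then return "end", tag:match("^/%s*(%S+)") end
      local selfclose = tag:sub(-1) == "/"
      if selfclose then tag = tag:sub(1, -2) end
      local name, rest = tag:match("^%s*(%S+)(.*)$")
      local attrs = {}
      for k, v in rest:gmatch('([%w:_%-]+)%s*=%s*"([^"]*)"') do attrs[k] = v end
      if selfclose then pending = { "end", name } end  -- emit "end" on next call
      return "start", name, attrs
    end
    fill_until("<")                       -- text runs until the next tag
    local lt = buf:find("<", 1, true)
    local text = lt and buf:sub(1, lt - 1) or buf
    buf = lt and buf:sub(lt) or ""
    if text:find("%S") then return "text", text end
    return next_event()                   -- skip whitespace-only text
  end
  return next_event
end

-- Constructed sample, fed in 7-byte chunks so tags straddle chunk boundaries.
local doc = '<rss><channel><title>Nmap dev</title><link href="http://nmap.org/"/></channel></rss>'
local pos = 1
local function read_chunk()
  if pos > #doc then return nil end
  local chunk = doc:sub(pos, pos + 6); pos = pos + 7; return chunk
end
for kind, name, attrs in xml_pull_parser(read_chunk) do print(kind, name, attrs and attrs.href or "") end
```

The loop prints the start/text/end events in document order while `buf` never holds more than one token plus the partial chunk that follows it.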