Home page logo

nmap-dev logo Nmap Development mailing list archives

nse script for Apache HTTP Server 413 Error Page XSS
From: jah <jah () zadkiel plus com>
Date: Tue, 04 Dec 2007 15:59:07 +0000

As a learning exercise, I thought I'd fire up backtrack and have a play with scapy.py, to see if I could find any apache servers vulnerable to the Apache HTTP Server 413 Error Page XSS issue disclosed on at http://www.procheckup.com/Vulnerability_PR07-37.php This was my first foray into Python land and I found it hard going and abandoned the idea when I thought "This would be much easier with nmap" So I wrote the attached script. Well maybe 'wrote' is overstating it, I cobbled it together from Dimans HTTPVersion and HTMLTitle scripts and a little learning from the nse api docs.

I only submit it here as a request, if anyone pleases (at their leisure), for comments on it's well-formedness and perceived usefulness as it's my first attempt at an nse script. I'm particularly interested in any envisaged problems with the script and I'd also like to know whether it is best-practise to only produce output if we get a positive result.

The script sends a crafted HTTP request:

<badchars> / HTTP/1.1
Host: target-domain:port
Connection: close
Content-length: -1

and a vulnerable server will respond without escaping <badchars>:

<title>413 Request Entity Too Large</title>
<h1>Request Entity Too Large</h1>
The requested resource<br />/index.html<br />
does not allow request data with <badchars> requests, or the amount of data provided in
the request exceeds the capacity limit.
<address>Apache/2.2.2 (Fedora) Server at <snip> Port 80</address>

I'm amazed at how many vulnerable servers there are out there. I've run the following scan many times to see get a feel for the different responses:

nmap -iR 500 -p80 -sV -sS --script showHTTP413XSS.nse --log-errors --script-trace

and about 30% of apache web servers that are publicly serving are vulnerable which cannot be good. As I understand it, the possible exploits will likely make use of Flash actionscript (v6 & 7) which can send HTTP requests via the web browser.


description = "Tests for XSS on Apache HTTP Server 413 error pages via malformed HTTP method\
exploitable by Forging HTTP request headers using Flash Actionscript\
see http://www.procheckup.com/Vulnerability_PR07-37.php for details\
Usage: \
Requires Version Detection to identify Apache webservers\
Example: nmap <target> -p80 -sV --script showHTTP413XSS"

id = "HTTP 413 XSS"

author = "jah <jah at zadkiel.plus.com>"

license = "See nmaps COPYING for licence"

categories = {"vulnerability"}

runlevel = 1.0

portrule = function(host, port)

                (port.number == 80
                or port.service == "http")
                and port.protocol == "tcp" 
                and port.state == "open"
                and port.version.product ~= nil
                and string.match(port.version.product, "Apache")
                return true
                return false

action = function(host, port)

        local query = "<badchars> / HTTP/1.1\r\n"
        query = query .. "Host: " .. host.ip .. ":" .. port.number .. "\r\n"
        query = query .. "Connection: close\r\n"
        query = query .. "Content-length: -1\r\n\r\n\r\n"
        local socket = nmap.new_socket()
        local catch = function()
        local try = nmap.new_try(catch)

        try(socket:connect(host.ip, port.number))

        local response = ""
        local status
        local lines
        local result
        local payload
        while true do
                status, lines = socket:receive_lines(1)

                if not status then

                response = response .. lines

        payload = string.match(response, "<badchars>")
        if payload ~= nil then
                result = "The server is VULNERABLE to XSS by way of spoofed HTTP METHOD"
                -- result = "The server is NOT vulnerable to XSS by way of spoofed HTTP METHOD"
                result = nil
        return result

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
  • nse script for Apache HTTP Server 413 Error Page XSS jah (Dec 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]