Home page logo
/

nmap-dev logo Nmap Development mailing list archives

nse script for Apache HTTP Server 413 Error Page XSS
From: jah <jah () zadkiel plus com>
Date: Tue, 04 Dec 2007 15:59:07 +0000

As a learning exercise, I thought I'd fire up backtrack and have a play with scapy.py, to see if I could find any apache servers vulnerable to the Apache HTTP Server 413 Error Page XSS issue disclosed on at http://www.procheckup.com/Vulnerability_PR07-37.php This was my first foray into Python land and I found it hard going and abandoned the idea when I thought "This would be much easier with nmap" So I wrote the attached script. Well maybe 'wrote' is overstating it, I cobbled it together from Dimans HTTPVersion and HTMLTitle scripts and a little learning from the nse api docs.

I only submit it here as a request, if anyone pleases (at their leisure), for comments on it's well-formedness and perceived usefulness as it's my first attempt at an nse script. I'm particularly interested in any envisaged problems with the script and I'd also like to know whether it is best-practise to only produce output if we get a positive result.

The script sends a crafted HTTP request:

<badchars> / HTTP/1.1
Host: target-domain:port
Connection: close
Content-length: -1
[LF]
[LF]

and a vulnerable server will respond without escaping <badchars>:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/index.html<br />
does not allow request data with <badchars> requests, or the amount of data provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.2.2 (Fedora) Server at <snip> Port 80</address>
</body></html>

I'm amazed at how many vulnerable servers there are out there. I've run the following scan many times to see get a feel for the different responses:

nmap -iR 500 -p80 -sV -sS --script showHTTP413XSS.nse --log-errors --script-trace

and about 30% of apache web servers that are publicly serving are vulnerable which cannot be good. As I understand it, the possible exploits will likely make use of Flash actionscript (v6 & 7) which can send HTTP requests via the web browser.


jah

description = "Tests for XSS on Apache HTTP Server 413 error pages via malformed HTTP method\
exploitable by Forging HTTP request headers using Flash Actionscript\
see http://www.procheckup.com/Vulnerability_PR07-37.php for details\
Usage: \
Requires Version Detection to identify Apache webservers\
Example: nmap <target> -p80 -sV --script showHTTP413XSS"

id = "HTTP 413 XSS"

author = "jah <jah at zadkiel.plus.com>"

license = "See nmaps COPYING for licence"

categories = {"vulnerability"}

runlevel = 1.0

portrule = function(host, port)

        if
                (port.number == 80
                or port.service == "http")
                and port.protocol == "tcp" 
                and port.state == "open"
                and port.version.product ~= nil
                and string.match(port.version.product, "Apache")
        then
                return true
        else
                return false
        end
end


action = function(host, port)

        local query = "<badchars> / HTTP/1.1\r\n"
        query = query .. "Host: " .. host.ip .. ":" .. port.number .. "\r\n"
        query = query .. "Connection: close\r\n"
        query = query .. "Content-length: -1\r\n\r\n\r\n"
        
        local socket = nmap.new_socket()
        local catch = function()
                socket:close()
        end
        local try = nmap.new_try(catch)

        try(socket:connect(host.ip, port.number))
        try(socket:send(query))

        local response = ""
        local status
        local lines
        local result
        local payload
        
        while true do
                status, lines = socket:receive_lines(1)

                if not status then
                        break
                end

                response = response .. lines
        end

        try(socket:close())
        socket:close()
        
        payload = string.match(response, "<badchars>")
                        
        if payload ~= nil then
                result = "The server is VULNERABLE to XSS by way of spoofed HTTP METHOD"
        else
                -- result = "The server is NOT vulnerable to XSS by way of spoofed HTTP METHOD"
                result = nil
        end
        
        return result
end

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
  • nse script for Apache HTTP Server 413 Error Page XSS jah (Dec 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]