Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] New script http-unsafe-output-encoding
From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 15 Dec 2011 07:20:39 +0100

On Sun, Dec 11, 2011 at 9:56 PM, Martin Holst Swende <martin () swende se>wrote:

On 12/11/2011 08:52 PM, Patrik Karlsson wrote:
Hi list,

I just committed a new script called http-grep. It does pretty much what
the name suggests and enables you to search for patterns within spidered
web pages.
I've included a few example usages and their responses, but the script
can
obviously be used for a lot more:
You're on fire!

I also threw together a script, based on an old tool I wrote a long time
ago and which serves me very well (https://bitbucket.org/holiman/jinx)

I basically ported it to nmap using the new spider. What it does is:
- Checks if a spidered page contained parameters
(x=foobar&y=gazonk&z=funzip)
- If so, checks if any of these were reflected on the page ( e.g,
"foobar" and "funzip" was found)
- If N reflections were found, creates N new urls:
   -- x=foobar<payload>&y=gazonk&z=funzip
   -- x=foobar&y=gazonk&z=funzip<payload>
   -- The payload is this : ghz>hzx"zxc'xcv
- For each of these N new links, it fetches the content. In the content,
it checks if any  of the "dangerous" characters were reflected without
proper html-encoding.

If any such things are found, chances are high this page is vulnerable
to reflected XSS.

Regards,
Martin


Thanks for the contribution Martin! I've renamed the script to
http-unsafe-output-escaping and made some minor cleanup.
It's committed as r27488.

Cheers,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault