Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] New script http-unsafe-output-encoding
From: Martin Holst Swende <martin () swende se>
Date: Thu, 15 Dec 2011 08:40:20 +0100

On 12/15/2011 07:20 AM, Patrik Karlsson wrote:


On Sun, Dec 11, 2011 at 9:56 PM, Martin Holst Swende <martin () swende se
<mailto:martin () swende se>> wrote:

    On 12/11/2011 08:52 PM, Patrik Karlsson wrote:
    > Hi list,
    >
    > I just committed a new script called http-grep. It does pretty
    much what
    > the name suggests and enables you to search for patterns within
    spidered
    > web pages.
    > I've included a few example usages and their responses, but the
    script can
    > obviously be used for a lot more:
    You're on fire!

    I also threw together a script, based on an old tool I wrote a
    long time
    ago and which serves me very well (https://bitbucket.org/holiman/jinx)

    I basically ported it to nmap using the new spider. What it does is:
    - Checks if a spidered page contained parameters
    (x=foobar&y=gazonk&z=funzip)
    - If so, checks if any of these were reflected on the page ( e.g,
    "foobar" and "funzip" was found)
    - If N reflections were found, creates N new urls:
       -- x=foobar<payload>&y=gazonk&z=funzip
       -- x=foobar&y=gazonk&z=funzip<payload>
       -- The payload is this : ghz>hzx"zxc'xcv
    - For each of these N new links, it fetches the content. In the
    content,
    it checks if any  of the "dangerous" characters were reflected without
    proper html-encoding.

    If any such things are found, chances are high this page is vulnerable
    to reflected XSS.

    Regards,
    Martin


Thanks for the contribution Martin! I've renamed the script to
http-unsafe-output-escaping and made some minor cleanup.
It's committed as r27488.

Cheers,
Patrik

Nice!

If we ever implement a html parser (and I mean a proper lexer-based
parser, not a regexp based "parser", see
http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454
:) ), this script can be improved upon quite a bit. The imho best way to
do this is to

1) Check where the reflected content is (what context). Common cases:
    1.1 <tag>$content</tag>
    1.2 <tag attr="$content" ..
    1.3 <tag attr='$content' ...
    1.4 <tag attr=$content ...
    1.5 other or unknown because of invalid html

2) Depending on where the reflection(s) occurred, check only the
characters required to break out of context (and potentially execute
scripts):
    1.1  < >
    1.2 "
    1.3 '
    1.4 whitespace
    1.5 <>'"

Patrick Donnely was interested in adding Lua LPeg a while back, perhaps
we can find import some good html parser implementation based on LPeg?
If we have that, I think it could be useful for a lot of other scripts
and also the spider, which could use it to tackle non trivial link
parsing such as the <base> tag and parsing forms.

Regards,
Martin
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]