Home page logo

nmap-dev logo Nmap Development mailing list archives

[NSE] http-stored-xss.nse
From: George Chatzisofroniou <sophron () latthi com>
Date: Sat, 29 Jun 2013 22:15:15 +0300

The attached script will identify any stored XSS vulnerabilities. Stored (or
persistent) XSS occur when the data provided by the attacker is saved by the
server, and then permanently displayed on pages returned to other users in the
course of regular browsing, without proper HTML escaping.

To identify these vulnerabilities, the script will POST specially crafted
strings to every form it encounters and then it will search through the website
for those strings to check if the payloads were succesful.

To make this work i had to do another change in httpspider library. I had to
turn off http caching while crawling. I don't know why there wasn't a parameter
for this before. So, you also need to apply the attached patch to make this work

The script will, by default, crawl the target website two times. First, to find
any forms and POST the malicious strings and a second one to search for the
strings it previously POSTed. You can save some time by passing the single pages
you are interested using the formpaths and uploadpaths arguments.

There is also an option called fieldvalues to bypass form's restrictions by
manually setting its fields.

Finally, there is an option to use your own XSS vectors. Simply, write them in a
file and pass its path to the filedb argument.

The output looks like this:

 80/tcp open  http    syn-ack
 | http-stored-xss: 
 |   Found the following stored XSS vulnerabilities: 
 |      Payload: ghz>hzx
 |    Uploaded on: /guestbook.php
 |    Description: Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.
 |      Payload: zxc'xcv
 |    Uploaded on: /guestbook.php
 |    Description: Unfiltered ' (apostrophe). An indication of potential XSS vulnerability.
 |      Payload: ghz>hzx
 |    Uploaded on: /posts.php
 |    Description: Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.
 |      Payload: hzx"zxc
 |    Uploaded on: /posts.php
 |_   Description: Unfiltered " (double quotation mark). An indication of potential XSS vulnerability.

While this is our third XSS script, there could still be some improvements in
the XSS area of NSE. For example, we still lack of a DOM-based XSS script.
DOM-based XSS is the third category of XSS, after the reflected XSS (which is
covered by unsafe-output-escaping.nse) and stored XSS (which is covered by this
script). Also, it would be great if Nmap holded a database of XSS vectors (we
could borrow XSSer's [1]), so it can output a more descriptive output about the
possible XSS that can be executed in the target. I'm writing these down so we
can have them in mind.

[1]: https://n-1.cc/pages/view/16105/

George Chatzisofroniou

Attachment: added_caching_option_httpspider.diff

Attachment: http-stored-xss.nse

Attachment: signature.asc
Description: Digital signature

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
  • [NSE] http-stored-xss.nse George Chatzisofroniou (Jun 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]