
Nmap Development mailing list archives

Re: [NSE] http-dombased-xss.nse
From: David Fifield <david () bamsoftware com>
Date: Wed, 7 Aug 2013 16:29:56 -0700

On Fri, Jul 26, 2013 at 04:22:02AM +0300, George Chatzisofroniou wrote:
The attached script tries to detect DOM-based XSS by using some patterns.
DOM-based XSS occurs in client-side JavaScript, so this script basically greps
every page for common traces. You can read more about DOM-based XSS here [1].

The script, by default, will crawl the target website. Otherwise, you can limit
the pages to grep with the singlepages option.

Here's an example of usage:

./nmap -p80 -n -Pn --script http-dombased-xss.nse --script-args 'http-dombased-xss.singlepages={/foo}' some-very-random-page.com -d1

The output looks like this:

 PORT   STATE SERVICE REASON
 80/tcp open  http    syn-ack
 | http-dombased-xss: 
 | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=some-very-random-page.com
 |   Found the following indications of potential DOM based XSS: 
 |     
 |     Source: document.write(document.URL.substring(pos,document.URL.length)
 |     Pages: http://some-very-random-page.com:80/, http://some-very-random-page.com/foo.html
 |     
 |     Source: document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")
 |_    Pages: http://some-very-random-page.com/foo.html

Please note that the script may generate some false positives. Don't take
everything in the output as a vulnerability if you don't review it first.

Any comments are welcome,

The script seems pretty clear to me. I think it could use some more
references and a fuller description of what the script is doing in the
description. It looks for places where attacker-controlled information
in the DOM may be used to affect JavaScript execution in certain ways.

This link appears to have some additional patterns to check for:
https://code.google.com/p/domxsswiki/wiki/LocationSources

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
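As an added illustration of the grep-style detection George describes, and of the false-positive caveat and the extra source patterns David points to, here is a small indicator scanner written for Node. It is an example added to this archive page, not the http-dombased-xss.nse script and not Nmap code: the SOURCES and SINKS lists are the usual DOM XSS ones from the literature, the function names are my own, and SAMPLE_PAGE is a constructed page, one of whose statements reproduces the document.write(document.URL.substring(...)) pattern from the posted output.

```javascript
// Added example (not the NSE script, not Nmap code): a grep-style scanner for
// DOM-based XSS indicators. It pulls the <script> bodies out of an HTML page,
// splits them into statements, and reports every statement in which a
// client-side source (URL, hash, referrer, window.name) reaches a dangerous
// sink (document.write, innerHTML, eval, location, ...). Variables assigned
// from a source are tracked so that a two-statement flow is reported too.
// Source and sink lists and the sample page below are constructed here.

// Attacker-influenced inputs readable by page script (the usual DOM XSS sources).
const SOURCES = [
  "document.URL", "document.documentURI", "document.baseURI", "document.referrer",
  "document.location", "location.href", "location.search", "location.hash",
  "location.pathname", "window.name",
];

// Sinks that turn a string into markup, code or a navigation target.
const SINKS = [
  { name: "document.write", re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: "innerHTML", re: /\.(?:inner|outer)HTML\s*=[^=]/ },
  { name: "insertAdjacentHTML", re: /\.insertAdjacentHTML\s*\(/ },
  { name: "eval", re: /\beval\s*\(/ },
  { name: "Function", re: /\bFunction\s*\(/ },
  { name: "timer", re: /\bset(?:Timeout|Interval)\s*\(/ },
  { name: "location assignment", re: /\blocation(?:\.href)?\s*=[^=]/ },
  { name: "location.assign/replace", re: /\blocation\.(?:assign|replace)\s*\(/ },
];

// Return the bodies of all <script>...</script> elements in an HTML document.
function scriptBodies(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Crude statement splitter on semicolons and newlines; good enough for a grep.
function splitStatements(js) {
  return js.split(/[;\n]/).map((s) => s.trim()).filter((s) => s.length > 0);
}

// Scan one page. Returns [{ sink, source, statement }] for every statement
// where a source, or a variable earlier assigned from a source, meets a sink.
function scanPage(html) {
  const findings = [];
  const tainted = new Map(); // variable name -> source it was derived from
  const escapeRe = (v) => v.replace(/[$]/g, "\\$&");

  for (const stmt of splitStatements(scriptBodies(html).join("\n"))) {
    const direct = SOURCES.find((s) => stmt.includes(s));
    const viaVar = [...tainted.keys()].find((v) =>
      new RegExp("\\b" + escapeRe(v) + "\\b").test(stmt));
    const source = direct || (viaVar && `${viaVar} (tainted from ${tainted.get(viaVar)})`);
    if (!source) continue; // nothing attacker-controlled in this statement

    // "var x = <source>" or "x = <tainted var>" taints x for later statements.
    const asg = stmt.match(/^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=[^=]/);
    if (asg) tainted.set(asg[1], direct || tainted.get(viaVar));

    const sink = SINKS.find((k) => k.re.test(stmt));
    if (sink) findings.push({ sink: sink.name, source, statement: stmt });
  }
  return findings;
}

// Constructed sample page: one single-statement hit, one two-statement flow,
// and two statements that a naive grep might flag but that are not findings.
const SAMPLE_PAGE = `
<html><body>
<script>
  // pattern from the list posting: writes part of the URL straight into the page
  var pos = document.URL.indexOf("default=") + 8;
  document.write(document.URL.substring(pos, document.URL.length));
</script>
<script>
  // two-step flow a single-statement grep misses: source to variable, variable to sink
  var name = decodeURIComponent(location.hash.slice(1));
  document.getElementById("greeting").innerHTML = "Hello " + name;
</script>
<script>
  // not a finding: sink with a constant, and a source that only reaches a comparison
  document.write("<p>static footer</p>");
  if (location.pathname == "/foo.html") { console.log("on foo"); }
</script>
</body></html>`;

for (const f of scanPage(SAMPLE_PAGE)) {
  console.log(`[${f.sink}] <- ${f.source}\n    ${f.statement}`);
}
```

The first finding is the same kind of single-statement pattern shown in the posted output; the second only appears because the scanner remembers that `name` was assigned from `location.hash`, which a pure pattern grep does not do. Even so the approach stays purely textual: it still flags a value that was sanitized before reaching the sink (the false positives the posting warns about), and it misses flows through function arguments, object properties, postMessage handlers or library wrappers, so every hit needs a manual review of the surrounding JavaScript before it is called a vulnerability.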
