
Nmap Development mailing list archives
Re: NSE for checking crossdomain.xml
From: Paulino Calderon Pale <paulino () calderonpale com>
Date: Wed, 8 Apr 2015 11:05:10 -0500
Hi,

I’ve committed in r34406 an updated version of this script which fixes an issue with the web service, adds structured output, removes unnecessary code by using stones and fixes a couple of bugs related to tld handling.

Thank you Seth for your submission. It took us some time but we finally got it included! This script certainly adds a necessary check needed while testing RIA applications.

http-crossdomainxml: https://svn.nmap.org/nmap/scripts/http-crossdomainxml.nse

Cheers.

On Sep 29, 2014, at 10:47 PM, Seth Art <sethsec () gmail com> wrote:

List,

I've created an NSE script that looks for the existence of crossdomain.xml files and will provide the user with the following information:

1) If a wildcard exists, it will alert the user.
2) If specific domains are trusted by the crossdomain.xml, it will tell the user that there could still be risk, and it will give the user a comma-delimited list of domains that are trusted, and encourage the user to check the availability of the trusted domains.

You can see this better in the sample output in the NSE.

https://github.com/sethsec/crossdomain-exploitation-framework/blob/master/http-crossdomain.nse

For more information on what this script does, skip to the 20th minute of my DerbyCon talk from this weekend: https://www.youtube.com/watch?v=v_5dTJYjSMA&list=UU4PBNDLlS4d75MP0xxcukGA

Like Mariusz, who just posted a few hours ago, this is also my first NSE, and I'm completely open to feedback or guidance.

For those that are wondering, the reason I did not go with a version that automatically does the lookup is that I could not find a domain availability lookup source that allows access to an API without an API key. If anyone has a way to check domain availability that is completely open and in line with the terms of service, I'd be very interested to automate that portion of this script.

Regards,
Seth Art

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
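
The two checks described in the thread above (alert on a wildcard, list the specifically trusted domains for manual review), as an added Python example that is not part of the original messages and is not the code of http-crossdomainxml.nse. The function names, the size limit and the sample policy are assumptions made for illustration; treating the parent of a `*.` entry as the domain to review goes slightly beyond what the messages state.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for illustration (not from any real site).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="partner.example.net"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

MAX_POLICY_BYTES = 64 * 1024  # assumption: refuse oversized bodies before parsing


def audit_crossdomain(xml_text):
    """Return findings for one crossdomain.xml body (names are hypothetical)."""
    if len(xml_text.encode("utf-8")) > MAX_POLICY_BYTES:
        raise ValueError("policy body too large")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is not <cross-domain-policy>")

    findings = {"wildcard": False, "subdomain_wildcards": [], "trusted_domains": []}
    seen = set()
    for rule in root.iter("allow-access-from"):
        domain = (rule.get("domain") or "").strip().lower()
        if not domain:
            continue
        if domain == "*":
            findings["wildcard"] = True  # check 1: any origin is trusted
            continue
        if domain.startswith("*."):
            findings["subdomain_wildcards"].append(domain)
            domain = domain[2:]  # the parent domain is what must stay registered
        if domain not in seen:
            seen.add(domain)
            findings["trusted_domains"].append(domain)
    return findings


def trusted_domain_list(findings):
    """Check 2: comma-delimited list of domains to review by hand."""
    return ", ".join(findings["trusted_domains"])


if __name__ == "__main__":
    result = audit_crossdomain(SAMPLE_POLICY)
    print("wildcard:", result["wildcard"])
    print("trusted:", trusted_domain_list(result))
```
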