
File http-stored-xss

Script types: portrule
Categories: intrusive, exploit, vuln
Download: http://nmap.org/svn/scripts/http-stored-xss.nse

User Summary

Posts specially crafted strings to every form it encounters and then searches through the website for those strings to determine whether the payloads were reflected without HTML escaping, which is an indication of a potential stored XSS vulnerability.

Script Arguments

http-stored-xss.formpaths

The pages that contain the forms to exploit. For example, {/upload.php, /login.php}. Default: nil (crawler mode on)

http-stored-xss.uploadspaths

The pages that reflect back POSTed data. For example, {/comments.php, /guestbook.php}. Default: nil (crawler mode on)

http-stored-xss.fieldvalues

The script tries to fill every field it finds in a form, but the submission may be rejected because of field restrictions (for example, a field that must contain a valid e-mail address). Use this table to supply values for such fields manually. For example, {gender = "male", email = "foo@bar.com"}. Default: {}

http-stored-xss.dbfile

The path of a plain text file that contains one XSS vector per line. When unset, the script's built-in payloads (such as those shown in the output below) are used. Default: nil

httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost

See the documentation for the httpspider library.

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p80 --script http-stored-xss.nse <target>

This script works in two phases.
1) Posts specially crafted strings to every form it encounters.
2) Crawls through the site searching for these strings.

If any string is reflected on some page without proper
HTML escaping, it is a sign of a potential stored XSS vulnerability.
Because phase 1 submits data to every form it finds, the payloads remain
stored on the target (for example, as guestbook entries); this is why the
script is in the intrusive category.
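The two phases described above, reproduced as an added example (this is not code from the script or from Nmap) in Python against a constructed in-memory site. Three form handlers with different escaping policies stand in for the target; the payload strings and descriptions are the ones shown in the output below; `payloads_from_dbfile` mirrors the one-vector-per-line dbfile format; the `FakeSite` class, the `message` and `email` field names and the escaping policies are assumptions made for illustration. Unlike the script, it reports the page on which a reflection was found rather than the form the payload was uploaded on.

```python
"""Added example: the two phases of http-stored-xss against an in-memory site."""
import html
from typing import Callable, Dict, List, Tuple

# Probe strings copied from the script output. Each wraps one HTML metacharacter
# in filler letters so that a verbatim reflection is unambiguous.
PAYLOADS: Dict[str, str] = {
    "ghz>hzx": "Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.",
    'hzx"zxc': 'Unfiltered " (double quotation mark). An indication of potential XSS vulnerability.',
    "zxc'xcv": "Unfiltered ' (apostrophe). An indication of potential XSS vulnerability.",
}


def payloads_from_dbfile(text: str) -> List[str]:
    """Parse the http-stored-xss.dbfile format: one XSS vector per line, blanks ignored."""
    return [line.rstrip("\r\n") for line in text.splitlines() if line.strip()]


class FakeSite:
    """Constructed stand-in for the target (assumption, not a real application).
    Each form handler stores the message and renders it back with its own policy."""

    def __init__(self) -> None:
        self.stored: Dict[str, List[str]] = {
            p: [] for p in ("/guestbook.php", "/posts.php", "/comments.php")
        }
        self.renderers: Dict[str, Callable[[str], str]] = {
            "/guestbook.php": lambda s: s,                          # no escaping at all
            "/posts.php": lambda s: s.replace("'", "&#39;"),        # only apostrophes handled
            "/comments.php": lambda s: html.escape(s, quote=True),  # correct output encoding
        }

    def post(self, path: str, fields: Dict[str, str]) -> None:
        self.stored[path].append(fields["message"])

    def get(self, path: str) -> str:
        items = "".join(f"<li>{self.renderers[path](m)}</li>" for m in self.stored[path])
        return f"<html><body><ul>{items}</ul></body></html>"

    def crawl(self) -> List[str]:
        return sorted(self.stored)  # every page a spider would reach


def phase1_upload(site: FakeSite, form_paths: List[str], payloads: List[str],
                  field_values: Dict[str, str]) -> None:
    """Phase 1: POST every payload to every form. Caller-supplied field values
    (the role of http-stored-xss.fieldvalues) are merged in so restricted fields validate."""
    for path in form_paths:
        for payload in payloads:
            fields = dict(field_values)
            fields["message"] = payload
            site.post(path, fields)


def phase2_search(site: FakeSite, pages: List[str],
                  payloads: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Phase 2: fetch each page and look for each payload byte-for-byte. An escaped
    reflection such as 'ghz&gt;hzx' does not match and is therefore not reported."""
    findings: List[Tuple[str, str, str]] = []
    for page in pages:
        body = site.get(page)
        for payload, description in payloads.items():
            if payload in body:
                findings.append((payload, page, description))
    return findings


def scan(site: FakeSite) -> List[Tuple[str, str, str]]:
    """Run both phases; the crawl result doubles as the list of forms and upload pages."""
    phase1_upload(site, site.crawl(), list(PAYLOADS), {"email": "foo@bar.com"})
    return phase2_search(site, site.crawl(), PAYLOADS)


if __name__ == "__main__":
    for payload, page, desc in scan(FakeSite()):
        print(f"Payload: {payload}\n  Found on: {page}\n  Description: {desc}")
```

Only /guestbook.php and /posts.php produce findings: the guestbook reflects all three payloads, /posts.php only the ones with `>` and `"` because it rewrites the apostrophe, and /comments.php none because `html.escape(..., quote=True)` encodes all three characters. An unescaped match remains an indicator rather than proof, since whether the character actually breaks out depends on the context (text node, attribute value, script block) in which the stored value lands.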

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-stored-xss:
|   Found the following stored XSS vulnerabilities:
|
|      Payload: ghz>hzx
|    Uploaded on: /guestbook.php
|    Description: Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.
|      Payload: zxc'xcv
|    Uploaded on: /guestbook.php
|    Description: Unfiltered ' (apostrophe). An indication of potential XSS vulnerability.
|
|      Payload: ghz>hzx
|    Uploaded on: /posts.php
|    Description: Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.
|      Payload: hzx"zxc
|    Uploaded on: /posts.php
|_   Description: Unfiltered " (double quotation mark). An indication of potential XSS vulnerability.



Requires


Author: George Chatzisofroniou

License: Same as Nmap--See http://nmap.org/book/man-legal.html
