Script http-cross-domain-policy
Script types:
portrule
Categories:
safe, external, vuln
Download: https://svn.nmap.org/nmap/scripts/http-cross-domain-policy.nse
Script Summary
Checks the cross-domain policy file (/crossdomain.xml) and the client-access-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross-Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful to detect permissive configurations and to list trusted domain names that may be available for purchase, which would let an attacker host a policy-trusted origin and exploit the application.
The script queries instantdomainsearch.com to look up whether the trusted domains are registered. This functionality is turned off by default; to enable it, set the script argument http-cross-domain-policy.domain-lookup.
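The check the script performs can be reproduced offline. The following is an added example and not part of the Nmap script or its documentation: it parses a Flash-style crossdomain.xml and a Silverlight clientaccesspolicy.xml, lists the trusted domains with the "*." prefix stripped (as the script's "Trusted domains" line does), and flags the settings a reviewer would treat as overly permissive: a wildcard domain, secure="false", a site-control that permits non-master policy files, and a wildcard header grant. The three sample policies are constructed for the example; the permissive and hardened crossdomain.xml pair shows what the same site looks like before and after the fix. The domain-availability lookup is deliberately left out so the example runs without network access.

```python
"""Added example (not the Nmap script's code): audit crossdomain.xml and
clientaccesspolicy.xml for permissive cross-domain trust. Samples are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: a permissive Flash/Reader policy.
PERMISSIVE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.example.com"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: the same site after hardening (one named host, HTTPS only, master file only).
HARDENED_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""

# Constructed sample: a permissive Silverlight policy granting the whole site to any origin.
PERMISSIVE_CLIENTACCESS = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
        <domain uri="*.example.me"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def parse_crossdomain(xml_text):
    """Return (domains, findings) for a Flash/Reader crossdomain.xml."""
    root = ET.fromstring(xml_text)
    domains, findings = [], []
    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append("site-control permits policy files anywhere on the host, not just the master file")
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        domains.append(domain)
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin may read responses as the victim')
        # secure defaults to true; "false" lets http:// content reach data served over https://
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain!r}: plaintext origins may reach HTTPS content')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append("allow-http-request-headers-from: any origin may send arbitrary headers")
    return domains, findings


def parse_clientaccesspolicy(xml_text):
    """Return (domains, findings) for a Silverlight clientaccesspolicy.xml."""
    root = ET.fromstring(xml_text)
    domains, findings = [], []
    for policy in root.iter("policy"):
        allow, grant = policy.find("allow-from"), policy.find("grant-to")
        if allow is None:
            continue
        uris = [d.get("uri", "") for d in allow.findall("domain")]
        domains.extend(uris)
        resources = [] if grant is None else grant.findall("resource")
        whole_site = any(r.get("path") == "/" and r.get("include-subpaths") == "true" for r in resources)
        if "*" in uris:
            scope = "the whole site" if whole_site else "the granted paths"
            findings.append(f'allow-from uri="*" lets any origin reach {scope}')
        if allow.get("http-request-headers") == "*":
            findings.append('allow-from http-request-headers="*": any header may be sent cross-domain')
    return domains, findings


def trusted_domains(domains):
    """Strip the '*.' prefix and dedupe in order, keeping a bare '*' so it stays visible."""
    seen, out = set(), []
    for d in domains:
        name = d[2:] if d.startswith("*.") else d
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def audit(crossdomain_xml, clientaccess_xml):
    """Run both parsers and combine the results into one report."""
    cd_domains, cd_findings = parse_crossdomain(crossdomain_xml)
    ca_domains, ca_findings = parse_clientaccesspolicy(clientaccess_xml)
    return {"trusted_domains": trusted_domains(cd_domains + ca_domains),
            "findings": cd_findings + ca_findings,
            "vulnerable": bool(cd_findings or ca_findings)}


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_CROSSDOMAIN), ("hardened", HARDENED_CROSSDOMAIN)):
        report = audit(policy, PERMISSIVE_CLIENTACCESS)
        print(label, "vulnerable:", report["vulnerable"], "trusted:", report["trusted_domains"])
        for finding in report["findings"]:
            print("  -", finding)
```

The hardened crossdomain.xml yields no findings on its own, but the report still comes back vulnerable because the Silverlight file grants "/" with subpaths to uri="*"; both files have to be reviewed together. Each name returned by trusted_domains is a candidate for the registration check the script performs when domain-lookup is enabled.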
References:
- http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
- http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
- https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
- https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
- https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
- http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
Script Arguments
- http-cross-domain-policy.domain-lookup
Boolean to check domain availability. Default: false
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap --script http-cross-domain-policy <target>
nmap -p 80 --script http-cross-domain-policy --script-args http-cross-domain-policy.domain-lookup=true <target>
Script Output
PORT     STATE SERVICE    REASON
8080/tcp open  http-proxy syn-ack
| http-cross-domain-policy:
|   VULNERABLE:
|   Cross-domain policy file (crossdomain.xml)
|     State: VULNERABLE
|       A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,
|       etc. use to access data across different domains. A client access policy file is similar to a cross-domain policy
|       but is used for Microsoft Silverlight applications. Overly permissive configurations enable Cross-site Request
|       Forgery attacks, and may allow third parties to access sensitive data meant for the user.
|     Check results:
|       /crossdomain.xml:
|         <cross-domain-policy>
|           <allow-access-from domain="*.example.com"/>
|           <allow-access-from domain="*.exampleobjects.com"/>
|           <allow-access-from domain="*.example.co.in"/>
|         </cross-domain-policy>
|       /clientaccesspolicy.xml:
|         <?xml version="1.0" encoding="utf-8"?>
|         <access-policy>
|           <cross-domain-access>
|             <policy>
|               <allow-from http-request-headers="SOAPAction">
|                 <domain uri="*"/>
|                 <domain uri="*.example.me"/>
|                 <domain uri="*.exampleobjects.me"/>
|               </allow-from>
|               <grant-to>
|                 <resource path="/" include-subpaths="true"/>
|               </grant-to>
|             </policy>
|           </cross-domain-access>
|         </access-policy>
|     Extra information:
|       Trusted domains: example.com, exampleobjects.com, example.co.in, *, example.me, exampleobjects.me
|       Use the script argument 'domain-lookup' to find trusted domains available for purchase
|     References:
|       http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
|       http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
|       https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
|       http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
|       https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
|_      https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
Requires
Authors:
License: Same as Nmap--See https://nmap.org/book/man-legal.html