Script http-cross-domain-policy

Script types: portrule
Categories: safe, external, vuln
Download: https://svn.nmap.org/nmap/scripts/http-cross-domain-policy.nse

Script Summary

Checks the cross-domain policy file (/crossdomain.xml) and the client-access-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings, such as a wildcard "*" entry or a wildcard over a subdomain space the site does not fully control, enable Cross-Site Request Forgery attacks and may allow attackers to read sensitive data. The script is useful for detecting permissive configurations and for spotting trusted domain names that are available for purchase and could be registered to exploit the application.

The script queries instantdomainsearch.com to look up whether each trusted domain is registered. This functionality is turned off by default (it sends the trusted domain names to an external service); to enable it, set the script argument http-cross-domain-policy.domain-lookup.
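As an added illustration (this is not code from the script or the Nmap project), the following Python checker parses constructed copies of both policy files and reproduces the two things the script reports: the list of trusted domains and the permissive patterns worth flagging. The sample policies, the hardened variant and all host names in them are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy files modelled on the script's example output.
# The hosts are placeholders, not real targets.
CROSSDOMAIN_XML = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="app.example.co.in"/>
</cross-domain-policy>"""

CLIENTACCESSPOLICY_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
        <domain uri="https://*.example.me"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

# Constructed hardened crossdomain.xml for comparison: one explicit origin, TLS only,
# and no policy files honoured from other paths on the host.
HARDENED_CROSSDOMAIN_XML = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com" secure="true"/>
</cross-domain-policy>"""


def crossdomain_entries(data):
    """(domain, secure) pairs from a Flash/Reader crossdomain.xml.
    The Adobe spec defaults secure to true; only an explicit "false" weakens it."""
    root = ET.fromstring(data)
    return [(el.get("domain", ""), el.get("secure", "true").lower() != "false")
            for el in root.iter("allow-access-from")]


def clientaccess_entries(data):
    """(uri, secure) pairs from a Silverlight clientaccesspolicy.xml.
    A uri with an explicit http:// scheme trusts plaintext origins."""
    root = ET.fromstring(data)
    return [(d.get("uri", ""), not d.get("uri", "").startswith("http://"))
            for d in root.iter("domain")]


def host_of(entry):
    """Strip an optional scheme so "https://*.example.me" and "*.example.me" compare alike."""
    return entry.split("://", 1)[1] if "://" in entry else entry


def trusted_domains(entries):
    """Mirror the script's 'Trusted domains' line: drop the scheme and a leading "*.",
    keeping first-seen order. These are the names a domain lookup would check."""
    seen, out = set(), []
    for entry, _ in entries:
        name = host_of(entry)
        if name.startswith("*."):
            name = name[2:]
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def assess(entries):
    """Flag the permissive patterns the script warns about. Returns (entry, finding) pairs;
    one entry can produce more than one finding."""
    findings = []
    for entry, secure in entries:
        host = host_of(entry)
        if host == "*":
            findings.append((entry, "CRITICAL: any origin may read responses and forge requests"))
        elif host.startswith("*."):
            findings.append((entry, "HIGH: every subdomain is trusted; one takeover or expired name is enough"))
        if not secure:
            findings.append((entry, "MEDIUM: plaintext origins are trusted, so a network attacker can inject"))
    return findings


if __name__ == "__main__":
    samples = (("crossdomain.xml", crossdomain_entries(CROSSDOMAIN_XML)),
               ("clientaccesspolicy.xml", clientaccess_entries(CLIENTACCESSPOLICY_XML)),
               ("hardened crossdomain.xml", crossdomain_entries(HARDENED_CROSSDOMAIN_XML)))
    for label, entries in samples:
        print(label, "trusted:", ", ".join(trusted_domains(entries)))
        for entry, finding in assess(entries):
            print("  ", entry, "->", finding)
```

The hardened file produces no findings; the two sample files reproduce the "*" and wildcard-subdomain cases the script's output shows, plus the secure="false" case that the Flash client treats as permission for http:// origins to read https:// content.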

References:

Script Arguments

http-cross-domain-policy.domain-lookup

Boolean; when true, check whether each trusted domain is available for purchase. Default: false

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

  • nmap --script http-cross-domain-policy <target>
  • nmap -p 80 --script http-cross-domain-policy --script-args http-cross-domain-policy.domain-lookup=true <target>

Script Output

PORT   STATE SERVICE REASON
8080/tcp open  http-proxy syn-ack
| http-cross-domain-policy:
|   VULNERABLE:
|   Cross-domain policy file (crossdomain.xml)
|     State: VULNERABLE
|       A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,
|       etc. uses to access data across different domains. A client access policy file is similar to a cross-domain
|       policy file but is used by Microsoft Silverlight applications. Overly permissive configurations enable Cross-Site
|       Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.
|     Check results:
|       /crossdomain.xml:
|         <cross-domain-policy>
|         <allow-access-from domain="*.example.com"/>
|         <allow-access-from domain="*.exampleobjects.com"/>
|         <allow-access-from domain="*.example.co.in"/>
|         </cross-domain-policy>
|       /clientaccesspolicy.xml:
|         <?xml version="1.0" encoding="utf-8"?>
|         <access-policy>
|           <cross-domain-access>
|             <policy>
|               <allow-from http-request-headers="SOAPAction">
|                 <domain uri="*"/>
|                 <domain uri="*.example.me"/>
|                 <domain uri="*.exampleobjects.me"/>
|               </allow-from>
|               <grant-to>
|                 <resource path="/" include-subpaths="true"/>
|               </grant-to>
|             </policy>
|           </cross-domain-access>
|         </access-policy>
|     Extra information:
|       Trusted domains: example.com, exampleobjects.com, example.co.in, *, example.me, exampleobjects.me
|   Use the script argument 'domain-lookup' to find trusted domains available for purchase
|     References:
|       http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
|       http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
|       https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
|       http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
|       https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
|_      https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html

Requires


Authors:

  • Seth Art <sethsec()gmail>
  • Paulino Calderon <calderon()websec.mx>
  • Gyanendra Mishra

License: Same as Nmap--See https://nmap.org/book/man-legal.html