Script http-dombased-xss
Script types:
portrule
Categories:
intrusive, exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/http-dombased-xss.nse
Script Summary
It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: http://www.webappsec.org/projects/articles/071105.shtml
See also:
Script Arguments
- http-dombased-xss.singlepages
The pages to test. For example, {/index.php, /profile.php}. Default: nil (crawler mode on)
- slaxml.debug
See the documentation for the slaxml library.
- httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
See the documentation for the httpspider library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p80 --script http-dombased-xss.nse <target>

DOM-based XSS occurs in client-side JavaScript, and this script tries to detect it by matching a set of source and sink patterns. Note that the script may generate false positives: do not treat everything in the output as a vulnerability before reviewing the flagged code yourself. Most of the patterns used to identify vulnerable code have been taken from this page: https://code.google.com/p/domxsswiki/wiki/LocationSources
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-dombased-xss:
|   Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=some-very-random-page.com
|   Found the following indications of potential DOM based XSS:
|
|     Source: document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")
|     Pages: http://some-very-random-page.com:80/, http://some-very-random-page.com/foo.html
|
|     Source: document.write(document.URL.substring(pos,document.URL.length)
|_    Pages: http://some-very-random-page.com/foo.html
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html