Script http-jsonp-detection
Script types:
portrule
Categories:
safe, vuln, discovery
Download: https://svn.nmap.org/nmap/scripts/http-jsonp-detection.nse
Script Summary
Attempts to discover JSONP endpoints on web servers. JSONP endpoints can be abused to bypass the browser's same-origin policy: a page on any origin can load the endpoint with a script tag and receive the wrapped data in the callback function it names.
The script detects JSONP endpoints by looking for a callback function wrapping the JSON in the response. It then checks whether the callback name can be set from the URL (the name may be completely or only partially controllable from the URL) and brute-forces the most common callback parameter names in the query string.
References: https://securitycafe.ro/2017/01/18/practical-jsonp-injection/
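The detection logic described in the summary, written out as an added Python sketch (this is not the script's own Lua code): a probe name is sent under each common callback parameter name, the response is parsed for a JavaScript identifier wrapping valid JSON, and the endpoint is reported as completely controllable (name reflected verbatim), partially controllable (name reflected inside a fixed prefix or suffix) or static (JSONP with a fixed name). The parameter list, the probe name and the fake_fetch stand-in server are constructed for illustration and are not taken from the script.

```python
import json
import re

# Callback parameter names to try when the endpoint gives no hint. This list is
# a constructed illustration, not the list shipped with http-jsonp-detection.nse.
COMMON_CALLBACK_PARAMS = [
    "callback", "cb", "jsonp", "jsonpcallback", "jsoncallback",
    "call", "func", "function", "jsonp_callback",
]

# A JSONP body is a JavaScript identifier wrapping a JSON value, optionally
# preceded by the "/**/" prefix some servers emit as a Rosetta Flash mitigation.
JSONP_RE = re.compile(
    r"^\s*(?:/\*\*/\s*)?([A-Za-z_$][\w$.]*)\s*\((.*)\)\s*;?\s*$", re.S
)


def extract_callback(body):
    """Return the callback name wrapping a JSONP response, or None if the
    body is not JSONP (no wrapper, or the wrapped text is not valid JSON)."""
    m = JSONP_RE.match(body)
    if not m:
        return None
    try:
        json.loads(m.group(2))
    except ValueError:
        return None
    return m.group(1)


def classify(probe, body):
    """Compare the callback name we sent with the one that came back.
    'complete' : reflected verbatim (the attacker picks the function name)
    'partial'  : reflected inside a fixed prefix or suffix
    'static'   : JSONP, but the name ignores the URL
    None       : not a JSONP response"""
    cb = extract_callback(body)
    if cb is None:
        return None
    if cb == probe:
        return "complete"
    if probe in cb:
        return "partial"
    return "static"


def probe_endpoint(fetch, path, probe="nmapjsonpprobe"):
    """Try each common parameter name on one path. Returns (param, verdict)
    for a controllable callback, (None, 'static') for a fixed-name JSONP
    endpoint, or None when the path never answers with JSONP.
    The probe is letters only so servers that strip punctuation still reflect it."""
    for param in COMMON_CALLBACK_PARAMS:
        verdict = classify(probe, fetch(path, {param: probe}))
        if verdict in ("complete", "partial"):
            return (param, verdict)
    if extract_callback(fetch(path, {})) is not None:
        return (None, "static")
    return None


def fake_fetch(path, params):
    """Constructed stand-in for an HTTP GET so the example runs offline.
    Each path models one server behaviour."""
    payload = '{"contacts":[{"name":"alice"}]}'
    if path == "/rest/contactsjp.php":      # echoes ?callback= verbatim
        cb = params.get("callback")
        return f"{cb}({payload});" if cb else payload
    if path == "/api/partial":              # honours ?jsoncallback= but prefixes it
        cb = params.get("jsoncallback")
        return f"cb_{cb}({payload});" if cb else payload
    if path == "/api/static":               # always uses a fixed function name
        return f"/**/handleData({payload});"
    if path == "/api/json":                 # plain JSON, no wrapper
        return payload
    return "404 Not Found"


def scan(fetch, paths):
    """Run the probe over several paths and return only the JSONP findings."""
    findings = {}
    for path in paths:
        result = probe_endpoint(fetch, path)
        if result is not None:
            findings[path] = result
    return findings


if __name__ == "__main__":
    paths = ["/rest/contactsjp.php", "/api/partial", "/api/static", "/api/json"]
    for path, (param, verdict) in scan(fake_fetch, paths).items():
        where = f"via parameter '{param}'" if param else "fixed name"
        print(f"{path}: {verdict} ({where})")
```

The "complete" verdict corresponds to the "Completely controllable from URL" line in the script output below; it is the case that matters for JSONP injection, because the attacker's page can name any function it likes and receive the victim's data in it. Validating the wrapped text as JSON keeps ordinary JavaScript files, which also look like identifier(...), from being reported as JSONP.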
Script Arguments
- http-jsonp-detection.path
The URL path to request. The default path is "/".
- slaxml.debug
See the documentation for the slaxml library.
- httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
See the documentation for the httpspider library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p 80 --script http-jsonp-detection <target>
Script Output
80/tcp open  http    syn-ack
| http-jsonp-detection:
| The following JSONP endpoints were detected:
|_/rest/contactsjp.php Completely controllable from URL
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html