Categories: safe, vuln, discovery
Attempts to discover JSONP endpoints on web servers. JSONP endpoints can be used to bypass Same-Origin Policy restrictions in web browsers.
The script searches for callback functions in the response to detect JSONP endpoints. It also tries to determine whether the callback function name can be set through the URL (the callback function may be fully or partially controllable from the URL), and it tries to brute-force the most common callback parameter names through the URL.
References: https://securitycafe.ro/2017/01/18/practical-jsonp-injection/
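The detection logic described above, as an added Python example (not the script's own Lua code): it matches the callback wrapper in a response body, classifies how much a URL-supplied callback value controls it using the same verdict strings the script reports, and walks a constructed list of common callback parameter names. The parameter list, the probe marker and the simulated server are assumptions made for this example.

```python
import re
from typing import Callable, Optional

# Constructed list of common JSONP callback parameter names (not the script's own list).
COMMON_CALLBACK_PARAMS = ["callback", "cb", "jsonp", "jsonpcallback", "jsoncallback", "jcb"]

# A JSONP body looks like  name({...});  optionally preceded by the "/**/" anti-hijacking prefix.
JSONP_RE = re.compile(r"^\s*(?:/\*\*/\s*)?([A-Za-z_$][\w$.]*)\s*\(")


def jsonp_function(body: str) -> Optional[str]:
    """Return the wrapping callback function name if the body looks like JSONP, else None."""
    m = JSONP_RE.match(body)
    return m.group(1) if m else None


def classify_control(body: str, sent_callback: str) -> Optional[str]:
    """Classify how far the callback value sent in the URL controls the response wrapper."""
    fn = jsonp_function(body)
    if fn is None:
        return None  # plain JSON (or not JSON at all): no JSONP endpoint here
    if fn == sent_callback:
        return "Completely controllable from URL"
    if sent_callback in fn:
        return "Partially controllable from URL"  # e.g. server prefixes or suffixes the name
    return "Not controllable from URL"  # JSONP with a fixed, server-chosen callback


def probe_endpoint(fetch: Callable[[str, str], str], marker: str = "nmapjsonpprobe") -> Optional[dict]:
    """Try each common parameter name; fetch(param, value) returns the response body."""
    for param in COMMON_CALLBACK_PARAMS:
        body = fetch(param, marker)
        verdict = classify_control(body, marker)
        if verdict is not None:
            return {"param": param, "callback": jsonp_function(body), "verdict": verdict}
    return None


def simulated_fetch(param: str, value: str) -> str:
    """Constructed stand-in for an HTTP request: only 'jsonpcallback' is honoured, with a prefix."""
    if param == "jsonpcallback":
        return "/**/ jQuery_" + value + '({"contacts": []});'
    return '{"contacts": []}'


if __name__ == "__main__":
    print(probe_endpoint(simulated_fetch))
```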
- http-jsonp-detection.path The URL path to request. The default path is "/".
See the documentation for the slaxml library.
- httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
See the documentation for the httpspider library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
nmap -p 80 --script http-jsonp-detection <target>
80/tcp open http syn-ack
| http-jsonp-detection:
| The following JSONP endpoints were detected:
|_/rest/contactsjp.php Completely controllable from URL
License: Same as Nmap -- See https://nmap.org/book/man-legal.html