Script http-phpself-xss
Script types:
portrule
Categories:
fuzzer, intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/http-phpself-xss.nse
Script Summary
Crawls a web server and attempts to find PHP files vulnerable to reflected
cross site scripting via the variable $_SERVER["PHP_SELF"].
This script crawls the web server to build a list of PHP files and then sends
an attack vector/probe to each of them to identify PHP_SELF cross site
scripting vulnerabilities. PHP_SELF XSS refers to reflected cross site
scripting vulnerabilities caused by echoing the variable $_SERVER["PHP_SELF"]
into a page without sanitization. This variable is commonly used in PHP
scripts that display forms (typically as the form's action attribute) and
wherever the script's own file name is needed. Because PHP_SELF also contains
any extra path information appended to the request (everything after the
.php segment), an attacker can place HTML and script in it.
Examples of Cross Site Scripting vulnerabilities in the variable $_SERVER["PHP_SELF"]:
- http://www.securityfocus.com/bid/37351
- http://software-security.sans.org/blog/2011/05/02/spot-vuln-percentage
- http://websec.ca/advisories/view/xss-vulnerabilities-mantisbt-1.2.x
The attack vector/probe used is: /'"/><script>alert(1)</script>
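The mechanism described above and the reflection check the probe relies on, as an added example in Python. This is not code from Nmap or from http-phpself-xss.nse: the real script crawls a target and speaks HTTP to it, whereas here three small functions stand in for PHP pages (one that echoes PHP_SELF unescaped, one that passes it through htmlspecialchars, one that uses SCRIPT_NAME instead). The host example.test, the page functions, the PATH_INFO handling and the "vulnerable if the raw probe is reflected" verdict are this example's assumptions; only the probe string and its percent-encoded form come from the page.

```python
"""Model of the PHP_SELF reflected-XSS check described on this page.

Added example, not code from Nmap or from http-phpself-xss.nse. The
page functions below stand in for PHP scripts behind a web server; the
probe string and its encoded form are the ones shown on the page,
everything else (host, pages, CGI variable derivation) is assumed.
"""
import html
from urllib.parse import quote, unquote, urlsplit

# Probe the NSE script appends to each crawled PHP file (from the page).
PROBE = "/'\"/><script>alert(1)</script>"


def probe_url(php_url: str) -> str:
    """Append the probe as extra path info, percent-encoded as a client sends it.

    '/' and the parentheses are left bare so the result matches the PoC URLs in
    the script output (three.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E).
    """
    return php_url + quote(PROBE, safe="/()")


def server_vars(request_path: str) -> dict:
    """Derive the CGI variables a PHP-enabled server sets for a request path.

    Assumption: the server accepts path info, so everything after the first
    '.php' segment becomes PATH_INFO and PHP_SELF = SCRIPT_NAME + PATH_INFO.
    PHP_SELF holds the *decoded* path, which is why %3C comes back as '<'.
    """
    path = unquote(request_path)
    head, sep, tail = path.partition(".php")
    script_name = head + sep
    return {"SCRIPT_NAME": script_name, "PATH_INFO": tail,
            "PHP_SELF": script_name + tail}


def vulnerable_page(env: dict) -> str:
    """Stand-in for <form action="<?php echo $_SERVER['PHP_SELF']; ?>"> (unsafe)."""
    return f'<form method="post" action="{env["PHP_SELF"]}"><input name="q"></form>'


def escaped_page(env: dict) -> str:
    """Stand-in for htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8').

    html.escape(quote=True) encodes the same characters (& < > " '), although
    PHP emits &#039; where Python emits &#x27;; either way the probe's quote
    and '>' can no longer terminate the action attribute.
    """
    safe = html.escape(env["PHP_SELF"], quote=True)
    return f'<form method="post" action="{safe}"><input name="q"></form>'


def script_name_page(env: dict) -> str:
    """Avoid PHP_SELF altogether: $_SERVER['SCRIPT_NAME'] excludes path info.

    Escaping is kept as defence in depth even though the server sets the value.
    """
    safe = html.escape(env["SCRIPT_NAME"], quote=True)
    return f'<form method="post" action="{safe}"><input name="q"></form>'


def reflects_probe(body: str) -> bool:
    """This example's verdict: vulnerable only if the unescaped probe is reflected.

    An escaped reflection (&lt;script&gt;) is harmless and must not count, so
    this is a literal substring test on the raw probe, not a regex.
    """
    return PROBE in body


def scan(php_url: str, page) -> tuple:
    """Probe one simulated page; returns (proof-of-concept URL, vulnerable?)."""
    url = probe_url(php_url)
    env = server_vars(urlsplit(url).path)
    return url, reflects_probe(page(env))


if __name__ == "__main__":
    target = "http://example.test/sillyapp/three.php"  # assumed host and file
    for name, page in (("PHP_SELF raw", vulnerable_page),
                       ("htmlspecialchars", escaped_page),
                       ("SCRIPT_NAME", script_name_page)):
        url, vuln = scan(target, page)
        print(f"{name:17} {'VULNERABLE' if vuln else 'not vulnerable'}  {url}")
```

Two caveats when reading results from the real script: the probe only reaches PHP_SELF if the web server passes extra path info to the PHP file (Apache's AcceptPathInfo, or an nginx fastcgi_split_path_info rule); a server that answers 404 instead is not proven safe, only not testable this way. And the verdict depends on the raw probe coming back, so a page that reflects PHP_SELF inside a context the probe does not break out of is still worth a manual look.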
See also:
Script Arguments
- http-phpself-xss.timeout
Spidering timeout. (default 10s)
- http-phpself-xss.uri
URI. Default: /
- httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
See the documentation for the httpspider library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
- slaxml.debug
See the documentation for the slaxml library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
Example Usage
nmap --script=http-phpself-xss -p80 <target>
nmap -sV --script http-phpself-xss <target>
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-phpself-xss:
|   VULNERABLE:
|   Unsafe use of $_SERVER["PHP_SELF"] in PHP files
|     State: VULNERABLE (Exploitable)
|     Description:
|       PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities.
|
|     Extra information:
|
|   Vulnerable files with proof of concept:
|     http://calder0n.com/sillyapp/three.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
|     http://calder0n.com/sillyapp/secret/2.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
|     http://calder0n.com/sillyapp/1.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
|     http://calder0n.com/sillyapp/secret/1.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
|   Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=calder0n.com
|     References:
|       https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
|_      http://php.net/manual/en/reserved.variables.server.php
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html
action
- action (host, port)
main
Parameters
- host
- port