Script http-stored-xss
Script types:
portrule
Categories:
intrusive, exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/http-stored-xss.nse
Script Summary
Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.
Script Arguments
- http-stored-xss.formpaths
The pages that contain the forms to exploit. For example, {/upload.php, /login.php}. Default: nil (crawler mode on)
- http-stored-xss.uploadspaths
The pages that reflect back POSTed data. For example, {/comments.php, /guestbook.php}. Default: nil (crawler mode on)
- http-stored-xss.fieldvalues
The script will try to fill every field found in the form but that may fail due to fields' restrictions. You can manually fill those fields using this table. For example, {gender = "male", email = "foo@bar.com"}. Default: {}
- http-stored-xss.dbfile
The path of a plain text file that contains one XSS vector per line. Default: nil
- slaxml.debug
See the documentation for the slaxml library.
- httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
See the documentation for the httpspider library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
Example Usage
nmap -p80 --script http-stored-xss.nse <target>

This script works in two phases:
1) Posts specially crafted strings to every form it encounters.
2) Crawls through the site searching for these strings.
If any string is reflected on some page without proper HTML escaping, it is a sign of a potential XSS vulnerability.
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-stored-xss:
|   Found the following stored XSS vulnerabilities:
|
|    Payload: ghz>hzx
|    Uploaded on: /guestbook.php
|    Description: Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.
|    Payload: zxc'xcv
|    Uploaded on: /guestbook.php
|    Description: Unfiltered ' (apostrophe). An indication of potential XSS vulnerability.
|
|    Payload: ghz>hzx
|    Uploaded on: /posts.php
|    Description: Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.
|    Payload: hzx"zxc
|    Uploaded on: /posts.php
|_   Description: Unfiltered " (double quotation mark). An indication of potential XSS vulnerability.
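The phase-2 check that produces the output above (a marker string posted in phase 1 is found verbatim in a page body instead of in escaped form) is small enough to show in full. The following Python is an added example written for this page, not code from the Nmap script or its author; it uses the three marker payloads and description strings visible in the output, a constructed guestbook template that interpolates raw input beside the same template with HTML escaping applied, and a constructed {path: body} map standing in for the crawl. No HTTP is performed, so it runs offline.

```python
"""Detect stored input that is reflected without HTML escaping.

Mirrors the two-phase idea behind http-stored-xss: phase 1 submits marker
strings that each carry one HTML meta-character; phase 2 inspects page bodies
and reports any marker that appears verbatim, i.e. the meta-character survived
unescaped. Everything here is constructed for illustration.
"""
import html

# Marker payloads in the style of the script output on this page: letters plus
# exactly one character that a correct HTML escaper must neutralise.
PAYLOADS = {
    "ghz>hzx": "Unfiltered '>' (greater than sign). An indication of potential XSS vulnerability.",
    "zxc'xcv": "Unfiltered ' (apostrophe). An indication of potential XSS vulnerability.",
    'hzx"zxc': 'Unfiltered " (double quotation mark). An indication of potential XSS vulnerability.',
}


def render_vulnerable(comment: str) -> str:
    """Constructed guestbook template that interpolates raw user input (the flaw)."""
    return f'<ul><li class="comment">{comment}</li></ul>'


def render_hardened(comment: str) -> str:
    """Same template with HTML escaping; quote=True also turns ' and " into entities."""
    return f'<ul><li class="comment">{html.escape(comment, quote=True)}</li></ul>'


def find_unescaped(page_body: str, page_path: str) -> list[dict]:
    """Phase 2 for one page: report each marker found verbatim in the body.

    A marker whose meta-character was escaped (e.g. '>' rendered as '&gt;')
    no longer matches as a substring, which is the case treated as safe.
    """
    findings = []
    for payload, description in PAYLOADS.items():
        if payload in page_body:
            findings.append({"payload": payload, "uploaded_on": page_path, "description": description})
    return findings


def scan(pages: dict[str, str]) -> list[dict]:
    """Run the phase-2 check over a crawled {path: body} map."""
    results = []
    for path, body in pages.items():
        results.extend(find_unescaped(body, path))
    return results


def format_report(findings: list[dict]) -> str:
    """Render findings in the same layout as the script's output."""
    if not findings:
        return "No stored XSS indications found."
    lines = ["Found the following stored XSS vulnerabilities:"]
    for f in findings:
        lines += ["", f"Payload: {f['payload']}", f"Uploaded on: {f['uploaded_on']}", f"Description: {f['description']}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed site: /guestbook.php echoes input raw, /posts.php escapes it.
    crawled = {
        "/guestbook.php": "".join(render_vulnerable(p) for p in PAYLOADS),
        "/posts.php": "".join(render_hardened(p) for p in PAYLOADS),
    }
    print(format_report(scan(crawled)))
```

Only /guestbook.php shows up in the report; every marker on /posts.php has been turned into `&gt;`, `&#x27;` or `&quot;` and no longer matches. The substring test is deliberately the same coarse signal the script uses: it flags missing escaping, not exploitability, and escaping that is correct for an HTML text node is not sufficient for input placed inside a script block or a URL attribute, where context-specific encoding is needed.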
License: Same as Nmap--See https://nmap.org/book/man-legal.html