Script http-unsafe-output-escaping

Script types: portrule
Categories: discovery, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-unsafe-output-escaping.nse

Script Summary

Spiders a website and attempts to identify output escaping problems where content is reflected back to the user. This script locates all parameters, ?x=foo&y=bar and checks if the values are reflected on the page. If they are indeed reflected, the script will try to insert ghz>hzx"zxc'xcv and check which (if any) characters were reflected back onto the page without proper html escaping. This is an indication of potential XSS vulnerability.

See also:

• http-dombased-xss.nse
• http-stored-xss.nse
• http-phpself-xss.nse
• http-xssed.nse

Script Arguments

http-unsafe-output-escaping.withinhost

only spider URLs within the same host. (default: true)

http-unsafe-output-escaping.url

the url to start spidering. This is a URL relative to the scanned host eg. /default.html (default: /)

http-unsafe-output-escaping.maxdepth

the maximum amount of directories beneath the initial url to spider. A negative value disables the limit. (default: 3)

http-unsafe-output-escaping.withindomain

only spider URLs within the same domain. This widens the scope from withinhost and can not be used in combination. (default: false)

http-unsafe-output-escaping.maxpagecount

the maximum amount of pages to visit. A negative value disables the limit (default: 20)

slaxml.debug

See the documentation for the slaxml library.

httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost

See the documentation for the httpspider library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap --script=http-unsafe-output-escaping <target>

Script Output

PORT   STATE SERVICE REASON
| http-unsafe-output-escaping:
|   Characters [> " '] reflected in parameter kalle at http://foobar.gazonk.se/xss.php?foo=bar&kalle=john
|_  Characters [> " '] reflected in parameter foo at http://foobar.gazonk.se/xss.php?foo=bar&kalle=john

Requires

• http
• httpspider
• shortport
• stdnse
• table
• url

---

Author:

• Martin Holst Swende

License: Same as Nmap--See https://nmap.org/book/man-legal.html