Nmap Script Summary
Checks the cross-domain policy file (usually /crossdomain.xml) and the client access policy file (usually /clientaccesspolicy.xml) of a web application. These policy files list the domains that are allowed, or trusted, to access the application's resources; an overly permissive configuration can enable Cross-Site Request Forgery attacks and may allow an attacker to access sensitive data. The script also lists trusted domains that appear to be available for purchase, which an attacker could register and then use to exploit the application.
The script uses instantdomainsearch.com for the domain lookup. This check is disabled by default; to enable it, set the script argument http-cross-domain-policy.domain-lookup.
References:
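As an added example (not code from the NSE script or the Nmap project, and written in Python rather than the script's Lua), the program below performs the same kind of review offline on policy files you control: it parses both files, extracts the trusted domains the way the script's "Trusted domains" line reports them (leading "*." stripped), and flags the settings a reviewer would want to catch: a bare "*" origin, secure="false" on an allow-access-from rule, and permitted-cross-domain-policies="all". The two sample files are constructed from the policy files shown in the example output further down the page; the clientaccesspolicy.xml sample is made well-formed so the XML parser accepts it, and the function names are this example's own.

```python
"""Audit Flash (crossdomain.xml) and Silverlight (clientaccesspolicy.xml)
cross-domain policy files for overly permissive trust rules.

Added example for this page, not code from the http-cross-domain-policy NSE
script. Reproduces the "Trusted domains" extraction and adds review checks.
"""
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the two policy files in the script output
# (the Silverlight file is made well-formed here so that the XML parser accepts it).
CROSSDOMAIN_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*.exampleobjects.com"/>
  <allow-access-from domain="*.example.co.in"/>
</cross-domain-policy>
"""

CLIENTACCESSPOLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<accesspolicy>
  <crossdomainaccess>
    <policy>
      <allowfrom httprequestheaders="SOAPAction">
        <domain uri="*"/>
        <domain uri="*.example.me"/>
        <domain uri="*.exampleobjects.me"/>
      </allowfrom>
      <granto>
        <resource path="/" includesubpaths="true"/>
      </granto>
    </policy>
  </crossdomainaccess>
</accesspolicy>
"""


def crossdomain_rules(xml_text):
    """Return (domain, secure) pairs for every <allow-access-from> element.
    Per the Adobe specification 'secure' defaults to true; secure="false"
    lets plain-HTTP origins read an HTTPS resource."""
    root = ET.fromstring(xml_text)
    return [(el.get("domain", ""), el.get("secure", "true").lower() != "false")
            for el in root.iter("allow-access-from")]


def clientaccesspolicy_rules(xml_text):
    """Return the uri of every <domain> element found under <allowfrom>."""
    root = ET.fromstring(xml_text)
    return [d.get("uri", "") for af in root.iter("allowfrom") for d in af.iter("domain")]


def normalize(domain):
    """Strip a leading "*." so "*.example.com" is reported as "example.com",
    matching the 'Trusted domains' line of the script output; a bare "*" is kept.
    Silverlight uris may carry a scheme (e.g. "http://*.example.me"), which is dropped."""
    domain = domain.strip()
    if domain.startswith("*.") and len(domain) > 2:
        return domain[2:]
    if "://" in domain:
        return normalize(domain.split("://", 1)[1].rstrip("/"))
    return domain


def trusted_domains(cross_xml, client_xml):
    """Trusted domains from both files, de-duplicated, crossdomain.xml first."""
    seen, out = set(), []
    raw = [dom for dom, _ in crossdomain_rules(cross_xml)] + clientaccesspolicy_rules(client_xml)
    for d in raw:
        n = normalize(d)
        if n and n not in seen:
            seen.add(n)
            out.append(n)
    return out


def audit(cross_xml, client_xml):
    """Return a list of finding strings; an empty list means nothing permissive was seen."""
    findings = []
    site_control = ET.fromstring(cross_xml).find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies", "").lower() == "all":
        findings.append('crossdomain.xml: permitted-cross-domain-policies="all" '
                        'lets any file on the host be used as a policy file')
    for domain, secure in crossdomain_rules(cross_xml):
        if domain == "*":
            findings.append('crossdomain.xml: allow-access-from domain="*" trusts every origin')
        elif not secure:
            findings.append(f'crossdomain.xml: secure="false" for {domain} '
                            'lets HTTP origins read HTTPS content')
    for uri in clientaccesspolicy_rules(client_xml):
        if normalize(uri) == "*":
            findings.append('clientaccesspolicy.xml: <domain uri="*"/> trusts every origin')
    return findings


if __name__ == "__main__":
    print("Trusted domains:", ", ".join(trusted_domains(CROSSDOMAIN_XML, CLIENTACCESSPOLICY_XML)))
    for f in audit(CROSSDOMAIN_XML, CLIENTACCESSPOLICY_XML):
        print("FINDING:", f)
```

Run against the constructed samples, the trusted-domain list matches the one in the script output, and the single finding is the `uri="*"` entry in the Silverlight file; the wildcard subdomain rules are reported as trusted domains but not as findings, since whether every subdomain should be trusted is a judgement for the site owner.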
http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
Nmap Script Arguments
http-cross-domain-policy.domain-lookup
Boolean controlling whether to check domain availability. Default: false. When set to true, the script checks whether the trusted domains are available for registration.
slaxml.debug
See the slaxml library for details.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the http library for details.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the smbauth library for details.
vulns.short, vulns.showall
See the vulns library for details.
Nmap Script Example Usage
nmap --script http-cross-domain-policy <target>
nmap -p 80 --script http-cross-domain-policy --script-args http-cross-domain-policy.domain-lookup=true <target>
Nmap Script Output
PORT STATE SERVICE REASON
8080/tcp open http-proxy syn-ack
| http-cross-domain-policy:
| VULNERABLE:
| Cross-domain policy file (crossdomain.xml)
| State: VULNERABLE
| A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,
| etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy
| but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request
| Forgery attacks, and may allow third parties to access sensitive data meant for the user.
| Check results:
| /crossdomain.xml:
| <cross-domain-policy>
| <allow-access-from domain="*.example.com"/>
| <allow-access-from domain="*.exampleobjects.com"/>
| <allow-access-from domain="*.example.co.in"/>'
| </cross-domain-policy>
| /clientaccesspolicy.xml:
| <?xml version="1.0" encoding="utf8"?>
| </accesspolicy>
| <crossdomainaccess>
| <policy>
| <allowfrom httprequestheaders="SOAPAction">
| <domain uri="*"/>
| <domain uri="*.example.me"/>
| <domain uri="*.exampleobjects.me"/>
| </allowfrom>
| <granto>
| <resource path="/" includesubpaths="true"/>
| </granto>
| </policy>
| </crossdomainaccess>
| </accesspolicy>
| Extra information:
| Trusted domains:example.com, exampleobjects.com, example.co.in, *, example.me, exampleobjects.me
| Use the script argument 'domain-lookup' to find trusted domains available for purchase
| References:
| http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
| http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
| https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
| http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
| https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
|_ https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
Nmap Script Authors:
Seth Art, Paulino Calderon, Gyanendra Mishra
License: Same as Nmap--See https://nmap.org/book/man-legal.html