Nmap NSE Category vulns Script: http-cross-domain-policy checks a web application's cross-domain and client access policy files
- Samuel

- March 13, 2024
- 2 min read
Updated: August 26, 2024
Script types: portrule
Download: https://svn.nmap.org/nmap/scripts/http-cross-domain-policy.nse
Nmap Script Summary
Checks the cross-domain policy file (/crossdomain.xml) and the client access policy file (/clientaccesspolicy.xml) of a web application and lists the trusted domains. Overly permissive settings enable Cross-Site Request Forgery attacks and may allow an attacker to access sensitive data.
This script helps detect overly permissive configurations, as well as trusted domain names that may be available for purchase and could be used to exploit the application.
The script queries instantdomainsearch.com to look up domain names. This feature is off by default; to enable it, set the script argument http-cross-domain-policy.domain-lookup.
References:
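To make the check concrete, here is an added Python example (not the NSE script's own code, which is Lua) that parses both policy files, lists the trusted domains the way the script's output does (with the leading "*." stripped), and flags the settings that make a policy overly permissive: a bare "*" domain, a wildcard over a whole TLD, secure="false", and allow-http-request-headers-from with domain="*" headers="*". The two policy documents are constructed samples using the documented element names (the Silverlight ones are hyphenated: access-policy, cross-domain-access, allow-from, grant-to, include-subpaths); no network access is needed.

```python
"""Audit crossdomain.xml and clientaccesspolicy.xml for overly permissive trust.

Added example written for this page; it is not the http-cross-domain-policy
NSE script's own code. The policy documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed sample of an Adobe cross-domain policy (Flash, Java, Reader clients).
CROSSDOMAIN_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample of a Silverlight client access policy.
CLIENTACCESSPOLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
        <domain uri="*.example.me"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""


def _root(xml_text):
    # Parse as bytes so an XML declaration carrying an encoding attribute is honoured.
    return ET.fromstring(xml_text.encode("utf-8"))


def strip_wildcard(pattern):
    """Reduce '*.example.com' to 'example.com', matching how the NSE output lists trusted domains."""
    p = pattern.strip().lower()
    return p[2:] if p.startswith("*.") else p


def is_overly_permissive(pattern):
    """True for a bare '*' (every origin) or a wildcard over a whole TLD such as '*.com'.

    Multi-label public suffixes (e.g. '*.co.in') would need a public-suffix list
    and are deliberately not flagged here.
    """
    p = pattern.strip().lower()
    if p == "*":
        return True
    return p.startswith("*.") and "." not in p[2:]


def parse_crossdomain(xml_text):
    """Return (domain, secure) pairs from every <allow-access-from> element."""
    out = []
    for el in _root(xml_text).iter("allow-access-from"):
        # secure="false" lets an http:// origin read data from an https:// site.
        secure = el.get("secure", "true").strip().lower() != "false"
        out.append((el.get("domain", ""), secure))
    return out


def parse_clientaccesspolicy(xml_text):
    """Return the uri attribute of every <domain> element under <allow-from>."""
    return [d.get("uri", "") for d in _root(xml_text).iter("domain")]


def audit(crossdomain_xml=None, clientaccesspolicy_xml=None):
    """Collect trusted domains from both files and flag permissive entries."""
    trusted, findings = set(), []
    if crossdomain_xml:
        for domain, secure in parse_crossdomain(crossdomain_xml):
            trusted.add(strip_wildcard(domain))
            if is_overly_permissive(domain):
                findings.append(f"/crossdomain.xml trusts {domain!r}")
            if not secure:
                findings.append(f'/crossdomain.xml allows non-TLS access (secure="false") from {domain!r}')
        for el in _root(crossdomain_xml).iter("allow-http-request-headers-from"):
            if el.get("domain") == "*" and el.get("headers") == "*":
                findings.append("/crossdomain.xml accepts any request header from any domain")
    if clientaccesspolicy_xml:
        for uri in parse_clientaccesspolicy(clientaccesspolicy_xml):
            trusted.add(strip_wildcard(uri))
            if is_overly_permissive(uri):
                findings.append(f"/clientaccesspolicy.xml trusts {uri!r}")
    return {
        "trusted_domains": sorted(trusted),
        "findings": findings,
        "vulnerable": bool(findings),
    }


if __name__ == "__main__":
    result = audit(CROSSDOMAIN_XML, CLIENTACCESSPOLICY_XML)
    print("Trusted domains:", ", ".join(result["trusted_domains"]))
    for finding in result["findings"]:
        print("-", finding)
```

Run on a live host, the two constants would be replaced by the bodies of GET /crossdomain.xml and GET /clientaccesspolicy.xml; the remediation the findings point at is to replace "*" with the specific origins that need access, keep secure="true", and restrict allowed request headers.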
http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
Nmap Script Arguments
http-cross-domain-policy.domain-lookup: Boolean value controlling whether to check if the trusted domain names are available. Default: false
slaxml.debug: see the documentation for the slaxml library.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent: see the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername: see the documentation for the smbauth library.
vulns.short, vulns.showall: see the documentation for the vulns library.
Nmap Script Example Usage
nmap --script http-cross-domain-policy <target>
nmap -p 80 --script http-cross-domain-policy --script-args http-cross-domain-policy.domain-lookup=true <target>
Nmap Script Output
PORT     STATE SERVICE    REASON
8080/tcp open  http-proxy syn-ack
| http-cross-domain-policy:
|   VULNERABLE:
|   Cross-domain policy file (crossdomain.xml)
|     State: VULNERABLE
|       A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,
|       etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy
|       but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request
|       Forgery attacks, and may allow third parties to access sensitive data meant for the user.
|     Check results:
|       /crossdomain.xml:
|         <cross-domain-policy>
|           <allow-access-from domain="*.example.com"/>
|           <allow-access-from domain="*.exampleobjects.com"/>
|           <allow-access-from domain="*.example.co.in"/>'
|         </cross-domain-policy>
|       /clientaccesspolicy.xml:
|         <?xml version="1.0" encoding="utf8"?>
|         </accesspolicy>
|           <crossdomainaccess>
|             <policy>
|               <allowfrom httprequestheaders="SOAPAction">
|                 <domain uri="*"/>
|                 <domain uri="*.example.me"/>
|                 <domain uri="*.exampleobjects.me"/>
|               </allowfrom>
|               <granto>
|                 <resource path="/" includesubpaths="true"/>
|               </granto>
|             </policy>
|           </crossdomainaccess>
|         </accesspolicy>
|     Extra information:
|       Trusted domains:example.com, exampleobjects.com, example.co.in, *, example.me, exampleobjects.me
|       Use the script argument 'domain-lookup' to find trusted domains available for purchase
|     References:
|_      https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
Nmap Script Authors
Seth Art <sethsec()gmail> Paulino Calderon <calderon()websec.mx> Gyanendra Mishra
License: Same as Nmap--See https://nmap.org/book/man-legal.html