File http-phpself-xss
User Summary
Crawls a web server and attempts to find PHP files vulnerable to reflected
cross site scripting via the variable $_SERVER["PHP_SELF"].
This script crawls the web server to build a list of PHP files and then sends
an attack vector/probe to each of them to identify PHP_SELF cross site scripting
vulnerabilities. PHP_SELF XSS refers to reflected cross site scripting
vulnerabilities caused by a lack of sanitization of the variable
$_SERVER["PHP_SELF"] in PHP scripts. This variable is commonly
used in PHP scripts that display forms and wherever the script's file name is
needed.
Examples of Cross Site Scripting vulnerabilities in the variable $_SERVER[PHP_SELF]:
The attack vector/probe used is: /'"/>
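As an added illustration (not code from the script or the nmap project), a minimal PHP form with the defect the probe exercises, next to a hardened version and a simplified form of the reflection check; the function names and the sample PHP_SELF value are constructed for the example.

```php
<?php
// Added example, not code from http-phpself-xss or the nmap project.
// Assumes a PHP setup where a trailing path segment is accepted, so a request
// for /form.php/EXTRA leaves $_SERVER["PHP_SELF"] equal to "/form.php/EXTRA"
// with the extra segment passed through unencoded.

// VULNERABLE: PHP_SELF is written straight into an attribute. When the path
// ends in the probe /'"/>, the quote closes the action attribute and the />
// closes the tag, so whatever follows in the path lands in the page as markup.
function render_form_vulnerable(string $php_self): string
{
    return '<form method="post" action="' . $php_self . '">'
         . '<input type="submit" value="Go"></form>';
}

// HARDENED: htmlspecialchars() with ENT_QUOTES turns ', ", < and > into
// entities, so path data can no longer break out of the attribute.
// Using basename($_SERVER["SCRIPT_NAME"]) instead of PHP_SELF also works,
// because it never contains the appended path segment.
function render_form_safe(string $php_self): string
{
    $action = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<input type="submit" value="Go"></form>';
}

// Simplified (assumed) version of the check the script performs on each
// crawled PHP file: the file is flagged when the probe comes back in the
// response body unchanged.
function probe_reflected(string $body): bool
{
    return strpos($body, "'\"/>") !== false;
}

// Constructed PHP_SELF value for the crawled file /form.php with the probe appended.
$probed_self = "/form.php/'\"/>";

// The vulnerable rendering reflects the probe intact; the hardened rendering
// only contains the entity-encoded form, so the check does not match it.
var_dump(probe_reflected(render_form_vulnerable($probed_self)));
var_dump(probe_reflected(render_form_safe($probed_self)));
```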
Script Arguments
http-phpself-xss.timeout
Spidering timeout (default 10s).
http-phpself-xss.uri
URI (default /).
httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
See the documentation for the httpspider library.
vulns.short, vulns.showall
See the documentation for the vulns library.
slaxml.debug
See the documentation for the slaxml library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
Example Usage
nmap --script=http-phpself-xss -p80 <host>
nmap -sV --script http-phpself-xss <host>
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-phpself-xss:
|   VULNERABLE:
|   Unsafe use of $_SERVER["PHP_SELF"] in PHP files
|     State: VULNERABLE (Exploitable)
|     Description:
|       PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities.
|
|     Extra information:
|
|   Vulnerable files with proof of concept:
|     http://calder0n.com/sillyapp/three.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
|     http://calder0n.com/sillyapp/secret/2.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
|     http://calder0n.com/sillyapp/1.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
|     http://calder0n.com/sillyapp/secret/1.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
|   Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=calder0n.com
|     References:
|       https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
|_      http://php.net/manual/en/reserved.variables.server.php
Author: Paulino Calderon