指令摘要
檢查 Web 應用程序中的跨網域政策檔案(通常是/crossdomain.xml)和客戶端存取政策檔案(通常是/clientaccesspolicy.xml),這些政策檔案包含了哪些網域被允許或信任可以存取該應用程序的資源;過於寬鬆的設定可能會導致跨站請求偽造(Cross Site Request Forgery)攻擊的發生,並可能允許攻擊者存取敏感資料;這個指令也會列出可能可供購買的網域,這些網域可以被攻擊者購買,然後用於利用應用程序的漏洞。
這個指令會使用 instantdomainsearch.com 進行網域查詢,預設情況下,這個功能是關閉的,如果要啟用它,需要設定指令參數 http-cross-domain-policy.domain-lookup。
參考資料:
http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
指令參數
http-cross-domain-policy.domain-lookup
檢查網域是否可用的布林值,預設值為:false,如果設為 true,則會檢查網域的可用性。
slaxml.debug
請參閱slaxml 函式庫了解詳細資訊。
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
請參閱http 函式庫了解詳細資訊。
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
請參閱smbauth 函式庫了解詳細資訊。
vulns.short, vulns.showall
請參閱vulns 函式庫了解詳細資訊。
指令範例
nmap --script http-cross-domain-policy <target>
nmap -p 80 --script http-cross-domain-policy --script-args http-cross-domain-policy.domain-lookup=true <target>
指令輸出
PORT STATE SERVICE REASON
8080/tcp open http-proxy syn-ack
| http-cross-domain-policy:
| VULNERABLE:
| Cross-domain policy file (crossdomain.xml)
| State: VULNERABLE
| A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,
| etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy
| but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request
| Forgery attacks, and may allow third parties to access sensitive data meant for the user.
| Check results:
| /crossdomain.xml:
| <cross-domain-policy>
| <allow-access-from domain="*.example.com"/>
| <allow-access-from domain="*.exampleobjects.com"/>
| <allow-access-from domain="*.example.co.in"/>'
| </cross-domain-policy>
| /clientaccesspolicy.xml:
| <?xml version="1.0" encoding="utf8"?>
| </accesspolicy>
| <crossdomainaccess>
| <policy>
| <allowfrom httprequestheaders="SOAPAction">
| <domain uri="*"/>
| <domain uri="*.example.me"/>
| <domain uri="*.exampleobjects.me"/>
| </allowfrom>
| <granto>
| <resource path="/" includesubpaths="true"/>
| </granto>
| </policy>
| </crossdomainaccess>
| </accesspolicy>
| Extra information:
| Trusted domains:example.com, exampleobjects.com, example.co.in, *, example.me, exampleobjects.me
| Use the script argument 'domain-lookup' to find trusted domains available for purchase
| References:
| http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
| http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
| https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
| http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
| https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
|_ https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
作者:
Seth Art、Paulino Calderon、Gyanendra Mishra
License: Same as Nmap--See https://nmap.org/book/man-legal.html
隨選即看研討會
延伸閱讀
NetAlly 滲透測試及網路測試總覽 > CyberScope Nmap 滲透測試手持式網路分析儀,整合了 Nmap 功能,為站點存取層提供全面的網路安全風險評估、分析、和報告——包括所有的端點和網路探索、有線與無線網路安全、漏洞評估 (Nmap) 以及網段和配置驗證;IT 人員透過單一工具以及單一介面,即可快速且即時的掌握企業或組織的各種混合式網路環境 (有線、無線、PoE)、各種連網終端裝置的拓樸、架構、設定、網段、效能、直到網路安全評估。
Comments