source: trunk/plugins/nikto_apache_expect_xss.plugin @ 240

#VERSION,2.00
# $Id$
###############################################################################
#  Copyright (C) 2008 CIRT, Inc.
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; version 2
#  of the License only.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
###############################################################################
# PURPOSE:
# Test Apache's expect header XSS
###############################################################################
sub nikto_apache_expect_xss_init
{
   my $id =
   {
      name         => "apache_export_xss",
      full_name    => "Apache Expect XSS",
      author       => "Sullo",
      description  => "Checks whether the web servers has a cross-site scripting vulnerability through the Expect: HTTP header",
      scan_method  => \&nikto_apache_expect_xss,
      copyright    => "2008 CIRT Inc."
   };
   return $id;
}

sub nikto_apache_expect_xss
{
   my ($mark) = @_;
   my %headers=('Expect', '<script>alert(xss)</script>');
   (my $RES, $CONTENT) = nfetch($mark,"/", "GET", "", \%headers);

   if ($CONTENT =~ /<script>alert\(xss\)<\/script>/)
   {
      add_vulnerability($mark, "Apache is vulnerable to XSS via the Expect header", 999974, 27487);
   }
}

1;