[nexpose-users] Writing Vulnerability Checks Document
Chad Loder
Chad_Loder at rapid7.com
Mon Mar 22 09:27:11 PDT 2010
Hi Mark.
This sounds like it should be fairly easy to accomplish via an HTTP POST request with form
encoding. See the example below. Note the use of the XML CDATA construct to surround
the POSTed values which contain ampersand - ampersand is a special character in XML.
I've assumed in the example below that the login form ACTION is set to /cgi-bin/login.cgi.
You will need to change this for your particular application.
I'm assuming that the login form, when successful, returns an HTTP 302 response and sets
the location header to something matching the string "home.html". If you're not sure,
you can always use the Firefox LiveHTTPHeaders plugin while you log in via your browser.
<VulnerabilityCheck id="cmty-my-custom-web-interface-default-password" scope="endpoint">
  <NetworkService type="HTTP|HTTPS">
    <Product name="Apache"/>
  </NetworkService>
  <HTTPCheck>
    <HTTPRequest method="POST">
      <URI>/cgi-bin/login.cgi</URI>
      <mimeContent type="application/x-www-form-urlencoded">
        <value>
          <![CDATA[user=admin&password=password&hiddenField=hiddenValue&submit=login]]>
        </value>
      </mimeContent>
    </HTTPRequest>
    <HTTPResponse code="302">
      <HTTPHeader name="Location"><regex>home\.html</regex></HTTPHeader>
    </HTTPResponse>
  </HTTPCheck>
</VulnerabilityCheck>
Does this make sense? Let us know how it works for you.
Thanks,
Chad Loder
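As an added illustration of the two points in the reply above (the CDATA wrapper around a form body containing ampersands, and matching a 302 whose Location header contains home.html), the following Python is not from Chad's message or from NeXpose itself. It parses a check definition built from the one above, shows that the same definition with a bare "&" is not well-formed XML, shows the "&amp;" alternative, and models the HTTPResponse matching step. The matcher is an assumption written for this example; NeXpose's own matching engine is not shown on the page, and the response headers fed to it are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# Constructed check definition mirroring the one in the reply. A raw string
# keeps the regex backslash in home\.html intact.
CHECK_XML = r"""
<VulnerabilityCheck id="cmty-my-custom-web-interface-default-password" scope="endpoint">
  <NetworkService type="HTTP|HTTPS">
    <Product name="Apache"/>
  </NetworkService>
  <HTTPCheck>
    <HTTPRequest method="POST">
      <URI>/cgi-bin/login.cgi</URI>
      <mimeContent type="application/x-www-form-urlencoded">
        <value><![CDATA[user=admin&password=password&hiddenField=hiddenValue&submit=login]]></value>
      </mimeContent>
    </HTTPRequest>
    <HTTPResponse code="302">
      <HTTPHeader name="Location"><regex>home\.html</regex></HTTPHeader>
    </HTTPResponse>
  </HTTPCheck>
</VulnerabilityCheck>
"""

# Same definition with the CDATA wrapper stripped: each bare '&' in the form
# body is now read by the XML parser as the start of an entity reference.
UNWRAPPED_XML = CHECK_XML.replace("<![CDATA[", "").replace("]]>", "")

# The other correct option: escape every '&' as '&amp;'. The only ampersands
# in this document are in the form body, so a global replace is safe here.
ESCAPED_XML = UNWRAPPED_XML.replace("&", "&amp;")


def is_well_formed(xml_text):
    """True if the XML parses; a bare '&' in character data makes this False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def request_body(check_xml):
    """Return the form-encoded body the check will POST, as the parser sees it."""
    root = ET.fromstring(check_xml)
    return root.findtext("./HTTPCheck/HTTPRequest/mimeContent/value").strip()


def form_fields(check_xml):
    """Decode the body into fields, e.g. {'user': ['admin'], ...}."""
    return parse_qs(request_body(check_xml), keep_blank_values=True)


def encode_form(fields):
    """Build a body from a dict; urlencode escapes '&', '=' and spaces in values."""
    return urlencode(fields)


def response_matches(check_xml, status, headers):
    """Model of the HTTPResponse clause: the status code must equal the 'code'
    attribute and every HTTPHeader regex must be found in that header's value.
    This matcher is an assumption for the example, not NeXpose's engine."""
    root = ET.fromstring(check_xml)
    resp = root.find("./HTTPCheck/HTTPResponse")
    if str(status) != resp.get("code"):
        return False
    # Header names are case-insensitive, so compare them lowercased.
    lowered = {k.lower(): v for k, v in headers.items()}
    for hdr in resp.findall("HTTPHeader"):
        value = lowered.get(hdr.get("name").lower())
        if value is None or not re.search(hdr.findtext("regex"), value):
            return False
    return True


if __name__ == "__main__":
    print("CDATA version well-formed:", is_well_formed(CHECK_XML))
    print("bare '&' version well-formed:", is_well_formed(UNWRAPPED_XML))
    print("&amp; version body:", request_body(ESCAPED_XML))
    print("fields:", form_fields(CHECK_XML))
    print("body with '&' inside a value:", encode_form({"user": "admin", "password": "p&ss=word"}))
    # Constructed responses: a redirect to the home page, a bounce back to the login page.
    print("redirect to home:", response_matches(CHECK_XML, 302, {"Location": "http://192.0.2.10/home.html"}))
    print("bounce to login:", response_matches(CHECK_XML, 302, {"Location": "/cgi-bin/login.cgi?err=1"}))
    print("200 login page:", response_matches(CHECK_XML, 200, {"Content-Type": "text/html"}))
```

Either CDATA or "&amp;" escaping gives the parser the same body; what must not happen is a bare "&" in element text. The encode_form helper also shows why building the body with urlencode is safer than hand-writing it when a credential itself contains "&" or "=".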
From: nexpose-users-bounces at lists.rapid7.com [mailto:nexpose-users-bounces at lists.rapid7.com] On Behalf Of Mark Manning
Sent: Monday, March 22, 2010 8:11 AM
To: nexpose-users at lists.rapid7.com
Subject: [nexpose-users] Writing Vulnerability Checks Document
Hey guys,
I'm new to the list and just starting to dig deeper into Nexpose. The wiki's been helpful for giving examples of writing your own vulnerability checks but I was wondering if there was some complete documentation somewhere.
One check I wanted to write was for a web interface that was using a default password. Basically it's a POST to an HTTP page with a user=admin&password=password type thing. If it logs in, you are redirected to home.html; if not, you're reverted back to the login screen. Does that seem possible?
--Mark