diff --git a/scripts/http-jsonp-detection.nse b/scripts/http-jsonp-detection.nse
index b62ee2959..d390a290c 100755
--- a/scripts/http-jsonp-detection.nse
+++ b/scripts/http-jsonp-detection.nse
@@ -1,3 +1,4 @@
+local nmap = require "nmap"
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
@@ -12,8 +13,8 @@ Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be
used to bypass Same-origin Policy restrictions in web browsers.
The script searches for callback functions in the response to detect JSONP
-endpoints. It also tries to determine callback function through URL(callback
-function may be fully or partially controllable from URL) and also tries to
+endpoints. It also tries to determine callback function through URL(callback
+function may be fully or partially controllable from URL) and also tries to
bruteforce the most common callback variables through the URL.
References : https://securitycafe.ro/2017/01/18/practical-jsonp-injection/
@@ -26,18 +27,18 @@ References : https://securitycafe.ro/2017/01/18/practical-jsonp-injection/
--
-- @output
-- 80/tcp open http syn-ack
--- | http-jsonp-detection:
--- | The following JSONP endpoints were detected:
+-- | http-jsonp-detection:
+-- | The following JSONP endpoints were detected:
-- |_/rest/contactsjp.php Completely controllable from URL
---
+--
--
-- @xmloutput
--
-- /rest/contactsjp.php
--
---
+--
-- @args http-jsonp-detection.path The URL path to request. The default path is "/".
----
+---
author = {"Vinamra Bhatia"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
@@ -49,10 +50,9 @@ local callbacks = {"callback", "cb", "jsonp", "jsonpcallback", "jcb", "call"}
--Checks the body and returns if valid json data is present in callback function
local checkjson = function(body)
-
- local func, json_data
- _, _, _, func, json_data = string.find(body, "^(%S-)([%w_]+)%((.*)%);?$")
-
+
+ local _, _, _, func, json_data = string.find(body, "^(%S-)([%w_]+)%((.*)%);?$")
+
--Check if the json_data is valid
--If valid, we have a JSONP endpoint with func as the function name
@@ -80,7 +80,7 @@ local callback_url = function(host, port, target, callback_variable)
report = "Completely controllable from URL"
else
local p = string.find(func, value)
- if p then
+ if p then
report = "Partially controllable from URL"
end
end
@@ -92,18 +92,18 @@ end
--The function tries to bruteforce through the most common callback variable
local callback_bruteforce = function(host, port, target)
local response, path, report
- for _,p in ipairs(callbacks) do
+ for _,p in ipairs(callbacks) do
path = target
path = path .. "?" .. p .. "=test"
response = http.get(host, port, path)
- if response and response.body and response.status and response.status==200 then
+ if response and response.body and response.status and response.status==200 then
local status, func
status, func = checkjson(response.body)
- if status == true then
+ if status == true then
report = callback_url(host, port, target, p)
- if report ~= nil then
+ if report ~= nil then
report = string.format("%s\t%s", target, report)
else
report = target
@@ -111,16 +111,16 @@ local callback_bruteforce = function(host, port, target)
break
end
end
- end
+ end
return report
-end
+end
action = function(host, port)
local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
local output_xml = stdnse.output_table()
output_xml = {}
output_xml['jsonp-endpoints'] = {}
- local output_str = "\nThe following JSONP endpoints were detected: "
+ local output_str = "\nThe following JSONP endpoints were detected: "
-- crawl to find jsonp endpoints urls
local crawler = httpspider.Crawler:new(host, port, path, {scriptname = SCRIPT_NAME})
@@ -136,7 +136,7 @@ action = function(host, port)
if (not(status)) then
if (r.err) then
return stdnse.format_output(false, r.reason)
- else
+ else
break
end
end
@@ -145,7 +145,7 @@ action = function(host, port)
target = url.parse(target)
target = target.path
- -- First we try to get the response and look for jsonp endpoint there
+ -- First we try to get the response and look for jsonp endpoint there
if r.response and r.response.body and r.response.status and r.response.status==200 then
local status, func, report
@@ -154,16 +154,16 @@ action = function(host, port)
if status == true then
--We have found JSONP endpoint
--Put it inside a returnable table.
- output_str = string.format("%s\n%s", output_str, target)
+ output_str = string.format("%s\n%s", output_str, target)
table.insert(output_xml['jsonp-endpoints'], target)
- --Try if the callback function is controllable from URL.
- report = callback_url(host, port, target)
+ --Try if the callback function is controllable from URL.
+ report = callback_url(host, port, target)
if report ~= nil then
output_str = string.format("%s\t%s", output_str, report)
end
- else
+ else
--Try to bruteforce through most comman callback URLs
report = callback_bruteforce(host, port, target)
@@ -171,14 +171,14 @@ action = function(host, port)
table.insert(output_xml['jsonp-endpoints'], target)
output_str = string.format("%s\n%s", output_str, report)
end
- end
+ end
- end
+ end
end
- --A way to print returnable
- if next(output_xml['jsonp-endpoints']) then
+ --A way to print returnable
+ if next(output_xml['jsonp-endpoints']) then
return output_xml, output_str
else
if nmap.verbosity() > 1 then
@@ -186,4 +186,4 @@ action = function(host, port)
end
end
-end
\ No newline at end of file
+end
diff --git a/scripts/puppet-naivesigning.nse b/scripts/puppet-naivesigning.nse
index f6a727291..f8736367d 100644
--- a/scripts/puppet-naivesigning.nse
+++ b/scripts/puppet-naivesigning.nse
@@ -1,5 +1,6 @@
local shortport = require "shortport"
local stdnse = require "stdnse"
+local string = require "string"
local http = require "http"
local table = require "table"
local io = require "io"