Full Disclosure – Nessus Website Vulnerable to XSS

Posted by admin on Aug 11, 2010 in Full Disclosure, Month of Full Disclosure, WebAppSec, XSS
[Image: The Test Manager Nessus Cross Site Scripting Error]

Nessus is a product owned now by Tenable Network Security.

I had originally decided to do a month of Security Site Bugs, as most security sites have a higher level of site protection and are therefore more of a challenge for a researcher / tester to find bugs on, and let's face it, a lot of us do this for the challenge.

Due to the nature of the security business their sites are usually locked down fairly tight.

However, you can still find a good few issues here and there.

It would also seem that security sites are just as susceptible to code injections and other types of low hanging fruit.

And with that I give you:

Tenable Network Security / Nessus – All your Base are Belong to Us.

[Image: Tenable / Nessus All Your Base]

Bug details as follows:

Well, the security isn't that bad here; they do block a lot of tags. This means no script tags, no href tags, no iframe or frame tags and no img tags.

So I had to get a little creative, and hence you have the popular "all your base" meme.

This is done by first using a heading tag, which is not blocked; then I'm allowed to use div tags and object tags, and oh yeah, I'm also allowed to close the textarea tag.

Once I worked out what I could use, I put it all together. See below for the injection.

</TEXTAREA><div><h1>The Test Manager Month Of Security Site Bugs</h1><object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/8fvTxv46ano&amp;hl=en_GB&amp;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/8fvTxv46ano&amp;hl=en_GB&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object></div>

Now this is just a bit of fun rather than a fully exploitable bug. The reason is that I could not get it to work from the URL.

To get the XSS to work you first need to have an item in your shopping cart and then check out.

Then, once you're on the https://products.nessus.org/one-page-checkout.asp page, there is a payment information box. Just put your code into that box and check out. There is no need to fill in the rest of the form boxes; the injection works when the form reloads.
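As an added example (not from the original post), the following Python models the tag blocklist described above and shows why it fails in a textarea context: the post's payload contains none of the blocked tag names, yet once the field value is HTML-encoded on output the closing </TEXTAREA> is neutralised and nothing after it is parsed as markup. The blocklist contents, the field name and the shortened payload are assumptions made here.

```python
import html
import re

# The post's injection, shortened to its structural parts (constructed here
# from the payload quoted above; the blog's curly quotes are replaced by
# straight ones, and the YouTube URL parameters are dropped for brevity).
PAYLOAD = (
    '</TEXTAREA><div><h1>The Test Manager Month Of Security Site Bugs</h1>'
    '<object width="480" height="385">'
    '<param name="movie" value="http://www.youtube.com/v/8fvTxv46ano"></param>'
    '<embed src="http://www.youtube.com/v/8fvTxv46ano" '
    'type="application/x-shockwave-flash"></embed></object></div>'
)

# Constructed model of the blocklist the post describes: the form rejects
# script, a (href), iframe, frame and img tags and nothing else.
BLOCKED_TAGS = ("script", "a", "iframe", "frame", "img")
_BLOCKED_RE = re.compile(r"<\s*/?\s*(?:" + "|".join(BLOCKED_TAGS) + r")\b", re.I)
_ANY_TAG_RE = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)", re.I)


def blocklist_rejects(value: str) -> bool:
    """True if the naive tag blocklist would refuse this input."""
    return _BLOCKED_RE.search(value) is not None


def render_textarea(value: str, escape: bool) -> str:
    """Render the payment-information field as the reloaded form would.
    With escape=True the value is HTML-encoded for the textarea context,
    so '</TEXTAREA>' becomes '&lt;/TEXTAREA&gt;' and can no longer close it."""
    body = html.escape(value, quote=True) if escape else value
    return '<textarea name="payment_info">' + body + '</textarea>'


def injected_tags(rendered: str) -> list:
    """Tag names a browser would parse as markup instead of as textarea text.
    Textarea content is raw text up to the first </textarea>, so only what
    follows that first close tag (minus the form's own close tag) is live."""
    first_close = re.search(r"</\s*textarea\s*>", rendered, re.I)
    tail = rendered[first_close.end():]
    tail = re.sub(r"</\s*textarea\s*>\s*$", "", tail, flags=re.I)
    return sorted({t.lower() for t in _ANY_TAG_RE.findall(tail)})


if __name__ == "__main__":
    print("blocklist rejects payload:", blocklist_rejects(PAYLOAD))
    print("live tags, unescaped:", injected_tags(render_textarea(PAYLOAD, False)))
    print("live tags, escaped:  ", injected_tags(render_textarea(PAYLOAD, True)))
```

The point for a defender is that the fix is context-aware output encoding of the field value, not a longer list of forbidden tag names.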

Enjoy.

Martin H

The Test Manager.

