Penetration Tester's Open Source Toolkit

One of the best ways to learn how to write and design NASL scripts is to learn by example and to analyze the code behind well-written scripts. In this section, we analyze a couple of scripts by first analyzing the vulnerability itself and then examining the NASL implementation of the vulnerability check. In doing so, we will gain a better understanding of both the NASL language syntax and how it is used in the real world.
The first vulnerability that we will examine affects Microsoft's IIS Servers 4.0 and 5.0. The IIS Web server exposes an interface called the Internet Server Application Programming Interface (ISAPI) that allows programmers to develop customized and tightly integrated applications for IIS Server. One feature of ISAPI is the ability to write libraries that handle particular file extensions; in our particular case, the library of interest is the included ISM.DLL, which handles the .HTR file extension. A maliciously crafted URL aimed at this extension can cause a denial of service in IIS 4 or arbitrary code execution in IIS 5.0 and 5.1. For more information about the vulnerability, refer to www.osvdb.org/displayvuln.php?osvdb_id=3325.
For this particular vulnerability, the overall logic of the check is as follows:

1. Provide detailed author, credit, and revision history.
2. Build the description information.
3. Identify any IIS Web servers.
4. Attempt to access a nonexistent file with the .HTR extension.
5. Based on the response of the Web server, issue a security alert.
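The five steps above, written out as an added NASL skeleton (this is example code for this section, not the script the chapter analyzes and not a Nessus plugin); the plugin ID, the request path, and the response test used in step 5 are assumptions for illustration:

```nasl
#
# Added example: skeleton of an IIS .HTR (ISM.DLL) check built on the
# five steps above. Not the plugin from the book or from Nessus.
# Revision history: 1.0 - initial example (steps 1 and 2 are this header and the description block)
#
if (description)
{
  script_id(99999);                     # placeholder ID, not a real plugin number
  script_version("1.0");
  script_name(english:"IIS .HTR extension (ISM.DLL) still mapped");
  desc = "
The remote IIS server still passes .HTR requests to the ISM.DLL ISAPI
extension. A specially crafted URL can crash IIS 4.0 or execute
arbitrary code on IIS 5.0 and 5.1.

Solution : Remove the .HTR application mapping from the IIS configuration.
Risk factor : High";
  script_description(english:desc);
  script_summary(english:"Requests a nonexistent .htr file and inspects the reply");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");
  script_copyright(english:"Example code added to this section");
  script_dependencies("find_service.nes", "http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

# Step 3: only test servers whose banner identifies them as IIS.
port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);
banner = get_http_banner(port:port);
if (!banner || !egrep(pattern:"^Server: *Microsoft-IIS", string:banner)) exit(0);

# Step 4: request a file that cannot exist but carries the .HTR extension.
req = http_get(item:"/nasl_example_does_not_exist.htr", port:port);
res = http_keepalive_send_recv(port:port, data:req);
if (!res) exit(0);

# Step 5: decide from the reply. Assumption used here for illustration: when
# the .HTR mapping has been removed, IIS answers with its own plain 404; any
# other reply means the request reached ISM.DLL, so the mapping is active.
# A real plugin takes its response signature from the script under analysis.
if (egrep(pattern:"^HTTP/1\.[01] 404 ", string:res)) exit(0);
security_hole(port:port);
```

The script only probes for a nonexistent file and never sends a malformed URL, so running it against a server you administer is safe; the finding tells you whether the .HTR mapping still needs to be removed.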