Nmap Development mailing list archives
Port specification in the location data returned from http-headers and html-title.nse
From: Tom Sellers <nmap () fadedcode net>
Date: Thu, 15 Oct 2009 17:56:41 -0500
This email is a combination of a request for comments as well as a reminder for myself.
Some time ago I noticed that the html-title.nse script did not return the proper
value for location when it was run against a web server running on a port other than
80.
For example:
nmap -sV --script=html-title.nse -p 8080 www.someserver.com
would return this
8080/tcp open http Apache httpd 2.0.46 ((Red Hat))
| html-title: My Site
|_ Requested resource was http://www.someserver.com/
That last line should actually be
|_ Requested resource was http://www.someserver.com:8080/
I noticed this due to a service I was seeing on a regular basis that redirects
via an HTTP 302 to a subdirectory on the same host and port.
Digging around a bit I see what I think is the cause in http.lua at the following lines in
the "buildGet" function:
    header = {
-->   Host = get_hostname(host),
      ["User-Agent"] = "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
    }
This syntax also shows up in a couple other, similar functions such as buildHead and
buildPost.
When building the headers to send, the hostname is set, but the port number is not on it.
The value of the Host: header is returned as part of the Location server header.
The result trickles down in the Location values of a couple scripts like html-title.nse
and http-headers.nse.
I did some preliminary testing and found that changing the line to
    Host = get_hostname(host) .. ":" .. port.number,  -- e.g. "www.someserver.com:8080"
corrected the problem without breaking anything.
If I am right, the fix seems to be easy. I don't have time at the moment to test this
change with the depth that it needs so I figured I would toss this out to see what you
folks had to say.
I will probably work on changing and testing this sometime this weekend.
Thanks,
Tom
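The behaviour described above, as an added stand-alone Lua example (not code from nmap's http.lua or from the mail): a small builder for the Host: header value and the "Requested resource" URL, plus a simulated server that echoes its Host header back into a 302 Location. It goes one step beyond the mail by omitting the port when it is the default for the scheme (80 for http, 443 for https), which is what RFC 2616 section 14.23 specifies for the Host header; the function names, the `ssl` flag and the sample hostname are assumptions for the example.

```lua
-- Added example, not the nmap http.lua code. Runs under plain Lua 5.x.
-- Build the Host: request header value. The port is appended with a
-- colon, and omitted only when it is the default for the scheme.
local DEFAULT_PORT = { http = 80, https = 443 }

local function build_host_header(hostname, port, ssl)
  local scheme = ssl and "https" or "http"
  if port == DEFAULT_PORT[scheme] then
    return hostname
  end
  return hostname .. ":" .. tostring(port)
end

-- What a script like html-title.nse should report as the requested resource.
local function requested_url(hostname, port, ssl, path)
  local scheme = ssl and "https" or "http"
  return scheme .. "://" .. build_host_header(hostname, port, ssl) .. (path or "/")
end

-- Constructed stand-in for the server seen in the mail: it builds its 302
-- Location from whatever Host: header the client sent.
local function redirect_location(host_header, subdir)
  return "http://" .. host_header .. subdir
end

-- Self-checks (hostname is a constructed sample, not a real target).
assert(build_host_header("www.someserver.com", 80, false) == "www.someserver.com")
assert(build_host_header("www.someserver.com", 8080, false) == "www.someserver.com:8080")
assert(build_host_header("www.someserver.com", 443, true) == "www.someserver.com")
assert(build_host_header("www.someserver.com", 8443, true) == "www.someserver.com:8443")
assert(requested_url("www.someserver.com", 8080, false) == "http://www.someserver.com:8080/")

-- Before the fix: Host: carries no port, so the redirect target loses it too
-- and a follow-up request would go to port 80 instead of 8080.
local before = redirect_location("www.someserver.com", "/app/")
assert(before == "http://www.someserver.com/app/")

-- After the fix: the redirect target keeps the port and can be followed.
local after = redirect_location(build_host_header("www.someserver.com", 8080, false), "/app/")
assert(after == "http://www.someserver.com:8080/app/")

print("all checks passed")
```

The default-port rule matters for the other direction of the bug: always appending the port would send "Host: www.someserver.com:80" for an ordinary scan, and a server that echoes Host into Location would then start reporting redirect targets with an explicit ":80" that the original never had.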
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Current thread:
- Port specification in the location data returned from http-headers and html-title.nse Tom Sellers (Oct 15)
- Re: Port specification in the location data returned from http-headers and html-title.nse David Fifield (Nov 09)
