Nmap Development mailing list archives

Re: NSE Script http-methods.nse


From: David Fifield <david () bamsoftware com>
Date: Thu, 18 Feb 2010 22:47:33 -0700

On Mon, Feb 01, 2010 at 12:25:37PM -0700, David Fifield wrote:
On Sat, Jan 30, 2010 at 09:11:01PM +0100, Bernd Stroessenreuther wrote:
Fyodor had some ideas for enhancement of the script, such as making it
default and only printing "interesting" methods in non-verbose mode.

Even if I'm not sure why some methods should be more interesting than others,
I'm prying. You surely know much better than I what nmap users find
interesting or useful...

The idea here is to make the script default, because if a server
supports DELETE or something, someone running with -sC probably wants to
see that. But for ordinary methods like GET and HEAD, the user probably
doesn't want to see those for every server. With one level of -v, the
script would print out all methods. Scripts that are listed by name
always get an increase of one -v automatically, so if you run
--script=http-methods, you will see all the methods for every server.
Here are some examples:

$ nmap -sC scanme.nmap.org -p 80
(No http-methods output.)

$ nmap --script=safe scanme.nmap.org -p 80
(No http-methods output.)

$ nmap -sC -v scanme.nmap.org -p 80
|_http-methods: OPTIONS / request returned: GET,HEAD,POST,OPTIONS,TRACE

$ nmap --script=http-methods scanme.nmap.org -p 80
|_http-methods: OPTIONS / request returned: GET,HEAD,POST,OPTIONS,TRACE

It's like, we want something like an http-dangerous-methods script,
which only highlights methods you don't expect to see on every web
server. But you also want a script to just give you a plain report of
what options the server supports. Maybe this script can do both? What do
you think?

I've implemented this in r16829. If the script doesn't find any methods
other than GET, HEAD, POST, OPTIONS, and TRACE, it doesn't produce any
output. In verbose mode, or if any other method is discovered, it prints
out all methods it finds. Scripts that are listed by name get an
automatic verbosity boost, so if you run with --script=http-methods, you
will always see all methods.

I decided to print all the methods, even the "uninteresting" ones, if
any method is shown, so that you have more examples to see if the error
code returned by one of the methods is anomalous.

The uninteresting set {GET, HEAD, POST, OPTIONS, TRACE} just comes from
a quick observation of a handful of web servers. I welcome suggestions
of methods to be removed from or added to the set.

I changed the output a bit. With the retest option on, it looks like
this:

80/tcp open  http
| http-methods: GET,HEAD,POST,OPTIONS,TRACE
| GET / -> HTTP/1.1 200 OK
| HEAD / -> HTTP/1.1 200 OK
| POST / -> HTTP/1.1 200 OK
| OPTIONS / -> HTTP/1.1 200 OK
|_TRACE / -> HTTP/1.1 200 OK

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
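The reporting rule David describes above (an OPTIONS response's Allow header is split into methods; nothing is printed unless a method outside the "uninteresting" set {GET, HEAD, POST, OPTIONS, TRACE} is found or verbosity is at least 1, with scripts selected by name getting a one-level boost), modelled in Python as an added example. This is not the http-methods.nse code itself; the function names, the `retest` mapping and the sample header values are assumptions constructed for illustration.

```python
# Added example, not the NSE script. Models the decision "print or stay
# silent" from the thread plus the retest-style output lines. Function
# names and sample data are constructed here, not taken from nmap.

# Methods seen on nearly every web server; on their own they are not
# worth reporting to a -sC user (set taken from the thread).
UNINTERESTING = {"GET", "HEAD", "POST", "OPTIONS", "TRACE"}


def parse_allow(header_value):
    """Split an Allow header such as 'GET, HEAD,POST' into an ordered,
    de-duplicated list of method tokens (whitespace stripped)."""
    methods = []
    for token in header_value.split(","):
        method = token.strip()
        if method and method not in methods:
            methods.append(method)
    return methods


def interesting_methods(methods):
    """Methods a user would want flagged on any server, i.e. anything
    outside the uninteresting set (compared case-insensitively)."""
    return [m for m in methods if m.upper() not in UNINTERESTING]


def effective_verbosity(verbosity, listed_by_name):
    """Scripts named explicitly with --script=... run one -v level higher."""
    return verbosity + (1 if listed_by_name else 0)


def http_methods_report(allow_header, verbosity=0, listed_by_name=False,
                        retest=None):
    """Return the output lines the script would emit, or None for silence.

    retest (optional, constructed) maps method -> status line, mirroring the
    'GET / -> HTTP/1.1 200 OK' lines produced with the retest option.
    """
    methods = parse_allow(allow_header)
    if not methods:
        return None
    quiet = effective_verbosity(verbosity, listed_by_name) < 1
    if quiet and not interesting_methods(methods):
        return None
    # Once anything is shown, all methods are listed, as the thread explains.
    lines = ["http-methods: " + ",".join(methods)]
    for m in methods:
        if retest and m in retest:
            lines.append("%s / -> %s" % (m, retest[m]))
    return lines
```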
