Nmap Development mailing list archives
Re: NSE Script http-methods.nse
From: Fyodor <fyodor () insecure org>
Date: Mon, 22 Feb 2010 16:37:47 -0800
On Mon, Feb 22, 2010 at 02:43:35PM -0700, David Fifield wrote:
> On Sun, Feb 21, 2010 at 12:49:23AM +0100, Daniel Roethlisberger wrote:
> > David Fifield <david () bamsoftware com> 2010-02-18:
> > http://www.owasp.org/index.php/Cross_Site_Tracing
>
> Okay, sounds good. I was not aware of that possibility. I removed TRACE from the uninteresting set.

I agree that TRACE can be interesting, and probably is worth noting. But we need to take extra care in the output of this script, as (per Bernd's research) it will now output on more than half of all web servers encountered. Right now it looks like this against scanme.nmap.org:

80/tcp open http Apache httpd 2.2.3 ((CentOS))
|_http-methods: GET,HEAD,POST,OPTIONS,TRACE
|_html-title: Go ahead and ScanMe!

It takes a pretty experienced user to get anything useful out of the http-methods line here. I think most users would immediately gloss over that line, rather than thinking "uh-oh, that list contains TRACE which can be a vector for defeating httpOnly cookies on systems with XSS vulns". If TRACE triggered the output, I think we should make that clear and also provide a reference to the issue. Speaking of which, here is a useful OWASP page which describes the risks of various HTTP methods:

http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29

I'm not sure what the best output would be, but one idea would be to only include the current (full list of methods) line in verbose mode, but (even in non-verbose) list the potentially risky methods supported and provide a link to the nsedoc page for more information. Of course the nsedoc would have to be updated to give more information about what methods are dangerous and why. Much of that information is on the OWASP Testing_for_HTTP_Methods_and_XST page (which the nsedoc should link to). For example:

| http-methods: Supports potentially risky methods: TRACE, DELETE
|_ See: http://nmap.org/nsedoc/scripts/http-methods.html

Also, as mentioned in this OWASP page and also touched on in David's email, it might be worth trying a bogus method and reporting if it works (gives a 200 response). Or I suppose we could save that for some sort of general http vuln script later.

Anyone want to try and implement this? http-methods is a simple but important script, so it's a good way to get started on NSE!

Cheers,
Fyodor
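
The output scheme proposed in the message above, written out in plain Lua as an added example (it is not code from this thread or from the actual http-methods.nse). It assumes the "uninteresting" set is GET, HEAD, POST, OPTIONS and that the method list arrives as an Allow header value; `parse_methods`, `format_output` and the `verbose` flag are hypothetical names.

```lua
-- Added example: non-verbose output lists only the potentially risky methods
-- plus a reference link; verbose output also carries the full method list.
-- Assumption: the "uninteresting" set is GET, HEAD, POST, OPTIONS.
local UNINTERESTING = { GET = true, HEAD = true, POST = true, OPTIONS = true }
local NSEDOC = "http://nmap.org/nsedoc/scripts/http-methods.html"

-- Split a header value into upper-cased, de-duplicated method names.
local function parse_methods(header)
  local methods, seen = {}, {}
  for token in (header or ""):gmatch("[^,%s]+") do
    local m = token:upper()
    if not seen[m] then
      seen[m] = true
      methods[#methods + 1] = m
    end
  end
  return methods
end

-- Build the output text, or nil when there is nothing worth reporting.
-- verbose is a boolean (hypothetical parameter; a real NSE script would
-- take the verbosity level from Nmap itself).
local function format_output(header, verbose)
  local methods = parse_methods(header)
  local risky = {}
  for _, m in ipairs(methods) do
    if not UNINTERESTING[m] then risky[#risky + 1] = m end
  end
  local lines = {}
  if verbose and #methods > 0 then
    lines[#lines + 1] = table.concat(methods, ",")
  end
  if #risky > 0 then
    lines[#lines + 1] = "Supports potentially risky methods: "
      .. table.concat(risky, ", ")
    lines[#lines + 1] = "See: " .. NSEDOC
  end
  if #lines == 0 then return nil end
  return table.concat(lines, "\n")
end

-- Constructed sample header values; the first is the scanme.nmap.org list.
for _, case in ipairs({
  { "GET,HEAD,POST,OPTIONS,TRACE", false },
  { "GET, HEAD, POST, OPTIONS", false },
  { "get, put, delete, trace", true },
}) do
  print(("Allow: %s (verbose=%s)"):format(case[1], tostring(case[2])))
  print(format_output(case[1], case[2]) or "(no output)")
end
```

A server that advertises only the uninteresting methods produces no output in non-verbose mode, which keeps the line from appearing on hosts where there is nothing to act on.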