Re: NSE Script http-methods.nse

[Patrik Karlsson <patrik () cqure net>]

Hi,

I just ran the script against an IIS 6.0 of mine and noticed that it wasn't detecting PUT which I had enabled.
The reason for this is that PUT appears in the Public HTTP header rather than in the Allow header.

In my case the response to the OPTIONS request looks like this:
HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Feb 2010 12:45:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private

Here's some more info on the Public header:
http://www.w3.org/Protocols/HTTP/Object_Headers.html#public

Maybe the contents of the Public and Allow headers should be merged?

//Patrik


On 23 feb 2010, at 01.37, Fyodor wrote:

> On Mon, Feb 22, 2010 at 02:43:35PM -0700, David Fifield wrote:
> > On Sun, Feb 21, 2010 at 12:49:23AM +0100, Daniel Roethlisberger wrote:
> > > David Fifield <david () bamsoftware com> 2010-02-18:
> > >
> > > http://www.owasp.org/index.php/Cross_Site_Tracing
> >
> > Okay, sounds good. I was not aware of that possibility. I removed TRACE
> > from the uninteresting set.
>
> I agree that TRACE can be interesting, and probably is worth noting.
> But we need to take extra care in the output of this script, as (per
> Bernd's research) it will now output on more than half of all web
> servers encountered.  Right now it looks like this against
> scanme.nmap.org:
>
> 80/tcp    open   http    Apache httpd 2.2.3 ((CentOS))
> |_http-methods: GET,HEAD,POST,OPTIONS,TRACE
> |_html-title: Go ahead and ScanMe!
>
> It takes a pretty experienced user to get anything useful out of the
> http-methods line here.  I think most users would immediately gloss
> over that line, rather than thinking "uh-oh, that list contains TRACE
> which can be a vector for defeating httpOnly cookies on systems with
> XSS vulns).  If TRACE triggered the output, I think we should make
> that clear and also provide a reference to the issue.
>
> Speaking of which, here is a useful OWASP page which describes the
> risks of various HTTP methods:
>
> http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
>
> I'm not sure what the best output would be, but one idea would be to
> only include the current (full list of methods) line in verbose mode,
> but (even in non-verbose) list the potentially risky methods supported
> and provide a link to the nsedoc page for more information.
>
> Of course the nsedoc would have to be updated to give more information
> about what methods are dangerous and why.  Much of that information is
> on the Owasp Testing_for_HTTP_Methods_and_XST page (which the nsedoc
> should link to).  For example:
>
> | http-methods: Supports potentially risky methods: TRACE, DELETE
> |_   See: http://nmap.org/nsedoc/scripts/http-methods.html
>
> Also, as mentioned in this OWASP page and also touched on in David's
> email, it might be worth trying a bogus method and reporting if it
> works (gives a 200 response).  Or I suppose we could save that for
> some sort of general http vuln script later.
>
> Anyone want to try and implement this?  http-methods is a simple but
> important script, so its a good way to get started on NSE!
>
> Cheers,
> Fyodor
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/