Nmap Development mailing list archives

Re: NSE script HTTPallowedMethods.nse


From: David Fifield <david () bamsoftware com>
Date: Tue, 12 Jan 2010 12:10:11 -0700

On Sat, Jan 02, 2010 at 06:43:40PM +0100, Bernd Stroessenreuther wrote:
> Hi everybody out there,
>
> I'm new to this list, so let me introduce myself. I'm Bernd from
> Germany and I participate in some open source projects other than
> nmap.
>
> I have written a little NSE script called HTTPallowedMethods.nse (for
> details see description in the script - I attached it) It is quite
> useful for me. So my question to the developers and other experienced
> hackers is: Do You think, it could be useful to someone else? If yes,
> I would like to contribute it.

Thanks for writing! Sorry for taking so long to respond. Can you tell us
more about how this script is useful to you?

I tried it and hit a little bug:

$ ./nmap --datadir . --script=HTTPallowedMethods.nse -p 80 -d www.bamsoftware.com
Initiating NSE at 11:49
NSE: NSE Script Threads (1) running:
NSE: Starting HTTPallowedMethods against 69.164.193.231:80.
NSE: HTTPallowedMethods.nse: HTTP Status for OPTIONS is 301 Moved Permanently
NSE: HTTPallowedMethods against 69.164.193.231:80 threw an error!
./scripts/HTTPallowedMethods.nse:114: attempt to concatenate local 'methods' (a nil value)
stack traceback:
        ./scripts/HTTPallowedMethods.nse:114: in function <./scripts/HTTPallowedMethods.nse:67>
        (tail call): ?

My web server is returning a 301 redirect for requests without a Host
header. The response doesn't contain an Allow header so the variable is
left nil.

Some ideas for the script: You should rename it to fit the model of
other scripts; http-methods.nse perhaps. Do you think it's a good idea
to retest all the methods by default? The script args should have names
based on the name of the script, like http-methods.retest and
http-methods.url.

It would be nice if you could use the http.lua module to make this
script work, because then it would add the Host header automatically and
use the HTTP cache. But looking now, I think the module is not yet up to
the task. What we need is a generic request function that takes a
method, a URL, a header table, and optionally a body. This function
would set the User-Agent and Host and anything else before sending the
request. I have some enhancements to the http library's parsing in a
branch that I'm going to merge after the next release. I think this
would be a good thing to add.

(We have the http.request function
(http://nmap.org/nsedoc/lib/http.html#request), but it takes a string
instead of a table so the request is not as easy to modify. Its
implementation also disagrees with the documentation--http.request used
to parse the answer before returning but it doesn't now. This is one of
the things that will be fixed when I merge the new code. I just noticed
that http-iis-webdav-vuln.nse appears to be broken because http.request
doesn't parse the result.)

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
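
The failure reported in the message above (an OPTIONS response with no Allow header) and the kind of request helper it asks for, sketched in plain Lua as an added example. This is not code from the attached script or from nmap's http.lua; the function names, the example-agent/0.1 User-Agent and the sample responses are assumptions made for illustration.

```lua
-- Added illustration in plain Lua; all function names here are hypothetical.
-- Build a raw request from a method, host, path, header table and optional body.
local function build_request(method, host, path, headers, body)
  local merged = { host = { "Host", host },
                   ["user-agent"] = { "User-Agent", "example-agent/0.1" } }
  for name, value in pairs(headers or {}) do
    merged[name:lower()] = { name, value }  -- caller's headers override defaults
  end
  if body then merged["content-length"] = { "Content-Length", tostring(#body) } end
  local keys = {}
  for key in pairs(merged) do keys[#keys + 1] = key end
  table.sort(keys)  -- deterministic header order
  local lines = { method .. " " .. path .. " HTTP/1.1" }
  for _, key in ipairs(keys) do
    lines[#lines + 1] = merged[key][1] .. ": " .. merged[key][2]
  end
  return table.concat(lines, "\r\n") .. "\r\n\r\n" .. (body or "")
end

-- Return the status code and the list of methods named in the Allow header.
-- The list is nil when the response carries no Allow header (e.g. a redirect).
local function allowed_methods(response)
  local status = tonumber(response:match("^HTTP/%d%.%d (%d%d%d)"))
  local head = response:match("^(.-)\r\n\r\n") or response
  local allow
  for line in head:gmatch("[^\r\n]+") do
    local name, value = line:match("^([^:]+):%s*(.-)%s*$")
    if name and name:lower() == "allow" then allow = allow and (allow .. "," .. value) or value end
  end
  if not allow then return status, nil end
  local methods = {}
  for m in allow:gmatch("[^,%s]+") do methods[#methods + 1] = m:upper() end
  return status, methods
end

local function report(response)
  local status, methods = allowed_methods(response)
  if not methods then return "no Allow header (status " .. tostring(status) .. ")" end
  return "allowed: " .. table.concat(methods, " ")
end

-- Constructed sample responses, not captured traffic.
local redirect = "HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.example.com/\r\n\r\n"
local ok = "HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS\r\nContent-Length: 0\r\n\r\n"

io.write(build_request("OPTIONS", "www.example.com", "/", { Accept = "*/*" }))
print(report(redirect))
print(report(ok))
```

The nil check in `report` is the guard whose absence produces the "attempt to concatenate local 'methods' (a nil value)" error shown in the debug output.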

