Nmap Development mailing list archives
Re: NSE script HTTPallowedMethods.nse
From: David Fifield <david () bamsoftware com>
Date: Tue, 12 Jan 2010 12:10:11 -0700
On Sat, Jan 02, 2010 at 06:43:40PM +0100, Bernd Stroessenreuther wrote:
Hi everybody out there, I'm new to this list, so let me introduce myself. I'm Bernd from Germany and I participate in some open source projects other than nmap. I have written a little NSE script called HTTPallowedMethods.nse (for details see description in the script - I attached it) It is quite useful for me. So my question to the developers and other experienced hackers is: Do You think, it could be useful to someone else? If yes, I would like to contribute it.
Thanks for writing! Sorry for taking so long to respond. Can you tell us more about how this script is useful to you? I tried it and hit a little bug: $ ./nmap --datadir . --script=HTTPallowedMethods.nse -p 80 -d www.bamsoftware.com Initiating NSE at 11:49 NSE: NSE Script Threads (1) running: NSE: Starting HTTPallowedMethods against 69.164.193.231:80. NSE: HTTPallowedMethods.nse: HTTP Status for OPTIONS is 301 Moved Permanently NSE: HTTPallowedMethods against 69.164.193.231:80 threw an error! ./scripts/HTTPallowedMethods.nse:114: attempt to concatenate local 'methods' (a nil value) stack traceback: ./scripts/HTTPallowedMethods.nse:114: in function <./scripts/HTTPallowedMethods.nse:67> (tail call): ? My web server is returning a 301 redirect for requests without a Host header. The response doesn't contain an Allow header so the variable is left nil. Some ideas for the script: You should rename it to fit the model of other scripts; http-methods.nse perhaps. Do you think it's a good idea to retest all the methods by default? The script args should have names based on the name of the script, like http-methods.retest and http-methods.url. It would be nice if you could use the http.lua module to make this script work, because then it would add the Host header automatically and use the HTTP cache. But looking now, I think the module is not yet up to the task. What we need is a generic request function that takes a method, a URL, a header table, and optionally a body. This function would set the User-Agent and Host and anything else before sending the request. I have some enhancements to the http library's parsing in a branch that I'm going to merge after the next release. I think this would be a good thing to add. (We have the http.request function (http://nmap.org/nsedoc/lib/http.html#request), but it takes a string instead of table so the request is not as easy to modify. Its implementation also disagrees with the documentation--http.request used to parse the answer before returning but it doesn't now. This is one of the things that will be fixed when I merge the new code. I just noticed that http-iis-webdav-vuln.nse appears to be broken because http.request doesn't parse the result.) David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 02)
- Re: NSE script HTTPallowedMethods.nse David Fifield (Jan 12)
- NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 12)
- Re: NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 27)
- Re: NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse David Fifield (Jan 29)
- Re: NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 30)
- Re: NSE Script http-methods.nse David Fifield (Feb 01)
- Re: NSE Script http-methods.nse David Fifield (Feb 18)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 19)
- Re: NSE Script http-methods.nse David Fifield (Feb 19)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 19)
- Re: NSE Script http-methods.nse David Fifield (Feb 19)
- NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 12)
- Re: NSE script HTTPallowedMethods.nse David Fifield (Jan 12)