Nmap Development mailing list archives

NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse


From: Bernd Stroessenreuther <berny1 () users sourceforge net>
Date: Tue, 12 Jan 2010 22:21:28 +0100

Hi David,

Thank You for Your ideas.

Thanks for writing! Sorry for taking so long to respond. Can you tell us
more about how this script is useful to you?

e.g. if You want to see if everything on Your network is as it should be, 
You might want to use nmap. If nmap tells You there is an open port 80 on a 
machine You use as a webserver, normally You don't worry about this.
But maybe someone did a misconfiguration on the webserver and did enable 
WebDAV; maybe You should worry, because now Your content is writeable.

This script is able to find out the difference.
Normally it reports only methods GET,HEAD,POST,OPTIONS,TRACE
but with WebDAV enabled it reports additional methods like PROPFIND, 
DELETE, ...

But sometimes this is a false positive, because the admin allows the additional 
methods of WebDAV only for certain users or from some IP addresses. That's 
what the retest is for.

Or maybe the security policy in Your company is to generally have TRACE 
disabled. With this script You can quickly verify it is.


I tried it and hit a little bug:

$ ./nmap --datadir . --script=HTTPallowedMethods.nse -p 80 -d www.bamsoftware.com
Initiating NSE at 11:49
NSE: NSE Script Threads (1) running:
NSE: Starting HTTPallowedMethods against 69.164.193.231:80.
NSE: HTTPallowedMethods.nse: HTTP Status for OPTIONS is 301 Moved Permanently
NSE: HTTPallowedMethods against 69.164.193.231:80 threw an error!
./scripts/HTTPallowedMethods.nse:114: attempt to concatenate local 'methods' (a nil value)
stack traceback:
        ./scripts/HTTPallowedMethods.nse:114: in function <./scripts/HTTPallowedMethods.nse:67>
        (tail call): ?

My web server is returning a 301 redirect for requests without a Host
header. The response doesn't contain an Allow header so the variable is
left nil.

It is fixed now. 403 did cause similar problems.

Some ideas for the script: You should rename it to fit the model of
other scripts; http-methods.nse perhaps.

Done.

Do you think it's a good idea 
to retest all the methods by default?

By default no retest is done. You have to ask for retests by a script option.

The script args should have names 
based on the name of the script, like http-methods.retest and
http-methods.url.

Tried these names, but they cause problems when used with nmap 5.00:

NSE: http-methods threw an error!
./http-methods.nse:77: attempt to index local 'methods' (a nil value)
stack traceback:
        ./http-methods.nse:77: in function <./http-methods.nse:67>
        (tail call): ?

I do not understand what is wrong there. Does anyone have a hint for me?
Meanwhile I left the old names.

It would be nice if you could use the http.lua module to make this
script work, because then it would add the Host header automatically and
use the HTTP cache. But looking now, I think the module is not yet up to
the task. What we need is a generic request function that takes a
method, a URL, a header table, and optionally a body. This function
would set the User-Agent and Host and anything else before sending the
request. I have some enhancements to the http library's parsing in a
branch that I'm going to merge after the next release. I think this
would be a good thing to add.

I think I will wait for Your enhancements, because they sound very helpful, 
and adapt my script afterwards to use http.lua.

I attached the new version of my script.

Bernd

Attachment: http-methods.nse
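As an added illustration of the check the script performs (this is not the attached script and not NSE code; a stand-alone Python sketch over constructed responses), the code below builds an OPTIONS request that carries a Host header, parses the reply, returns no method list instead of failing when Allow is absent (the 301/403 case above), and flags WebDAV methods and TRACE against a baseline:

```python
"""Stand-alone sketch of the http-methods check: parse an OPTIONS reply,
tolerate a missing Allow header, and classify the advertised methods."""
from typing import Dict, List, Optional, Tuple

# Methods a plain web server normally reports (from the thread).
BASELINE = {"GET", "HEAD", "POST", "OPTIONS", "TRACE"}
# WebDAV methods whose presence usually means content may be writable.
WEBDAV = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
          "LOCK", "UNLOCK", "PUT", "DELETE"}

def build_options_request(host: str, path: str = "/") -> bytes:
    """OPTIONS request with the Host header the server above redirected without."""
    return (f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: options-check (example)\r\nConnection: close\r\n\r\n").encode()

def parse_status_and_headers(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw response into status code and a lower-cased header map."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def allowed_methods(raw: bytes) -> Optional[List[str]]:
    """Methods from Allow, or None when the header is absent (e.g. 301/403)."""
    _status, headers = parse_status_and_headers(raw)
    allow = headers.get("allow")
    if allow is None:
        return None  # caller must handle this instead of concatenating nil
    return [m.strip().upper() for m in allow.split(",") if m.strip()]

def assess(methods: Optional[List[str]]) -> dict:
    """Report WebDAV methods, TRACE, and anything outside the baseline."""
    if methods is None:
        return {"allow_present": False, "webdav": [], "trace": False, "other": []}
    s = set(methods)
    return {"allow_present": True, "webdav": sorted(s & WEBDAV),
            "trace": "TRACE" in s, "other": sorted(s - BASELINE - WEBDAV)}

# Constructed sample responses (not captured from any real server).
RESP_PLAIN = b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Length: 0\r\n\r\n"
RESP_DAV = b"HTTP/1.1 200 OK\r\nAllow: OPTIONS, GET, HEAD, POST, PROPFIND, DELETE, PUT\r\nDAV: 1,2\r\n\r\n"
RESP_REDIRECT = b"HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.example.com/\r\nContent-Length: 0\r\n\r\n"
```

A retest as described in the thread would re-issue the request with different credentials or from another address and diff the two `assess` results.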

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
