Nmap Development mailing list archives

http-trace fails


From: Patrik Karlsson <patrik () cqure net>
Date: Wed, 28 Apr 2010 18:13:20 +0200

Hi all,

I'm having some trouble with the http-trace script missing hosts that actually have the TRACE method enabled.
I've been able to locate the problem and it occurs if the server does not return anything more than the TRACE / HTTP/1.0 line.
Here's an example of a server that fails:

--- snip ---
TRACE / HTTP/1.0

<HTTP/1.1 200 OK
Date: Wed, 28 Apr 2010 07:27:41 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0

--- snip ---

The current logic only returns a success if the HTTP data portion of the response is different from the original query.
An alternative method of detection would be to stuff a header with random contents into the request and look for it in the response:

--- snip ---
<TRACE / HTTP/1.0
T-CHECK: bf4c521519dab73291eb13f27e1eb53540a656dd

HTTP/1.1 200 OK
Date: Wed, 28 Apr 2010 16:11:10 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
T-CHECK: bf4c521519dab73291eb13f27e1eb53540a656dd

--- snip ---

Or the script could simply be corrected to handle the first request. Any thoughts?

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
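The random-marker detection proposed in the post, as an added example that is not part of the original message or of Nmap's http-trace script. It is written in Python rather than NSE Lua; the T-CHECK header name is taken from the post, the host name is a placeholder, and the sample response is constructed.

```python
import re
import secrets
import socket

MARKER_HEADER = "T-CHECK"  # header name from the post; its value is random per probe

def build_trace_request(host: str, path: str = "/", token: str = ""):
    """Build the TRACE probe and return (request bytes, token). A fresh random
    token means a page that merely echoes the request line cannot match it."""
    token = token or secrets.token_hex(20)
    request = (f"TRACE {path} HTTP/1.0\r\n"
               f"Host: {host}\r\n"
               f"{MARKER_HEADER}: {token}\r\n"
               f"Connection: close\r\n\r\n")
    return request.encode("ascii"), token

def trace_enabled(raw_response: bytes, token: str) -> bool:
    """Classify a raw TRACE response: enabled only when the status is 2xx and
    the random marker is echoed in the body. Unlike comparing the body with the
    original query, this catches a server whose body is exactly the request
    line (the case missed in the post) and rejects a 405/501 error page."""
    parts = re.split(rb"\r?\n\r?\n", raw_response, maxsplit=1)
    if len(parts) != 2:
        return False
    head, body = parts
    status = re.match(rb"HTTP/\d\.\d\s+(\d{3})", head)
    if not status or not 200 <= int(status.group(1)) < 300:
        return False
    return token.encode("ascii") in body

def probe(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Send the probe over a plain socket and classify the reply."""
    request, token = build_trace_request(host)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while data := sock.recv(4096):
            chunks.append(data)
    return trace_enabled(b"".join(chunks), token)

# Constructed sample shaped like the second exchange in the post.
SAMPLE_TOKEN = "bf4c521519dab73291eb13f27e1eb53540a656dd"
SAMPLE_ECHO = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n"
               b"Content-Type: message/http\r\n\r\n"
               b"TRACE / HTTP/1.0\r\nT-CHECK: " + SAMPLE_TOKEN.encode() + b"\r\n\r\n")

if __name__ == "__main__":
    print("TRACE enabled:", trace_enabled(SAMPLE_ECHO, SAMPLE_TOKEN))  # True
```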
