Nmap Development mailing list archives

Re: [NSE] new scripts and libraries: http


From: David Fifield <david () bamsoftware com>
Date: Mon, 6 Sep 2010 17:50:21 -0600

On Mon, Sep 06, 2010 at 06:00:14PM -0500, DePriest, Jason R. wrote:
> Re: return code for valid vs. invalid login
>
> All of the web apps developed in house by my employer return 200 OK on both
> success and failure.  This is by design.  Failed logins are redirected to a
> login page and the 403 error page is never displayed.
>
> Something like that would break this script.
>
> Would it be possible to have a user definable success / fail criteria that
> includes regex or custom return codes?

There are two different HTTP brute scripts. If you're talking about
forms-based authentication, http-form-brute already does that. (It looks
for a lack of a password box on the returned page.) The status code for
success doesn't come into play there. http-brute is for ordinary HTTP
authentication, and there the status code matters.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
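
The two success criteria described in the reply above, as an added example that is not part of the original message and is not code from the Nmap scripts. The function names and sample pages are constructed for illustration, and treating any non-401 status as "accepted" for ordinary HTTP authentication is an assumption.

```python
from html.parser import HTMLParser

# Constructed sample pages: both are served with "200 OK", as in the
# in-house applications described in the quoted message.
FAILED_PAGE = (
    '<html><body><p>Invalid login</p><form method="post" action="/login">'
    '<input name="user"><input type="PASSWORD" name="pass"></form></body></html>'
)
WELCOME_PAGE = (
    '<html><body><h1>Welcome, alice</h1><a href="/logout">Log out</a></body></html>'
)


class _PasswordFieldFinder(HTMLParser):
    """Records whether a page contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, but not values.
        if tag == "input":
            if (dict(attrs).get("type") or "").strip().lower() == "password":
                self.found = True


def has_password_field(body):
    finder = _PasswordFieldFinder()
    finder.feed(body)
    finder.close()
    return finder.found


def form_login_succeeded(status, body):
    """Forms-based login: the status code is deliberately ignored.

    Success is inferred from the lack of a password box on the returned page.
    """
    return not has_password_field(body)


def http_auth_succeeded(status):
    """Ordinary HTTP authentication: 401 means the credentials were rejected.

    Assumption for this example: any other status counts as accepted.
    """
    return status != 401
```

The form heuristic also reports success for any page that lacks a password box, such as an error page, so results from it are worth confirming by hand.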

