Nmap Development mailing list archives
Re: http-cors, new NSE script for detecting cross-origin http access
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Sat, 18 Jun 2011 18:44:35 +0300
To clarify a bit, you would not want your intranet services to be cross-origin accessible, as any one of your users' websites could in that case access them. For example, you do not want to provide an interface that lets evilhaxor.net modify your firewall settings. In most cases it is perfectly ok for world readable/writable interfaces to be cross-origin accessible.

On Sat, Jun 18, 2011 at 12:47 AM, Toni Ruottu <toni.ruottu () iki fi> wrote:

hello

I wrote a simple script which uses CORS to figure out cross-origin accessible methods on an http server. It seems to work against the http interface of an OpenLookup server, but it needs to be tested against other servers with CORS policies.

Feel free to try it against my OpenLookup server by running the following command...

    nmap -sV -p 5851 --script http-cors javascript0.org

Please report your results against other targets to the mailing list.

Cheers,
--Toni
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
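Added example, not part of the original post and not the http-cors script's own code: one way to audit CORS preflight responses from your own services and flag intranet services that grant methods to a foreign origin, as the reply above warns against. The probe origin, the function names and the sample response headers are assumptions constructed for illustration.

```python
# Audit CORS preflight responses: which methods does a service grant to a
# foreign origin? All names and sample data here are constructed.
PROBE_ORIGIN = "http://example.com"  # assumed arbitrary foreign origin
METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE")


def preflight_request(method, origin=PROBE_ORIGIN):
    """Headers a browser adds to the OPTIONS preflight for `method`."""
    return {"Origin": origin, "Access-Control-Request-Method": method}


def grants(resp_headers, method, origin=PROBE_ORIGIN):
    """True if the preflight response lets `origin` use `method`."""
    h = {k.lower(): v.strip() for k, v in resp_headers.items()}
    acao = h.get("access-control-allow-origin", "")
    if acao not in ("*", origin):  # origin neither wildcarded nor echoed
        return False
    raw = h.get("access-control-allow-methods", "")
    allowed = {m.strip().upper() for m in raw.split(",")}
    return method in allowed


def audit(responses, intranet):
    """responses maps method -> preflight response headers for one service.

    Returns the granted methods and whether the service needs review:
    an intranet service granting anything cross-origin is flagged, a
    world-readable/writable one is not.
    """
    methods = sorted(m for m in METHODS if grants(responses.get(m, {}), m))
    return {"methods": methods, "review": intranet and bool(methods)}


# Constructed sample: intranet firewall UI that echoes any Origin back.
FIREWALL_UI = {
    m: {"Access-Control-Allow-Origin": PROBE_ORIGIN,
        "Access-Control-Allow-Methods": "POST, PUT"}
    for m in ("POST", "PUT")
}
# Constructed sample: public lookup service, readable by design.
PUBLIC_LOOKUP = {
    "GET": {"access-control-allow-origin": "*",
            "access-control-allow-methods": "GET"},
}

if __name__ == "__main__":
    print("firewall ui  :", audit(FIREWALL_UI, intranet=True))
    print("public lookup:", audit(PUBLIC_LOOKUP, intranet=False))
```

Collect the response headers by sending an OPTIONS request carrying the headers from preflight_request() to each service you operate, then pass them to audit().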
Current thread:
- http-cors, new NSE script for detecting cross-origin http access Toni Ruottu (Jun 17)
- Re: http-cors, new NSE script for detecting cross-origin http access Toni Ruottu (Jun 18)