Nmap Development mailing list archives
Re: http-trace update
From: Fyodor <fyodor () insecure org>
Date: Mon, 27 Jun 2011 12:35:34 -0700
On Mon, Jun 13, 2011 at 11:54:05PM -0700, Paulino Calderon wrote:
Here is my new version of http-trace. This new version was created to fix some issues that were discussed a while ago:
Thanks Paulino! This looks good and works well in my testing. I receive output like: Nmap scan report for mit.edu (18.9.22.69) Host is up (0.10s latency). rDNS record for 18.9.22.69: WEB.MIT.EDU PORT STATE SERVICE 80/tcp open http | http-trace: TRACE is enabled | Headers: | Date: Mon, 27 Jun 2011 18:42:27 GMT | Server: Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j | Connection: close | Transfer-Encoding: chunked |_Content-Type: message/http I have a few suggestions: o It should probably be added to the "vuln" category. Even though it isn't a directly exploitable vulnerability in itself, I think people who do "--script vuln" will want to know about it. Keeping it in "discovery" seems fine too. o The headers in the example above don't really give us anything we couldn't get from http-headers. The question is whether there are cases where we do get extra, valuable information? I'd suggest: 1) If the trace-specific header information is unlikely to be useful beyond what we could get with http-headers, it should be removed or made to require debug level of at least one or something. 2) If the header information is likely to be useful in some cases, maybe we can build a list of "basic" headers to ignore, like the five above. That way the user only sees headers which are unusual and more likely to be worth noting. Once you deal with these issues, please do check the script in (replacing current http-trace). Cheers, Fyodor _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- http-trace update Paulino Calderon (Jun 13)
- Re: http-trace update Fyodor (Jun 27)
- Re: http-trace update Paulino Calderon (Jun 27)
- Re: http-trace update Fyodor (Jun 27)