Re: http-methods.nse implementation

[David Fifield <david () bamsoftware com>]

On Tue, Mar 08, 2011 at 02:57:57PM +0100, Vlatko Kosturjak wrote:
> On 03/08/2011 02:49 PM, Rob Nicholls wrote:
> > On Tue, 8 Mar 2011 15:33:48 +0200, Josh Amishav-Zlatin wrote:
> > > Would it make more sense for the
> > > script to have a base list of methods that it checks for regardless of
> > > whether OPTIONS is enabled or not and then appends that list based on
> > > the results of an OPTIONS request?
> >
> > I'd prefer not to trust OPTIONS at all, and perhaps rename the existing
> > option or add something like http-methods.force or http-methods.thorough
> > to test a long hardcoded base list of methods like you suggest. The
> > current "retest" option doesn't really retest the methods, it simply
> > performs a more thorough test based on the original OPTIONS response
> > (which, as you point out, could be inaccurate).
>
> I think we discussed this already some time ago:
> http://seclists.org/nmap-dev/2010/q1/618
> ...and I remember, decision was to have it like this.

I don't know, I think it's fine to test from a static set of method
names (including invalid names). If someone writes a good patch I think
we'd accept it. It just perhaps shouldn't be default.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/