Nmap Development mailing list archives
RE: http-methods & http-trace NSE Script Enhancement Ideas
From: King Thorin <kingthorin () hotmail com>
Date: Wed, 23 May 2012 15:31:28 -0400
Date: Wed, 23 May 2012 20:03:30 +0200 Subject: Re: http-methods & http-trace NSE Script Enhancement Ideas From: patrik () cqure net To: kingthorin () hotmail com CC: toni.ruottu () iki fi; paulino () calderonpale com; nmap-dev () insecure org On Wed, May 23, 2012 at 7:33 PM, King Thorin <kingthorin () hotmail com> wrote: I just had a quick look at http-cors. It does not appear to follow redirects or check status codes at all, only setting and getting header values. I'm not sure if those header values would or wouldn't be present in a redirect. I still need someone (or a bunch of people) to confirm if I'm correct in my experiences with allow and public being lacking on redirect responses. Also I still need to know how to provide updates for the scripts in question. I'd propose a script parameter such as: redirect_count So code for htt-trace.nse could look like ( I threw this together quickly, it's not necessarily perfect or useable in this form): --- Validates the HTTP response and returns header list --@param response The HTTP response --@param response_headers The HTTP response headers local validate = function(response, response_headers, followed_redirects) local output_lines = {} if not(response:match("HTTP/1.[01] 200") or response:match("TRACE / HTTP/1.[01]")) then return else output_lines[ #output_lines+1 ] = "TRACE is enabled" if followed-redirects > 0 output_lines[ #output_lines+1 ] = "Followed " .. followed_redirects .. " redirects." -- We followed some redirects, tell the user end if nmap.verbosity() >= 2 then output_lines[ #output_lines+1 ]= "Headers:" for _, value in pairs(response_headers) do output_lines [ #output_lines+1 ] = value end end if #output_lines > 0 then return stdnse.strjoin("\n", output_lines) end end --- --MAIN --- action = function(host, port) local path = stdnse.get_script_args("http-trace.path") or "/" local num_redirects = stdnse.get_script_args("http-trace.redirect_count") or 2 -- Set default low [2] and let user make it bigger if needed local followed_redirects = 0 local req = http.generic_request(host, port, "TRACE", path) -- Request zero while (req.status == 301 or req.status == 302) and req.header["location"] and followed_redirects < num_redirects do -- Follow 2 or redirect_count redirects req = http.generic_request(host, port, "TRACE", req.header["location"]) followed_redirects = followed_redirects + 1 end -- Hopefully when we finish looping we received a HTTP 200 OK after following some redirects (at least we tried) return validate(req.body, req.rawheader, followed_redirects) end PS > The thread has now had two top and one bottom reply, what's the actual preference on this list? Date: Wed, 23 May 2012 18:41:06 +0300 Subject: Re: http-methods & http-trace NSE Script Enhancement Ideas From: toni.ruottu () iki fi To: paulino () calderonpale com CC: kingthorin () hotmail com; nmap-dev () insecure org Does this affect http-cors too? On Wednesday, 23 May 2012, Paulino Calderon wrote: On 23/05/2012 07:17 a.m., King Thorin wrote: I was just looking through some online docs and some nmap results. I've never seen a server that includes public or allow header(s) on a redirect response [maybe my experience is limited?]. It seems to me that the http-methods NSE should follow redirects (HTTP 301, 302, 303) in order to perform the necessary OPTIONS request on a page/resource that's providing a HTTP 200. Perhaps similar to the http-trace script: http://nmap.org/svn/scripts/http-trace.nse Though even that only follows one 301 or 302 redirect. Further, maybe both scripts should follow a configurable # of redirects (default 2, 3, 4 and configurable further) looking for a HTTP 200& handle 301, 302, and 303 redirect codes. Reference: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html I've emailed the devs of both scripts without any luck. I'd be glad to provide the necessary changes, if someone can simply fill me in as to how they should be submitted. _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/ I think adding a configuration value for redirects will work better in some cases. I would say most of the libraries follow 2-3 redirects but no more than that. In your experience, what would be a good default? -- Paulino Calderón Pale Website: http://calderonpale.com Twitter: http://twitter.com/calderpwn _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/ _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/ The http library does support http redirects for get and head requests.While redirection may seem trivial to implement at first there are a actually a few things to consider. Therefore, why not make trace a function in the http library wrapping the generic_request method and adding redirect support in the same way as has already been done for get, head, post and put requests? Cheers,Patrik -- Patrik Karlssonhttp://www.cqure.nethttp://twitter.com/nevdull77 Hi Patrik, I like that idea at face value. However I'm not a developer and looking at http://nmap.org/nsedoc/lib/http.html does not clarify redirect_ok or MAX_REDIRECT_COUNT for me at all. I'd either need some better examples/direction or someone else to pickup the idea and modify the NSEs in question. Rick _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 23)
- Re: http-methods & http-trace NSE Script Enhancement Ideas Paulino Calderon (May 23)
- Re: http-methods & http-trace NSE Script Enhancement Ideas Toni Ruottu (May 23)
- RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 23)
- Re: http-methods & http-trace NSE Script Enhancement Ideas Patrik Karlsson (May 23)
- RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 23)
- Re: http-methods & http-trace NSE Script Enhancement Ideas Toni Ruottu (May 23)
- Re: http-methods & http-trace NSE Script Enhancement Ideas Paulino Calderon (May 23)
- RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 25)
- Re: http-methods & http-trace NSE Script Enhancement Ideas Patrik Karlsson (May 25)
- RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 25)
- Re: http-methods & http-trace NSE Script Enhancement Ideas Patrik Karlsson (May 25)
- RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 27)
- RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 30)
- Re: http-methods & http-trace NSE Script Enhancement Ideas David Fifield (May 30)
- RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 31)
- RE: NSE: http-phpself-xss - Finds PHP files with reflected cross site scripting vulns due to unsafe use of the variable $_SERVER[PHP_SELF] King Thorin (Jun 01)