Nmap Development mailing list archives
Re: [NSE] Why http.parse_form() rejects forms w/o action?
From: nnposter () users sourceforge net
Date: Fri, 29 Aug 2014 20:47:25 +0000
Daniel Miller wrote:
The default *method* is GET. The *action* is the URI path for the reply. I don't see a problem with nnposter's patch, other than the other scripts that use http.parse_form would need to be updated to handle the nil case.
The patch below should take care of it. Besides the six listed scripts, http-form-brute also uses parse_form() but it does not need the action. Please let me know if you see any other reason for not parsing such forms. Cheers, nnposter --- scripts/http-csrf.nse.orig 2014-08-29 14:38:02.850978300 -0600 +++ scripts/http-csrf.nse 2014-08-29 14:36:40.968978300 -0600 @@ -134,7 +134,7 @@ form = http.parse_form(form) local resistant = false - if form then + if form and form.action then for _, field in ipairs(form['fields']) do -- First we check the field's name. --- scripts/http-fileupload-exploiter.nse.orig 2014-08-29 14:38:13.341978300 -0600 +++ scripts/http-fileupload-exploiter.nse 2014-08-29 14:37:23.112978300 -0600 @@ -256,7 +256,7 @@ form = http.parse_form(form) - if form then + if form and form.action then local action_absolute = string.find(form["action"], "https*://") --- scripts/http-form-fuzzer.nse.orig 2014-08-29 14:38:38.399978300 -0600 +++ scripts/http-form-fuzzer.nse 2014-08-29 14:21:42.724284900 -0600 @@ -195,7 +195,7 @@ local maxlen = target["maxlength"] or maxlen_global for _,form_plain in ipairs(all_forms) do local form = http.parse_form(form_plain) - if form then + if form and form.action then local affected_fields = fuzz_form(form, minlen, maxlen, host, port, path) if #affected_fields > 0 then affected_fields["name"] = "Path: "..path.." Action: "..form["action"] --- scripts/http-rfi-spider.nse.orig 2014-08-29 14:38:52.709978300 -0600 +++ scripts/http-rfi-spider.nse 2014-08-29 14:21:39.471959700 -0600 
@@ -198,7 +198,7 @@ for _,form_plain in ipairs(all_forms) do local form = http.parse_form(form_plain) local path = r.url.path - if form then + if form and form.action then local vulnerable_fields = check_form(form, host, port, path) if #vulnerable_fields > 0 then vulnerable_fields["name"] = "Possible RFI in form at path: "..path..", action: "..form["action"].." for fields:" --- scripts/http-sql-injection.nse.orig 2014-08-29 14:39:03.074978300 -0600 +++ scripts/http-sql-injection.nse 2014-08-29 14:21:37.378750400 -0600 @@ -247,7 +247,7 @@ for _,form_plain in ipairs(all_forms) do local form = http.parse_form(form_plain) local path = r.url.path - if form then + if form and form.action then local vulnerable_fields = check_form(form, host, port, path) if #vulnerable_fields > 0 then vulnerable_fields["name"] = "Form at path: "..path..", form's action: "..form["action"]..". Fields that might be vulnerable:" diff -ur c:\users\pzaruba\downloads/http-stored-xss.nse c:\Program Files (x86)\Nmap\scripts/http-stored-xss.nse --- scripts/http-stored-xss.nse.orig 2014-08-29 14:39:07.442978300 -0600 +++ scripts/http-stored-xss.nse 2014-08-29 14:21:35.046517200 -0600 @@ -202,7 +202,7 @@ form = http.parse_form(form) - if form then + if form and form.action then local action_absolute = string.find(form["action"], "https*://") _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
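Review bot: in the http-csrf.nse hunk the visible loop body reads only form['fields'], so if the rest of that block does not need the action, changing "if form then" to "if form and form.action then" does more than avoid a nil index: it drops every form that submits back to its own page from the CSRF-token check. If the later output does print the action, defaulting it to the page path before the check would keep those forms covered.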
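Review bot: in the http-fileupload-exploiter.nse hunk the new guard is what stops string.find(form["action"], "https*://") from being called with a nil first argument, which is the right fix for the crash, but since that call only decides whether the action is absolute, a form with no action could be treated as relative to the current page instead of being skipped. Nit on the same context line: the pattern "https*://" matches zero or more "s", so it also accepts "httpss://"; "https?://" is what is meant.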
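Review bot: in the http-form-fuzzer.nse hunk form["action"] is consumed only in the result label "Path: "..path.." Action: "..form["action"], and path is already in scope there (it is passed to fuzz_form), so writing form["action"] or path in the label would let the fuzzer keep testing forms whose action is nil, which the new condition now skips entirely.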
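Review bot: the http-stored-xss.nse hunk is preceded by a stray "diff -ur c:\users\pzaruba\downloads/http-stored-xss.nse c:\Program Files (x86)\Nmap\scripts/http-stored-xss.nse" header that names local Windows paths and does not match the scripts/... paths used in the ---/+++ lines of every hunk; drop it so the patch applies uniformly. The hunk itself guards the same string.find(form["action"], "https*://") call as the http-fileupload-exploiter change, and that pattern should likewise be "https?://" rather than "https*://".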
Current thread:
- [NSE] Why http.parse_form() rejects forms w/o action? nnposter (Aug 29)
- Re: [NSE] Why http.parse_form() rejects forms w/o action? David Fifield (Aug 29)
- Re: [NSE] Why http.parse_form() rejects forms w/o action? Daniel Miller (Aug 29)
- Re: [NSE] Why http.parse_form() rejects forms w/o action? nnposter (Aug 29)
- Re: [NSE] Why http.parse_form() rejects forms w/o action? Daniel Miller (Aug 29)
- Re: [NSE] Why http.parse_form() rejects forms w/o action? David Fifield (Aug 29)