Nmap Development mailing list archives
Re: [NSE] Why http.parse_form() rejects forms w/o action?
From: nnposter () users sourceforge net
Date: Fri, 29 Aug 2014 20:47:25 +0000
Daniel Miller wrote:
> The default *method* is GET. The *action* is the URI path for the reply. I don't see a problem with nnposter's patch, other than the other scripts that use http.parse_form would need to be updated to handle the nil case.
The patch below should take care of it. Besides the six listed scripts,
http-form-brute also uses parse_form() but it does not need the action.
Please let me know if you see any other reason for not parsing such forms.
Cheers,
nnposter
--- scripts/http-csrf.nse.orig 2014-08-29 14:38:02.850978300 -0600
+++ scripts/http-csrf.nse 2014-08-29 14:36:40.968978300 -0600
@@ -134,7 +134,7 @@
form = http.parse_form(form)
local resistant = false
- if form then
+ if form and form.action then
for _, field in ipairs(form['fields']) do
-- First we check the field's name.
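Review bot: the new guard `if form and form.action then` skips action-less forms entirely, but the visible loop body only reads form['fields'] to inspect each field's name; if the rest of this block never dereferences form.action, the guard excludes forms that could still be checked for a CSRF token. Consider narrowing the check to the statement that actually uses the action, or adding a comment stating why http-csrf requires one.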
--- scripts/http-fileupload-exploiter.nse.orig 2014-08-29 14:38:13.341978300 -0600
+++ scripts/http-fileupload-exploiter.nse 2014-08-29 14:37:23.112978300 -0600
@@ -256,7 +256,7 @@
form = http.parse_form(form)
- if form then
+ if form and form.action then
local action_absolute = string.find(form["action"], "https*://")
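Review bot: the nil guard is needed here, since form["action"] is passed straight to string.find on the next line. While in this spot: the pattern "https*://" is unanchored, so a relative action such as /redirect?to=https://... is classified as absolute, and `s*` accepts any run of s characters; "^https?://" anchors the match to the start of the action and allows exactly one optional s.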
--- scripts/http-form-fuzzer.nse.orig 2014-08-29 14:38:38.399978300 -0600
+++ scripts/http-form-fuzzer.nse 2014-08-29 14:21:42.724284900 -0600
@@ -195,7 +195,7 @@
local maxlen = target["maxlength"] or maxlen_global
for _,form_plain in ipairs(all_forms) do
local form = http.parse_form(form_plain)
- if form then
+ if form and form.action then
local affected_fields = fuzz_form(form, minlen, maxlen, host, port, path)
if #affected_fields > 0 then
affected_fields["name"] = "Path: "..path.." Action: "..form["action"]
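Review bot: with the new guard, a form that parses but carries no action is dropped silently, so a user running the fuzzer gets no indication that some forms on the page were never exercised. Consider an else branch that logs the skip at debug level via stdnse, naming `path` (already in scope), so skipped forms can be told apart from forms that simply produced no affected fields.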
--- scripts/http-rfi-spider.nse.orig 2014-08-29 14:38:52.709978300 -0600
+++ scripts/http-rfi-spider.nse 2014-08-29 14:21:39.471959700 -0600
@@ -198,7 +198,7 @@
for _,form_plain in ipairs(all_forms) do
local form = http.parse_form(form_plain)
local path = r.url.path
- if form then
+ if form and form.action then
local vulnerable_fields = check_form(form, host, port, path)
if #vulnerable_fields > 0 then
vulnerable_fields["name"] = "Possible RFI in form at path: "..path..", action: "..form["action"].." for
fields:"
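Review bot: in the visible lines form.action is only used to build the result name after check_form has already run, so the guard protects a string concatenation, not the check itself. Since `path` is in scope and a form with no action submits back to the document it appears in, consider defaulting form.action to path before calling check_form instead of skipping the form, so the spider still tests it.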
--- scripts/http-sql-injection.nse.orig 2014-08-29 14:39:03.074978300 -0600
+++ scripts/http-sql-injection.nse 2014-08-29 14:21:37.378750400 -0600
@@ -247,7 +247,7 @@
for _,form_plain in ipairs(all_forms) do
local form = http.parse_form(form_plain)
local path = r.url.path
- if form then
+ if form and form.action then
local vulnerable_fields = check_form(form, host, port, path)
if #vulnerable_fields > 0 then
vulnerable_fields["name"] = "Form at path: "..path..", form's action: "..form["action"]..". Fields that
might be vulnerable:"
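Review bot: this hunk has the same shape as the http-rfi-spider one, so the same point applies: form.action is only needed for the result string and the form could be tested with `path` as a fallback action. More generally, the identical `if form and form.action then` check is now repeated across six scripts; documenting in http.lua that parse_form() may return a form with a nil action, and perhaps offering one helper that applies the fallback, would keep the scripts consistent if this behaviour changes again.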
diff -ur c:\users\pzaruba\downloads/http-stored-xss.nse c:\Program Files (x86)\Nmap\scripts/http-stored-xss.nse
--- scripts/http-stored-xss.nse.orig 2014-08-29 14:39:07.442978300 -0600
+++ scripts/http-stored-xss.nse 2014-08-29 14:21:35.046517200 -0600
@@ -202,7 +202,7 @@
form = http.parse_form(form)
- if form then
+ if form and form.action then
local action_absolute = string.find(form["action"], "https*://")
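Review bot: the `diff -ur c:\users\pzaruba\downloads/... c:\Program Files (x86)\Nmap\scripts/...` line above this file's `---` header refers to local Windows paths and does not match the `---`/`+++` names used by this or any other hunk in the patch; it should be dropped before committing so the patch reads consistently. The guard itself is correct here, as form["action"] is dereferenced by string.find on the next line, and the same unanchored "https*://" pattern noted for http-fileupload-exploiter appears again.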
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
