Nmap Development mailing list archives

[NSE] http-form-brute enhancement


From: nnposter () users sourceforge net
Date: Fri, 19 Sep 2014 22:45:25 +0000

I got inspired by the recent list thread about GET support in
http-form-brute to take a closer look at the script. I believe that
I have identified several opportunities for enhancement.

The attached version implements features listed below. (It is a
substantial rewrite so a patch would be larger and more difficult to
review than the end result.) Any constructive feedback is appreciated.

* Both the form auto-detection and submission now also support the GET
method. Use argument http-form-brute.method to override the default or
whatever was discovered during the auto-detection.

* The form submission can now follow an arbitrary number of redirects.
The depth is controlled by a script constant (not an argument), currently
set to 2. (Some sites perform a redirect upon a successful login and
then immediately another one to switch the origin from HTTPS back to
HTTP.)

* The script no longer assumes that the form page is the same as the
form action. The form auto-detection will use http-form-brute.path for
the form analysis and then use the form action for the actual
submission. (Only relative destinations are accepted.) A missing action
attribute is considered to be the same as the form page to align it
with common browser behavior. (The HTML specification leaves the
behavior undefined.)

* The form auto-detection now considers a field of type "password" to
be more likely the password field than just a field named pass* or
key*, regardless of the type. (The two name prefixes are still used as
a fallback in the absence of the former.) This helps with cases such
as "slcpassword" or "token".

* All custom HTML parsing code has been replaced with existing
http.lua functions, namely grab_forms() and parse_form(). This both
improves tolerance for HTML syntax variations and avoids some false
matches. As an example, the following embedded CSS fragment used to be
treated as a form input tag:
.form-signin input[type="password"]

* Hard-coded probing credentials "this_is_not_a_valid_user" and
"this_is_not_a_valid_password" have been replaced with randomly
generated 8-character strings to remove predictability and to make the
length hopefully more acceptable. (Some sites error out on the long
credentials even before attempting authentication, which throws off the
login success/failure detection logic in the script.)

* The fallback logic for login failure detection is now more consistent
with the submitted form. It looks for the presence of a form field
named the same as the submitted password parameter. Previously it was
looking for the presence of any form field of type password, regardless of
name.

* Login success/failure detection patterns are now tried on the whole
response, as opposed to just the response body. This allows latching
onto cookies being set or similar header-level artifacts.

* Login success/failure detection patterns are now tried even on
redirects, as opposed to just the final location. This offers a notable
performance improvement in some cases. As an example, for sites that
redirect failed logins back to the landing page this change effectively
halves the number of sent HTTP requests if the login failure pattern is
set to look for the redirect.

* The script now reports the form auto-detection results if the debug
level is at least 1:

NSE: [http-form-brute 10.1.1.1:443] Form submission path: /sitelogin/login.pl
NSE: [http-form-brute 10.1.1.1:443] HTTP method: POST
NSE: [http-form-brute 10.1.1.1:443] Username field: (not set)
NSE: [http-form-brute 10.1.1.1:443] Password field: token

* The script now leverages setRetry() capability from brute.lua for
failed HTTP requests.


Other notes:

* As before, specifying argument http-form-brute.passvar disables form
auto-detection.

* Backward compatibility with the current version should be generally
preserved unless noted otherwise.

* The form action auto-detection does not support the base element (for
overriding relative URLs) or the formaction attribute (for overriding
the form action attribute).

* The new version has an edge-case dependency on http.parse_form()
doing its job even if the form is missing the action attribute. (See
http://seclists.org/nmap-dev/2014/q3/384 and
http://seclists.org/nmap-dev/2014/q3/388 for details.)

* The new version has an edge-case dependency on http.grab_forms() and
http.parse_form() correctly handling some HTML syntax variations. (See
http://seclists.org/nmap-dev/2014/q3/418 for details.)

* The new version has a direct dependency on url.build_query()
performing URL encoding of parameter names and values. It only impacts
GET-based forms. (See http://seclists.org/nmap-dev/2014/q3/427 for
details.)



Cheers,
nnposter


P.S. Please let me know if I should be submitting patches differently
so that they are easier to review. (I have 7 patches in limbo.)
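The form auto-detection rules described in the post, re-implemented in Python as an added illustration. This is not the attached script and does not use Nmap's http.lua; FormParser, resolve_action, detect_login_form and the constructed sample page are assumptions for this sketch, and the username heuristic is likewise an assumption the post does not state.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormParser(HTMLParser):
    """Collect every <form> with its method, action and <input> (name, type) pairs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action"),
                         "method": (a.get("method") or "GET").upper(), "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append((a.get("name"), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def resolve_action(form_path, action):
    """No action attribute: submit to the form page itself (browser behaviour).
    Relative action: resolve against the form page. Absolute URL: rejected (None)."""
    if not action:
        return form_path
    parts = urlsplit(action)
    if parts.scheme or parts.netloc:
        return None
    return urljoin(form_path, action)


def detect_login_form(html, form_path):
    """Return {path, method, user, pass} for the first usable login form, else None."""
    parser = FormParser()
    parser.feed(html)
    for form in parser.forms:
        fields = [(n, t) for n, t in form["fields"] if n]  # ignore unnamed inputs
        # First choice: a field of type "password"; fallback: a name starting pass* or key*
        pw = next((n for n, t in fields if t == "password"), None)
        if pw is None:
            pw = next((n for n, t in fields if re.match(r"(?i)^(pass|key)", n)), None)
        path = resolve_action(form_path, form["action"])
        if pw is None or path is None:
            continue
        # Username heuristic (assumption, not from the post): first text-like field that is not the password
        user = next((n for n, t in fields if t in ("text", "email") and n != pw), None)
        return {"path": path, "method": form["method"], "user": user, "pass": pw}
    return None


# Constructed sample page; the CSS inside <style> is the fragment the old parser mistook for an input tag
SAMPLE_LOGIN_PAGE = """<html><body><form method="post" action="login.pl">
<style>.form-signin input[type="password"] { width: 100%; }</style>
<input type="text" name="slcuser"> <input type="password" name="slcpassword">
<input type="submit" value="Log in"></form></body></html>"""
```

Running detect_login_form(SAMPLE_LOGIN_PAGE, "/sitelogin/index.html") yields the same four facts the script prints at debug level 1: submission path, method, username field and password field.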

Attachment: http-form-brute.nse
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/