Nmap Development mailing list archives
[NSE] http-form-brute enhancement
From: nnposter () users sourceforge net
Date: Fri, 19 Sep 2014 22:45:25 +0000
I got inspired by the recent list thread about GET support in http-form-brute to take a closer look at the script. I believe that I have identified several opportunities for enhancement. The attached version implements the features listed below. (It is a substantial rewrite, so a patch would be larger and more difficult to review than the end result.) Any constructive feedback is appreciated.

* Both the form auto-detection and submission now also support the GET method. Use argument http-form-brute.method to override the default or whatever was discovered during the auto-detection.

* The form submission can now follow an arbitrary number of redirects. The depth is controlled by a script constant (not an argument), currently set to 2. (Some sites perform a redirect upon a successful login and then immediately another one to switch the origin from HTTPS back to HTTP.)

* The script no longer assumes that the form page is the same as the form action. The form auto-detection will use http-form-brute.path for the form analysis and then use the form action for the actual submission. (Only relative destinations are accepted.) A missing action attribute is considered to be the same as the form page to align it with common browser behavior. (The HTML specification leaves the behavior undefined.)

* The form auto-detection now considers a field of type "password" to be more likely the password field than just a field named pass* or key*, regardless of the type. (The two name prefixes are still used as a fallback in the absence of the former.) This helps with cases such as "slcpassword" or "token".

* All custom HTML parsing code has been replaced with existing http.lua functions, namely grab_forms() and parse_form(). This both improves tolerance for HTML syntax variations and avoids some false matches. As an example, the following embedded CSS fragment used to be treated as a form input tag:

    .form-signin input[type="password"]

* Hard-coded probing credentials "this_is_not_a_valid_user" and "this_is_not_a_valid_password" have been replaced with randomly generated 8-character strings to remove predictability and to make the length hopefully more acceptable. (Some sites error out on the long credentials even before attempting authentication, which throws off the login success/failure detection logic in the script.)

* The fallback logic for login failure detection is now more consistent with the submitted form. It is looking for the presence of a form field named the same as the submitted password parameter. Previously it was looking for the presence of any form field of type password, regardless of name.

* Login success/failure detection patterns are now tried on the whole response, as opposed to just the response body. This allows latching onto cookies being set or similar header-level artifacts.

* Login success/failure detection patterns are now tried even on redirects, as opposed to just the final location. This offers a notable performance improvement in some cases. As an example, for sites that redirect failed logins back to the landing page, this change effectively halves the number of sent HTTP requests if the login failure pattern is set to look for the redirect.

* The script now reports the form auto-detection results if the debug level is at least 1:

    NSE: [http-form-brute 10.1.1.1:443] Form submission path: /sitelogin/login.pl
    NSE: [http-form-brute 10.1.1.1:443] HTTP method: POST
    NSE: [http-form-brute 10.1.1.1:443] Username field: (not set)
    NSE: [http-form-brute 10.1.1.1:443] Password field: token

* The script now leverages the setRetry() capability from brute.lua for failed HTTP requests.

Other notes:

* As before, specifying argument http-form-brute.passvar disables form auto-detection.

* Backward compatibility with the current version should be generally preserved unless noted otherwise.

* The form action auto-detection does not support the base element (for overriding relative URLs) or the formaction attribute (for overriding the form action attribute).

* The new version has an edge-case dependency on http.parse_form() doing its job even if the form is missing the action attribute. (See http://seclists.org/nmap-dev/2014/q3/384 and http://seclists.org/nmap-dev/2014/q3/388 for details.)

* The new version has an edge-case dependency on http.grab_forms() and http.parse_form() correctly handling some HTML syntax variations. (See http://seclists.org/nmap-dev/2014/q3/418 for details.)

* The new version has a direct dependency on url.build_query() performing URL encoding of parameter names and values. It only impacts GET-based forms. (See http://seclists.org/nmap-dev/2014/q3/427 for details.)

Cheers,
nnposter

P.S. Please let me know if I should be submitting patches differently so that they are easier to review. (I have 7 patches in limbo.)
Attachment:
http-form-brute.nse
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
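The form auto-detection rules described in the post (prefer a type="password" field, fall back to pass*/key* names, treat a missing action as the form page, accept only relative actions, allow a method override) plus the random probe credentials and the name-based failure fallback, as an added example. This is Python written for this page, not the NSE script's Lua code; the function names, the FormCollector class and the sample HTML are constructed for illustration, and Python's html.parser stands in for http.lua's grab_forms()/parse_form().

```python
# Added example (Python, not the NSE script's Lua): the form auto-detection
# heuristics from the post, the fallback failure check and random probe
# credentials. Function names and sample HTML are assumptions for this page.
import secrets
import string
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect <form> elements with their nested <input> fields.

    HTMLParser treats <style>/<script> bodies as raw data, so a CSS selector
    such as  .form-signin input[type="password"]  is never seen as a tag."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action"),
                          "method": (a.get("method") or "GET").upper(),
                          "fields": []}
        elif tag == "input" and self._form is not None:
            self._form["fields"].append({"name": a.get("name"),
                                         "type": (a.get("type") or "text").lower()})

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def resolve_action(page_path, action):
    """Missing action => the form page itself; absolute destinations rejected."""
    if not action:
        return page_path
    parts = urlsplit(action)
    if parts.scheme or parts.netloc:
        return None          # only relative destinations are accepted
    return urljoin(page_path, action)


def detect_form(html, page_path, method_override=None):
    """Return {'path','method','uservar','passvar'} for the first login-like form."""
    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        named = [f for f in form["fields"] if f["name"]]
        # A type="password" field wins; pass*/key* names are only a fallback.
        passwd = next((f for f in named if f["type"] == "password"), None)
        if passwd is None:
            passwd = next((f for f in named
                           if f["name"].lower().startswith(("pass", "key"))), None)
        if passwd is None:
            continue
        path = resolve_action(page_path, form["action"])
        if path is None:
            continue
        # Username: first text-like field other than the password (may be absent).
        user = next((f for f in named
                     if f is not passwd and f["type"] in ("text", "email")), None)
        return {"path": path,
                "method": method_override or form["method"],
                "uservar": user["name"] if user else None,
                "passvar": passwd["name"]}
    return None


def probe_credential(length=8):
    """Random probe string replacing the fixed 'this_is_not_a_valid_user'."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def login_failed_fallback(response_html, passvar):
    """Fallback failure test: the response still carries a field named passvar."""
    parser = FormCollector()
    parser.feed(response_html)
    return any(f["name"] == passvar
               for form in parser.forms for f in form["fields"])


# Constructed sample page: CSS decoy, no action attribute, token-only form.
SAMPLE_PAGE = """<html><head><style>
.form-signin input[type="password"] { width: 100%; }
</style></head><body>
<form method="post">
  <input type="hidden" name="csrf" value="x">
  <input type="password" name="token">
  <input type="submit" value="Login">
</form></body></html>"""

# Constructed sample where no type="password" exists and the name fallback applies.
FALLBACK_PAGE = """<form action="../auth/check.cgi" method="get">
<input type="text" name="user"><input type="text" name="keyphrase"></form>"""

if __name__ == "__main__":
    print(detect_form(SAMPLE_PAGE, "/sitelogin/login.pl"))
    print(detect_form(FALLBACK_PAGE, "/site/index.html"))
```

Run against SAMPLE_PAGE with page path /sitelogin/login.pl, detect_form() yields the same picture as the debug output quoted in the post: submission path /sitelogin/login.pl (no action attribute, so the form page), method POST, no username field, password field "token". The CSS fragment inside <style> is not mistaken for an input.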
Current thread:
- [NSE] http-form-brute enhancement nnposter (Sep 19)
- Re: [NSE] http-form-brute enhancement Daniel Miller (Sep 19)
- Re: [NSE] http-form-brute enhancement Daniel Miller (Sep 23)