Nmap Development mailing list archives

Re: NSE script: HTTP Internal IP Address Disclosure


From: Patrick Donnelly <batrick () batbytes com>
Date: Mon, 30 May 2016 21:44:13 -0400

Hi Josh,

On Mon, May 30, 2016 at 6:12 AM, Josh Amishav-Zlatin <jamuse () gmail com> wrote:
> I attached an NSE script that checks if the remote web server discloses its
> internal IP address when sending an HTTP/1.0 request without a Host header.
> While this is a common issue for certain unpatched versions of IIS, other
> misconfigured web servers can be vulnerable as well.

Interesting script idea! A few comments:

o Don't declare locals at the top of functions unless necessary for
some specific reason (e.g. wider variable scope required). Declare
locals at first use (specifically looking at generateHttpV1_0Req).

o The location local in generateHttpV1_0Req appears unused?

o Use the string method access for brevity/performance: Instead of
string.match(lines, ...), do lines:match(...).

o Perhaps the script should only report internal IPs if different from host.ip?

o The validateIP function looks appropriate for a library (if it is
not already written). Perhaps the ipOps library.

-- 
Patrick Donnelly
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
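The check discussed in this thread, written out as an added stand-alone example (it is neither the script Josh attached nor any Nmap code): send an HTTP/1.0 request that deliberately omits the Host header, scan the raw response for RFC 1918, loopback and link-local IPv4 addresses, and, following the suggestion above, report only addresses that differ from the scanned host. It is in Python rather than NSE Lua so that it runs offline; the `ipaddress` module plays the role the `ipOps` library would in an NSE script. `TARGET_IP` and `SAMPLE_RESPONSE` are constructed values for the demonstration, and `probe()` is a hypothetical helper for use against a live server.

```python
import ipaddress
import re
import socket

# Constructed target address for the offline demonstration (not a real host).
TARGET_IP = "203.0.113.10"

# Address ranges treated as "internal": RFC 1918, loopback and link-local.
# Listed explicitly rather than via IPv4Address.is_private, which also
# matches documentation and reserved blocks we do not want to report.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_http10_request(path="/"):
    """Build an HTTP/1.0 request with no Host header.

    HTTP/1.0 does not require Host, so the server has to invent a hostname
    for anything it generates from it (typically a redirect's Location
    header); a misconfigured server fills in its own bound address.
    """
    return ("GET {} HTTP/1.0\r\n"
            "User-Agent: internal-ip-check/0.1\r\n"
            "Connection: close\r\n"
            "\r\n").format(path).encode("ascii")


def is_internal_ip(candidate):
    """True if candidate is a well-formed IPv4 address inside INTERNAL_NETS."""
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_internal_ips(response, target_ip):
    """Return internal IPv4 addresses disclosed anywhere in a raw HTTP response.

    Headers and body are both scanned, since the leak may sit in a Location
    or Content-Location header or in an error page body. Addresses equal to
    the scanned host are dropped: they disclose nothing the scanner did not
    already know.
    """
    text = response.decode("latin-1", errors="replace")
    found = []
    for match in IPV4_RE.finditer(text):
        ip = match.group(0)
        if ip == target_ip or ip in found or not is_internal_ip(ip):
            continue
        found.append(ip)
    return found


def probe(host, port=80, timeout=5.0):
    """Hypothetical live helper: send the Host-less request and return raw bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_http10_request())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample response modelled on the classic redirect leak: the
# server builds the Location URL from its own internal interface address.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Object Moved\r\n"
    b"Location: http://10.0.0.5/default.htm\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(find_internal_ips(SAMPLE_RESPONSE, TARGET_IP))
    # To run against a live server (assumed reachable):
    # print(find_internal_ips(probe("192.0.2.1"), "192.0.2.1"))
```

Running the script as-is reports `10.0.0.5` from the constructed response; the same response scanned with `target_ip="10.0.0.5"` reports nothing, which is the filtering behaviour suggested in the thread.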

