Nmap Development mailing list archives
Re: [RFC][NSE] Incomplete HTTP response body
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sun, 19 Mar 2017 07:55:46 -0500
My initial thought is that this is very interesting. I can't remember specifically, but it does seem like I've encountered cases where it would have been useful. I'll look at the code itself shortly and give feedback. Dan On Fri, Mar 17, 2017 at 3:16 PM, nnposter <nnposter () users sourceforge net> wrote:
Nmappers, Recent e-mail thread "Get value in IncompleteRead exception", http://seclists.org/nmap-dev/2017/q1/191, covered the fact that the current NSE HTTP library does not provide means how to obtain partially received response bodies. If the response parsing fails for whatever reason the caller only gets a nil status, and the status line contains a one-line error message. The caller specifically does not get any data from the response itself. I have put together a patch that adds a new member to the response object. If an HTTP response fails while processing the body then this member gets populated with a body fragment received up to that point. The value proposition is that probing for HTTP vulnerabilities sometimes results in incorrectly formed bodies. The content length might be off or the chunks are corrupted. With this modification a vulnerability test script might still be able to use the HTTP library, instead of hand-rolling the request. I am looking for opinions whether such a functionality is desirable or not. The attached patch applies cleanly against r36651 if you want to try it out. I am not going to commit it by default, without a reasonable consensus. Thank you for your thoughts, nnposter _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [RFC][NSE] Incomplete HTTP response body nnposter (Mar 17)
- Re: [RFC][NSE] Incomplete HTTP response body Daniel Miller (Mar 19)
- Re: [RFC][NSE] Incomplete HTTP response body nnposter (Mar 19)
- Re: [RFC][NSE] Incomplete HTTP response body Daniel Miller (Mar 27)
- Re: [RFC][NSE] Incomplete HTTP response body nnposter (Mar 29)
- Re: [RFC][NSE] Incomplete HTTP response body nnposter (Mar 19)
- Re: [RFC][NSE] Incomplete HTTP response body Daniel Miller (Mar 19)