Nmap Development mailing list archives
Patches for http.lua and adding support in httpspider.lua
From: Vinamra Bhatia <vinamrabhatia8 () gmail com>
Date: Tue, 20 Jun 2017 08:44:36 +0530
Hello All,

I was trying to add cookie support in httpspider.lua as I wanted to check my XSS script. However, I wasn't able to receive cookies on making minor modifications to the library. I was trying to use DVWA for the purpose, which was running on a VM on my machine.

After quite a few hours of debugging, I found this. When the spider library goes to {ip}/dvwa/, it gets a cookie in return and, in the Location header, we have login.php. Instead of going to /dvwa/login.php, it goes to login.php. Since login.php doesn't exist in the VM, it returns a 404 error code. I realized that the url_parse function in the library isn't taking relative URLs into account perfectly. Thus, I am submitting a patch which I feel will solve the problem.

Now, I also noticed that in the HTTP library get function, if a link redirects, it fails to take the cookie generated by the previous link. Hence, we need to append the cookies accordingly. I have taken care of the following 3 scenarios:

1. If the response received from the redirect doesn't have any cookie, it becomes equal to the previous cookie.
2. If the response received generates a cookie and the name of the cookie is different from the previous cookie, it simply appends it to the option.cookies table.
3. If the response received generates a cookie and the name of the cookie is the same as the previous redirect cookie, it updates the value for that particular cookie name.

I would love to receive feedback on this and would request you all to please test the patches. I am also attaching the modifications I did in the httpspider library to add cookie support.

Pull requests for the same patches:
https://github.com/nmap/nmap/pull/912
https://github.com/nmap/nmap/pull/913

Cheers
Vinamra
Attachment: httpspiderlib.patch
Attachment: httplib.patch
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
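The two behaviours described in the message above, as an added stand-alone Lua example (not the code from the attached patches, nor from Nmap's http.lua or httpspider.lua): resolving a relative Location value against the redirecting page's path, and merging redirect cookies according to the three scenarios listed. The function names, the `{ name, value }` cookie shape and the sample values are assumptions constructed for illustration.

```lua
-- Added example: plain Lua 5.3, independent of Nmap's http.lua and httpspider.lua.

-- Resolve a Location value against the path of the page that issued the redirect.
local function resolve_location(base_path, location)
  if location:match("^%a[%w+.-]*://") then return location end -- absolute URL
  local path, rest = location:match("^([^?#]*)(.*)$")          -- keep query/fragment aside
  if path:sub(1, 1) ~= "/" then
    -- relative reference: prepend the base path up to and including its last "/"
    path = (base_path:match("^(.*/)") or "/") .. path
  end
  local out = {}
  for seg in path:gmatch("[^/]+") do
    if seg == ".." then out[#out] = nil
    elseif seg ~= "." then out[#out + 1] = seg end
  end
  local trailing = (#out > 0 and path:sub(-1) == "/") and "/" or ""
  return "/" .. table.concat(out, "/") .. trailing .. rest
end

-- Merge cookies set by a redirect response into the ones already held.
-- Assumed shape: arrays of { name = ..., value = ... } tables.
local function merge_cookies(previous, received)
  local merged, index = {}, {}
  for _, c in ipairs(previous or {}) do
    merged[#merged + 1] = { name = c.name, value = c.value }
    index[c.name] = #merged
  end
  for _, c in ipairs(received or {}) do
    if index[c.name] then
      merged[index[c.name]].value = c.value                    -- scenario 3: same name, update
    else
      merged[#merged + 1] = { name = c.name, value = c.value } -- scenario 2: new name, append
      index[c.name] = #merged
    end
  end
  return merged -- scenario 1: nothing received, previous cookies carried over unchanged
end

-- Constructed values modelled on the DVWA case in the message.
assert(resolve_location("/dvwa/", "login.php") == "/dvwa/login.php")
assert(resolve_location("/dvwa/index.php", "../setup.php?x=1") == "/setup.php?x=1")
local jar = merge_cookies({ { name = "PHPSESSID", value = "aaa" } }, {})
assert(#jar == 1 and jar[1].value == "aaa")
jar = merge_cookies(jar, { { name = "security", value = "low" },
                           { name = "PHPSESSID", value = "bbb" } })
assert(#jar == 2 and jar[1].value == "bbb" and jar[2].name == "security")
print("ok")
```

This sketch ignores the cookie Domain and Path attributes, so it only fits a redirect chain in which every hop stays on the same host.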