Re: Enhanced Version of HTTPtrace.nse

[jah <jah () zadkiel plus com>]

On 13/12/2007 23:43, Kris Katterjohn wrote:
> Rob Nicholls wrote:
>   
> > Evening,
> >
> > Up until now, I'd assumed that the HTTPtrace script was used to detect
> > (and I don't mean relying on what OPTIONS * says) servers that supported
> > TRACE requests (which is bad practice). But I was tesing the script today
> > against a server that I knew had it enabled, and it didn't say anything.
> > So I've added support to Kris' script to try and return fairly accurately
> > information about whether TRACE is or isn't enabled (or inconclusive
> > IMHO), based on the behaviour that I remember seeing on servers in the
> > past. I think the logic is correct (see comments in the code for why I'm
> > doing what I'm doing, any further suggestions would be appreciated), but I
> > haven't been able to test all the scenarios yet as I only started working
> > on it earlier today.
> >
> >     
>
> Hi Rob!
>
> Printing that it is enabled but nothing changed is something that I 
> would consider if -v or -d is set (nmap.verbosity or nmap.debugging) 
> since that is something that can be useful at times.  However, printing 
> that it's not enabled is too much output IMO, and I'm pretty sure Fyodor 
> will agree.
>
> I hate that you wrote all that up with great comments only for me to say 
> this, but I just don't think there's a good reason to say that it's not 
> enabled.  But I've been wrong plenty of times before!
>
> Comments? :)
>   
I've been wondering the same thing about what output to give from 
scripts.  I reckon there are times when you'll be running a given script 
to see if the result is true and there'll be other times when you want 
to know if it's false.  And probably sometimes you'll want to know 
either way.

Perhaps verbosity /is/ the key.

jah

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org