Nmap Development mailing list archives

Re: [NSE] http.lua and delimiters


From: jah <jah () zadkiel plus com>
Date: Thu, 02 Oct 2008 03:09:26 +0100

Hi folks,

I've spent the evening on the rather arduous task of verifying that my
proposed changes to the http library work as expected and comparing the
results with the current version.  I knocked up a quick script which
uses both versions of the library to perform http.get(), print the
status code, each of the header values and the length of the body.  I
ran wireshark whilst this ran against 142 hosts and then manually
verified that the script results matched the wireshark capture.  I
checked that the response code matched, that all of the headers were
captured and that the body length was correct.

Of the 142 hosts with port 80 open, the current library failed 34 times
and the new version 0 times.
Interestingly, the current library most often failed in a rather
insignificant way. 21 times it returned a body which was only 2 bytes
smaller than it should be (I haven't looked into why, but guess that
it's just a missing newline or two).  3 times it merely added newlines
whilst dechunking (and not many at that).  Twice it omitted all headers
(except the status code) and some of the body.  The remaining 8 times
were entirely missing bodies.
So really, it isn't doing that badly.

One interesting instance, handled the same way by both versions of the
library, was this:

HTTP/1.1 401 Authorization Required\r\n
Server: NetPort Software 1.1\r\n
WWW-Authenticate: Basic realm=""\r\n\r\n

HTTP/1.1 200 OK\r\n
Server: NetPort Software 1.1\r\n
Content-type: text/html\r\n
Expires:0\r\n\r\n

<HTML><SCRIPT>location.href="userfail.htm";</SCRIPT></HTML>

How's that for some response splitting!  I visited this host with both
Firefox and with IE.  Firefox displayed the second header and the body
as plain text once I'd cancelled the Basic Auth dialog.  IE briefly
displayed the second but rendered the HTML tags and proceeded to execute
the script.  I rather prefer the way Firefox (and wireshark and
http.lua) handled this and decided it was a NO FAIL.

I'm pretty much ready to submit an updated patch as used for this test,
but there's just one thing I'm wondering about adding.  The header value
containing the status code (Status-Line) is currently discarded after
the code itself is captured, but I'm tending toward keeping it to be
more complete.  Also, sometimes they're almost interesting:
HTTP/1.1 403 Forbidden ( The server denied the specified Uniform
Resource Locator (URL). Contact the server administrator.  )

Any thoughts?

Regards,

jah

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
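As an added illustration (not part of jah's message or of Nmap's http.lua): a small Python parser that keeps the full Status-Line as proposed above, dechunks a chunked body, and flags the back-to-back-response case quoted in the post, where a 401 with no body-length information is followed by a second response that a client swallows as the body. The sample bytes are constructed from the two responses quoted above; the function names are my own.

```python
# Constructed sample reproducing the two back-to-back responses quoted in
# the post: a 401 with no Content-Length or chunking, followed by a 200.
SAMPLE = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"Server: NetPort Software 1.1\r\n"
    b"WWW-Authenticate: Basic realm=\"\"\r\n\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Server: NetPort Software 1.1\r\n"
    b"Content-type: text/html\r\n"
    b"Expires:0\r\n\r\n"
    b"<HTML><SCRIPT>location.href=\"userfail.htm\";</SCRIPT></HTML>"
)

def dechunk(data):
    """Decode a chunked body: <hex-size>CRLF<chunk>CRLF ... 0CRLFCRLF."""
    out = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip() or b"0", 16)
        if size == 0:            # terminating chunk (trailers ignored)
            return out
        out += data[:size]
        data = data[size + 2:]   # skip the chunk and its trailing CRLF

def parse_response(raw):
    """Split one raw HTTP response into status line, code, headers, body."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")   # kept whole, as proposed
    status = int(status_line.split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(rest)
    elif "content-length" in headers:
        body = rest[:int(headers["content-length"])]
    else:
        body = rest              # no length given: body runs to end of stream
    return {"status_line": status_line, "status": status,
            "headers": headers, "body": body}

def looks_split(resp):
    """True when the body itself begins with a Status-Line, i.e. the server
    sent a second response on the connection and it was read as body."""
    return resp["body"].startswith(b"HTTP/1.")
```

Running parse_response(SAMPLE) yields the 401 with the whole 200 response as its body, and looks_split() reports that; feeding that body back through parse_response() recovers the 200 and its HTML.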
