Nmap Development mailing list archives
Re: [NSE] http.lua and delimiters
From: jah <jah () zadkiel plus com>
Date: Thu, 02 Oct 2008 03:09:26 +0100
Hi folks,

I've spent the evening on the rather arduous task of verifying that my proposed changes to the http library work as expected and comparing the results with the current version. I knocked up a quick script which uses both versions of the library to perform http.get(), print the status code, each of the header values and the length of the body. I ran wireshark whilst this ran against 142 hosts and then manually verified that the script results matched the wireshark capture. I checked that the response code matched, that all of the headers were captured and that the body length was correct.

Of the 142 hosts with port 80 open, the current library failed 34 times and the new version 0 times. Interestingly, the current library most often failed in a rather insignificant way. 21 times it returned a body which was only 2 bytes smaller than it should be (I haven't looked into why, but guess that it's just a missing newline or two). 3 times it merely added newlines whilst dechunking (and not many at that). Twice it omitted all headers (except the status code) and some of the body. The remaining 8 times were entirely missing bodies. So really, it isn't doing that badly.

One interesting instance, handled the same way by both versions of the library, was this:

HTTP/1.1 401 Authorization Required\r\n
Server: NetPort Software 1.1\r\n
WWW-Authenticate: Basic realm=""\r\n\r\n
HTTP/1.1 200 OK\r\n
Server: NetPort Software 1.1\r\n
Content-type: text/html\r\n
Expires:0\r\n\r\n
<HTML><SCRIPT>location.href="userfail.htm";</SCRIPT></HTML>

How's that for some response splitting! I visited this host with both firefox and with IE. Firefox displayed the second header and the body as plain text once I'd cancelled the Basic Auth dialog. IE briefly displayed the second but rendered the html tags and proceeded to execute the script. I rather prefer the way firefox (and wireshark and http.lua) handled this and decided it was a NO FAIL.
I'm pretty much ready to submit an updated patch as used for this test, but there's just one thing I'm wondering about adding. The header value containing the status code (Status-Line) is currently discarded after the code itself is captured, but I'm tending toward keeping it to be more complete. Also, sometimes they're almost interesting:

HTTP/1.1 403 Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. )

Any thoughts?

Regards,

jah

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
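The checks jah describes above (Status-Line and every header captured, body length byte-exact, dechunking without adding bytes, and the glued-on second response) can be exercised offline with a small parser. The following is an added example written for this page; it is not code from nmap's http.lua or from the patch under discussion, and the Python API is mine rather than the NSE library's. The CHUNKED input is constructed; the NETPORT input is the exchange quoted in the post with its CRLFs written as real bytes.

```python
"""Added example (not nmap's http.lua): parse one HTTP/1.x response from raw bytes.
Keeps the Status-Line, collects every header, returns the body byte-exact (by
Content-Length or by dechunking) and returns any bytes left after a delimited body
separately, so a second response following the first is never silently lost."""

import re

# Status-Line: HTTP-Version SP Status-Code [SP Reason-Phrase]; reason may be empty
_STATUS_RE = re.compile(r"^HTTP/(\d)\.(\d) (\d{3})(?: (.*))?$")


def _dechunk(data: bytes):
    """Decode a chunked body. Returns (body, bytes_after_last_chunk).
    Chunk extensions (';name=value') are ignored and trailer headers are skipped."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: optional trailers, terminated by an empty line
            while True:
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise ValueError("truncated trailer section")
                line, pos = data[pos:eol], eol + 2
                if not line:
                    return bytes(out), data[pos:]
        chunk = data[pos:pos + size]
        if len(chunk) < size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def parse_response(raw: bytes) -> dict:
    """Returns status_line, status, headers (lower-cased name -> list of values),
    body, and remainder (bytes after a length-delimited body; b'' otherwise)."""
    m = re.search(rb"\r?\n\r?\n", raw)   # end of headers; tolerate bare LF
    if m is None:
        raise ValueError("no end-of-headers delimiter")
    head_lines = [l.rstrip("\r") for l in raw[:m.start()].decode("iso-8859-1").split("\n")]
    rest = raw[m.end():]

    sm = _STATUS_RE.match(head_lines[0])
    if sm is None:
        raise ValueError("malformed Status-Line: %r" % head_lines[0])
    headers = {}
    last = None
    for line in head_lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:   # obsolete line folding
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())

    te = " ".join(headers.get("transfer-encoding", [])).lower()
    if "chunked" in te:
        body, remainder = _dechunk(rest)
    elif "content-length" in headers:
        n = int(headers["content-length"][0])
        body, remainder = rest[:n], rest[n:]
    else:
        # No length delimiter: body runs to end of input (read until close).
        # This is why the NetPort 401 ends up carrying the whole 200 as its body.
        body, remainder = rest, b""

    return {"status_line": head_lines[0], "status": int(sm.group(3)),
            "headers": headers, "body": body, "remainder": remainder}


def embedded_status_line(body: bytes):
    """Status-Line found at the very start of a body, else None: a cheap check for
    the response-splitting shape shown in the post (a second response inside a body)."""
    first = body.split(b"\n", 1)[0].rstrip(b"\r").decode("iso-8859-1", "replace")
    return first if _STATUS_RE.match(first) else None


# Constructed input: chunked body with an extension, a trailer, and a pipelined response after it
CHUNKED = (b"HTTP/1.1 200 OK\r\nServer: example\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"5;ext=1\r\nHello\r\n7\r\n, world\r\n0\r\nX-Trailer: yes\r\n\r\n"
           b"HTTP/1.1 204 No Content\r\n\r\n")

# The NetPort exchange quoted in the post, with the CRLFs as real bytes
NETPORT = (b"HTTP/1.1 401 Authorization Required\r\nServer: NetPort Software 1.1\r\n"
           b'WWW-Authenticate: Basic realm=""\r\n\r\n'
           b"HTTP/1.1 200 OK\r\nServer: NetPort Software 1.1\r\nContent-type: text/html\r\n"
           b"Expires:0\r\n\r\n"
           b'<HTML><SCRIPT>location.href="userfail.htm";</SCRIPT></HTML>')

if __name__ == "__main__":
    r = parse_response(CHUNKED)
    print(r["status_line"], r["headers"], r["body"], r["remainder"])
    r = parse_response(NETPORT)
    print(r["status_line"], len(r["body"]), embedded_status_line(r["body"]))
```

Against NETPORT the parser does what jah judged a NO FAIL: the 401 has neither Content-Length nor chunked encoding, so the entire second response is its body, and embedded_status_line() is what would flag that for a script author. Against CHUNKED it returns exactly "Hello, world" with no added newlines and hands back the trailing 204 untouched in remainder, which is the behaviour a pipelining client needs.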
Current thread:
- Re: [NSE] http.lua and delimiters Sven Klemm (Oct 01)
- Re: [NSE] http.lua and delimiters Sven Klemm (Oct 01)
- <Possible follow-ups>
- Re: [NSE] http.lua and delimiters jah (Oct 01)
- Re: [NSE] http.lua and delimiters jah (Oct 01)
- Re: [NSE] http.lua and delimiters David Fifield (Oct 01)
- Re: [NSE] http.lua and delimiters jah (Oct 02)
- Re: [NSE] http.lua and delimiters David Fifield (Oct 02)
- Re: [NSE] http.lua and delimiters Sven Klemm (Oct 03)
- Re: [NSE] http.lua and delimiters jah (Oct 03)
- Re: [NSE] http.lua and delimiters David Fifield (Oct 03)
- Re: [NSE] http.lua and delimiters David Fifield (Oct 01)