Nmap Development mailing list archives

Re: New script: http-headers.nse


From: Fyodor <fyodor () insecure org>
Date: Thu, 27 Aug 2009 01:06:05 -0700

On Tue, Aug 25, 2009 at 06:37:48PM -0500, Ron wrote:
> I went ahead and checked this in, with the change suggested by Patrick.
> Let me know if there are any issues!

Thanks Ron.  At first I thought the usefulness of this was a bit
dubious considering how easy it is to do manually with ncat.  Then I
thought, "well, this makes it easy for SSL servers too", but actually
that is equally easy with Ncat.  But after further contemplation, I do
support the inclusion overall as http is an incredibly important
protocol and many of these headers can actually be quite useful.  I
have a few comments/questions though:

o Why do a GET request instead of HEAD?  I'm not saying we should
  switch to HEAD, just wondering about your reasoning.  After all,
  HEAD exists for basically this exact purpose.  And it is slightly
  less intrusive on the server and does not waste bandwidth giving us
  content the script doesn't even look at.

o The script loses the capitalization of the headers.  I guess that is
  an http.get limitation.  If it was just as easy, I'd prefer to keep
  the capitalization in http-headers.  But it may not be worth adding
  some sort of option to http.get.

o The script also seems to lose the header order (presumably due to
  http.get API).  If we're going to lose the original order, we should
  probably just sort them rather than print them out semi-randomly.
  Or they could be given in a canonical order specified in the script
  which tries to group similar headers and also print more important
  ones first.  Any which aren't specified in the script would be
  alphabetized at the end.

o It would be great to have an NSE arg for specifying the path rather
  than always grabbing /.  Sometimes I want to see the last modified
  date or content type or some other values for a specific URL.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
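
The header-ordering suggestion in the message above, carried through as an added example (not part of the original message and not code from Nmap): plain Lua that parses a response head while keeping header capitalization and wire order, then lists prioritized headers first and alphabetizes the rest. The `CANONICAL` list, the function names and the sample response are assumptions constructed for illustration.

```lua
-- Added illustration in plain Lua; it calls no NSE library functions.
-- CANONICAL is a hypothetical priority list, not one taken from Nmap.
local CANONICAL = { "server", "x-powered-by", "date", "last-modified",
                    "content-type", "content-length", "set-cookie" }

-- Parse a raw response head into an array of {name, value} records,
-- keeping the server's capitalization and the order on the wire.
local function parse_headers(raw)
  local headers, seen_status = {}, false
  for line in raw:gmatch("([^\r\n]*)\r?\n") do
    if not seen_status then
      seen_status = true                      -- skip the status line
    elseif line == "" then
      break                                   -- blank line ends the head
    else
      local name, value = line:match("^([^:%s]+):%s*(.-)%s*$")
      if name then headers[#headers + 1] = { name = name, value = value } end
    end
  end
  return headers
end

-- Listed headers first (in list order), the rest alphabetized at the end.
-- Names compare case-insensitively; repeated headers keep their wire order.
local function canonical_order(headers)
  local rank, rows = {}, {}
  for i, name in ipairs(CANONICAL) do rank[name] = i end
  for i, h in ipairs(headers) do
    rows[i] = { h = h, pos = i, key = h.name:lower() }
  end
  table.sort(rows, function(a, b)
    local ra, rb = rank[a.key], rank[b.key]
    if ra and rb and ra ~= rb then return ra < rb end
    if (ra ~= nil) ~= (rb ~= nil) then return ra ~= nil end
    if a.key ~= b.key then return a.key < b.key end
    return a.pos < b.pos                      -- table.sort is not stable
  end)
  local out = {}
  for i, r in ipairs(rows) do out[i] = r.h.name .. ": " .. r.h.value end
  return out
end

-- Constructed sample response head (not captured from a real server).
local sample = "HTTP/1.1 200 OK\r\nETag: \"abc\"\r\nSet-Cookie: a=1\r\n" ..
  "Content-Type: text/html\r\nSet-Cookie: b=2\r\nSERVER: ExampleHTTPd\r\n" ..
  "Cache-Control: no-cache\r\n\r\n"
for _, line in ipairs(canonical_order(parse_headers(sample))) do
  print(line)
end
```

Folded continuation lines are skipped by this parser, and the explicit position tiebreak is what keeps the two `Set-Cookie` headers in the order the server sent them.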

