Nmap Development mailing list archives
Re: NSE Script http-methods.nse
From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Feb 2010 12:25:37 -0700
On Sat, Jan 30, 2010 at 09:11:01PM +0100, Bernd Stroessenreuther wrote:
Hi David,Thank you for the update. I want to add the script, but first I want to know if you are willing to license the script like the other Nmap scripts, license = "Same as Nmap--See http://nmap.org/book/man-legal.html"I do like very much the freedom the GPL gives and enforces. So I did put it under GPL at first. I'm not only happy if someone else has the possibility to relicense the code e. g. under a commercial license. But in the end I think it is the best solution to have this script in the official release. And because of this, it is clear it needs the same license as the other nmap components. So yes, I license it under the terms of http://nmap.org/book/man-legal.html
Thanks. This is committed in r16661.
Fyodor had some ideas for enhancement of the script, such as making it default and only printing "interesting" methods in non-verbose mode.Even if I'm not sure why some methods should be more interesting then others, I'm prying. You surely know much better then I, what nmap users find interesting or useful...
The idea here is to make the script default, because if a server supports DELETE or something, someone running with -sC probably wants to see that. But for ordinary methods like GET and HEAD, the user probably doesn't want to see those for every server. With one level of -v, the script would print out all methods. Scripts that are listed by name always get an increase of one -v automatically, so if you run --script=http-methods, you will see all the methods for every server. Here are some examples: $ nmap -sC scanme.nmap.org -p 80 (No http-methods output.) $ nmap --script=safe scanme.nmap.org -p 80 (No http-methods output.) $ nmap -sC -v scanme.nmap.org -p 80 |_http-methods: OPTIONS / request returned: GET,HEAD,POST,OPTIONS,TRACE $ nmap --script=http-methods scanme.nmap.org -p 80 |_http-methods: OPTIONS / request returned: GET,HEAD,POST,OPTIONS,TRACE It's like, we want something like an http-dangerous-methods script, which only highlights methods you don't expect to see on every web server. But you also want a script to just give you a plain report of what options the server supports. Maybe this script can do both? What do you think. I just tried the script against the CouchDB server, and got the result |_http-methods: OPTIONS / request returned: GET,HEAD This despite the fact that the server doesn't even support OPTION, as Ncat reports: OPTIONS / HTTP/1.0 HTTP/1.0 405 Method Not Allowed Server: CouchDB/0.10.1 (Erlang OTP/R13B) Date: Mon, 01 Feb 2010 19:19:24 GMT Content-Type: text/plain;charset=utf-8 Content-Length: 64 Cache-Control: must-revalidate Allow: GET,HEAD {"error":"method_not_allowed","reason":"Only GET,HEAD allowed"} Good job! David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 02)
- Re: NSE script HTTPallowedMethods.nse David Fifield (Jan 12)
- NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 12)
- Re: NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 27)
- Re: NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse David Fifield (Jan 29)
- Re: NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 30)
- Re: NSE Script http-methods.nse David Fifield (Feb 01)
- Re: NSE Script http-methods.nse David Fifield (Feb 18)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 19)
- Re: NSE Script http-methods.nse David Fifield (Feb 19)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 19)
- Re: NSE Script http-methods.nse David Fifield (Feb 19)
- NSE Script http-methods.nse, WAS: NSE script HTTPallowedMethods.nse Bernd Stroessenreuther (Jan 12)
- Re: NSE Script http-methods.nse Daniel Roethlisberger (Feb 20)
- Re: NSE Script http-methods.nse David Fifield (Feb 22)
- Re: NSE Script http-methods.nse Fyodor (Feb 22)
- Re: NSE Script http-methods.nse Patrik Karlsson (Feb 23)
- Re: NSE Script http-methods.nse David Fifield (Feb 23)
- Re: NSE script HTTPallowedMethods.nse David Fifield (Jan 12)