Nmap Development mailing list archives
Re: NSE Script http-methods.nse
From: David Fifield <david () bamsoftware com>
Date: Tue, 23 Feb 2010 12:45:18 -0700
On Tue, Feb 23, 2010 at 08:26:21PM +0100, Bernd Stroessenreuther wrote:
That has some good ideas. I like the idea of using a nonexistent method for enumeration. You can use that to get the methods from an Ncat HTTP proxy: $ ncat -l --proxy-type http $ ncat localhost BOGUS http://test/ HTTP/1.0 HTTP/1.0 405 Method Not Allowed Allow: CONNECT, GET, HEAD, POST $ ncat localhost OPTIONS http://test/ HTTP/1.0 HTTP/1.0 405 Method Not Allowed Allow: CONNECT, GET, HEAD, POSTUsing a non existant method has - from my point of view - one major disadvantage: A reverse proxy might notice this invalid request and might drop it, e. g. giving a 403 or something else. You might not even get trough to the target system. A valid HTTP method like OPTIONS has much better chances to get through. And I think currently more and more companies build up revese proxies in front of their web applications to better protect them.
We could possibly do both. But we're just brainstorming here, none of this has to happen. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: NSE Script http-methods.nse, (continued)
- Re: NSE Script http-methods.nse Fyodor (Feb 22)
- Re: NSE Script http-methods.nse Patrik Karlsson (Feb 23)
- Re: NSE Script http-methods.nse David Fifield (Feb 23)
- Re: NSE Script http-methods.nse Patrik Karlsson (Feb 23)
- Re: NSE Script http-methods.nse David Fifield (Mar 02)
- Re: NSE Script http-methods.nse Daniel Roethlisberger (Mar 05)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Mar 05)
- Re: NSE Script http-methods.nse Vlatko Kosturjak (Feb 21)
- Re: NSE Script http-methods.nse David Fifield (Feb 22)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 23)
- Re: NSE Script http-methods.nse David Fifield (Feb 23)