Nmap Development mailing list archives
Re: NSE Script http-methods.nse
From: David Fifield <david () bamsoftware com>
Date: Tue, 2 Mar 2010 15:48:45 -0700
On Mon, Feb 22, 2010 at 04:37:47PM -0800, Fyodor wrote:
> On Mon, Feb 22, 2010 at 02:43:35PM -0700, David Fifield wrote:
> > On Sun, Feb 21, 2010 at 12:49:23AM +0100, Daniel Roethlisberger wrote:
> > > David Fifield <david () bamsoftware com> 2010-02-18:
> > > http://www.owasp.org/index.php/Cross_Site_Tracing
> >
> > Okay, sounds good. I was not aware of that possibility. I removed TRACE
> > from the uninteresting set.
>
> I agree that TRACE can be interesting, and probably is worth noting. But
> we need to take extra care in the output of this script, as (per Bernd's
> research) it will now output on more than half of all web servers
> encountered. Right now it looks like this against scanme.nmap.org:
>
> 80/tcp open  http    Apache httpd 2.2.3 ((CentOS))
> |_http-methods: GET,HEAD,POST,OPTIONS,TRACE
> |_html-title: Go ahead and ScanMe!
>
> It takes a pretty experienced user to get anything useful out of the
> http-methods line here. I think most users would immediately gloss over
> that line, rather than thinking "uh-oh, that list contains TRACE which
> can be a vector for defeating httpOnly cookies on systems with XSS
> vulns". If TRACE triggered the output, I think we should make that clear
> and also provide a reference to the issue.
>
> Speaking of which, here is a useful OWASP page which describes the risks
> of various HTTP methods:
> http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
>
> I'm not sure what the best output would be, but one idea would be to
> only include the current (full list of methods) line in verbose mode,
> but (even in non-verbose) list the potentially risky methods supported
> and provide a link to the nsedoc page for more information. Of course
> the nsedoc would have to be updated to give more information about what
> methods are dangerous and why. Much of that information is on the Owasp
> Testing_for_HTTP_Methods_and_XST page (which the nsedoc should link to).
> For example:
>
> | http-methods: Supports potentially risky methods: TRACE, DELETE
> |_ See: http://nmap.org/nsedoc/scripts/http-methods.html
I made changes and this is how it works now:

$ nmap -p 80 -sC www.google.com www.apache.org www.bamsoftware.com

Nmap scan report for www.google.com (74.125.19.99)
PORT   STATE SERVICE
80/tcp open  http
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)

Nmap scan report for www.apache.org (192.87.106.226)
PORT   STATE SERVICE
80/tcp open  http
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html

Nmap scan report for www.bamsoftware.com (69.164.193.231)
PORT   STATE SERVICE
80/tcp open  http

$ nmap -p 80 -sC -v www.google.com www.apache.org www.bamsoftware.com

Nmap scan report for www.google.com (74.125.19.105)
PORT   STATE SERVICE
80/tcp open  http
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)

Nmap scan report for www.apache.org (192.87.106.226)
PORT   STATE SERVICE
80/tcp open  http
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html

Nmap scan report for www.bamsoftware.com (69.164.193.231)
PORT   STATE SERVICE
80/tcp open  http
|_http-methods: GET HEAD POST OPTIONS

Does that look good?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
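The logic the thread converges on (parse the Allow/Public header of an OPTIONS response, print the full method list only in verbose mode, and always flag the potentially risky methods with a pointer to the nsedoc page) is small enough to show in full. The following is an added example, not the http-methods.nse script or any other Nmap code: it reimplements that reporting logic in Python over constructed HTTP responses so a server admin can check their own OPTIONS output against the same rule. The set of methods treated as risky is an assumption for the example, drawn from the methods the thread and the cited OWASP page mention (TRACE, DELETE) plus PUT and CONNECT; the real script's list may differ.

```python
"""Added example (not http-methods.nse itself): classify the methods a
server advertises in its OPTIONS response the way the thread describes."""
import re

# Assumption for this example: methods worth flagging. TRACE and DELETE are
# the ones the thread names; PUT and CONNECT are added from the OWASP page
# it cites. The real NSE script's list may differ.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}

NSEDOC_URL = "http://nmap.org/nsedoc/scripts/http-methods.html"


def parse_status(raw_response: str) -> int:
    """Return the HTTP status code from the status line of a raw response."""
    status_line = raw_response.split("\r\n", 1)[0]
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", status_line)
    if not m:
        raise ValueError("malformed status line: %r" % status_line)
    return int(m.group(1))


def parse_methods(raw_response: str):
    """Return the methods listed in Allow or Public headers (in order), or
    None if the response carries neither header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    methods = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("allow", "public"):
            methods.extend(tok.strip().upper()
                           for tok in value.split(",") if tok.strip())
    return methods or None


def report(raw_response: str, verbose: bool = False) -> list:
    """Build the output lines in the style David's revised script prints:
    - no Allow/Public header: one line naming the status code
    - verbose: the full method list first
    - any risky method present: a 'Potentially risky methods' line plus the
      nsedoc link
    - nothing risky and not verbose: no output at all (empty list)"""
    methods = parse_methods(raw_response)
    if methods is None:
        return ["No Allow or Public header in OPTIONS response (status code %d)"
                % parse_status(raw_response)]
    risky = [m for m in methods if m in RISKY_METHODS]
    lines = []
    if verbose:
        lines.append(" ".join(methods))
    if risky:
        lines.append("Potentially risky methods: " + ", ".join(risky))
        lines.append("See " + NSEDOC_URL)
    return lines


# Constructed sample responses (not captured from any real host).
RESP_WITH_TRACE = ("HTTP/1.1 200 OK\r\n"
                   "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
                   "Content-Length: 0\r\n\r\n")
RESP_NO_HEADER = ("HTTP/1.1 400 Bad Request\r\n"
                  "Content-Type: text/html\r\n\r\n"
                  "<html><body>Bad Request</body></html>")
RESP_CLEAN = ("HTTP/1.1 200 OK\r\n"
              "Allow: GET, HEAD, POST, OPTIONS\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("with TRACE", RESP_WITH_TRACE),
                        ("no header", RESP_NO_HEADER),
                        ("clean", RESP_CLEAN)):
        for verbose in (False, True):
            print("%s (verbose=%s):" % (label, verbose))
            for line in report(resp, verbose):
                print("  " + line)
```

Run it as a script to see the three cases side by side; the "clean" response produces nothing in non-verbose mode, which is exactly the quiet behaviour Fyodor asked for on hosts where no risky method is advertised.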
Current thread:
- Re: NSE Script http-methods.nse, (continued)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 19)
- Re: NSE Script http-methods.nse David Fifield (Feb 19)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 19)
- Re: NSE Script http-methods.nse David Fifield (Feb 19)
- Re: NSE Script http-methods.nse Daniel Roethlisberger (Feb 20)
- Re: NSE Script http-methods.nse David Fifield (Feb 22)
- Re: NSE Script http-methods.nse Fyodor (Feb 22)
- Re: NSE Script http-methods.nse Patrik Karlsson (Feb 23)
- Re: NSE Script http-methods.nse David Fifield (Feb 23)
- Re: NSE Script http-methods.nse Patrik Karlsson (Feb 23)
- Re: NSE Script http-methods.nse David Fifield (Mar 02)
- Re: NSE Script http-methods.nse Daniel Roethlisberger (Mar 05)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Mar 05)
- Re: NSE Script http-methods.nse Vlatko Kosturjak (Feb 21)
- Re: NSE Script http-methods.nse David Fifield (Feb 22)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 23)
- Re: NSE Script http-methods.nse David Fifield (Feb 23)