Re: NSE Script http-methods.nse

[David Fifield <david () bamsoftware com>]

On Mon, Feb 22, 2010 at 04:37:47PM -0800, Fyodor wrote:
> On Mon, Feb 22, 2010 at 02:43:35PM -0700, David Fifield wrote:
> > On Sun, Feb 21, 2010 at 12:49:23AM +0100, Daniel Roethlisberger wrote:
> > > David Fifield <david () bamsoftware com> 2010-02-18:
> > >
> > > http://www.owasp.org/index.php/Cross_Site_Tracing
> >
> > Okay, sounds good. I was not aware of that possibility. I removed TRACE
> > from the uninteresting set.
>
> I agree that TRACE can be interesting, and probably is worth noting.
> But we need to take extra care in the output of this script, as (per
> Bernd's research) it will now output on more than half of all web
> servers encountered.  Right now it looks like this against
> scanme.nmap.org:
>
> 80/tcp    open   http    Apache httpd 2.2.3 ((CentOS))
> |_http-methods: GET,HEAD,POST,OPTIONS,TRACE
> |_html-title: Go ahead and ScanMe!
>
> It takes a pretty experienced user to get anything useful out of the
> http-methods line here.  I think most users would immediately gloss
> over that line, rather than thinking "uh-oh, that list contains TRACE
> which can be a vector for defeating httpOnly cookies on systems with
> XSS vulns).  If TRACE triggered the output, I think we should make
> that clear and also provide a reference to the issue.
>
> Speaking of which, here is a useful OWASP page which describes the
> risks of various HTTP methods:
>
> http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
>
> I'm not sure what the best output would be, but one idea would be to
> only include the current (full list of methods) line in verbose mode,
> but (even in non-verbose) list the potentially risky methods supported
> and provide a link to the nsedoc page for more information.
>
> Of course the nsedoc would have to be updated to give more information
> about what methods are dangerous and why.  Much of that information is
> on the Owasp Testing_for_HTTP_Methods_and_XST page (which the nsedoc
> should link to).  For example:
>
> | http-methods: Supports potentially risky methods: TRACE, DELETE
> |_   See: http://nmap.org/nsedoc/scripts/http-methods.html

I made changes and this is how it works now:

$ nmap -p 80 -sC www.google.com www.apache.org www.bamsoftware.com
Nmap scan report for www.google.com (74.125.19.99)
PORT   STATE SERVICE
80/tcp open  http
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)

Nmap scan report for www.apache.org (192.87.106.226)
PORT   STATE SERVICE
80/tcp open  http
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html

Nmap scan report for www.bamsoftware.com (69.164.193.231)
PORT   STATE SERVICE
80/tcp open  http


$ nmap -p 80 -sC -v www.google.com www.apache.org www.bamsoftware.com
Nmap scan report for www.google.com (74.125.19.105)
PORT   STATE SERVICE
80/tcp open  http
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)

Nmap scan report for www.apache.org (192.87.106.226)
PORT   STATE SERVICE
80/tcp open  http
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html

Nmap scan report for www.bamsoftware.com (69.164.193.231)
PORT   STATE SERVICE
80/tcp open  http
|_http-methods: GET HEAD POST OPTIONS


Does that look good?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/