Nmap Development mailing list archives
Re: http-trace fails
From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 28 Apr 2010 11:21:05 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 28 Apr 2010 18:13:20 +0200 Patrik Karlsson <patrik () cqure net> wrote:
Hi all, I'm having some trouble with the http-trace script missing hosts that actually have the TRACE method enabled. I've been able to locate the problem and it occurs if the server does not return anything more than the TRACE / HTTP/1.0 line.
<snip>
The current logic only returns a success if the HTTP data portion of the response is different from the original query. An alternative method of detection would be to stuff a header with random contents into the request and look for it in the response:
<snip>
Or the script could simply be corrected to handle the first
request.
Any thoughts? //Patrik
What you're describing isn't failure: the description says it uses TRACE to see if headers are getting modified, not checking if TRACE is supported on the target server. Cheers, Kris Katterjohn -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAEBAgAGBQJL2GBxAAoJEEQxgFs5kUfuchMP/3dR6D7N4qZONTKO3OCC4Kpb dk6JZGCoukrA3+QIw9BP8VA3EIhDxYBHjY96kX0iYg3fEHqb5cu9vDVjrDO16YoY CHWwdk+t9XC8x5OefB5RMgE5xYVoEXuTRjY5ZlsER710L0lJ0aJTY81Fd14Aw2XX 2M00AtL4mWbkXb/hLJJDKt0RT/6jk9qYF8GCRB1gIMUqFuAt/sN/0gLBPacgRX86 sqrHIT0GymZVw3ggSsjzPVpxACOg2u+/vKZqgPG+RvmvTUeu+Iwgb7tXdvZEiwZM si4RCh10nZTtKgN0N/qw4BLeVZ9flkkB2khRW8Al6JEy27EVrIGp10LHkOTch4/k byhK847nUa80OYBOOsJz+JQAIKqCOGgTMWhNTTwpDvcIggzmDOURSGQwrLntYXwW qORUQRRLsN8OoyxEtgOn0pBdxWhbnRIYwbgG9M8SkkxEZgj1bExSN/afJXxkSAOb wr6+HuCq59o0fQ8akomyZtWQP19gHu9gfmd7zHqbmjo7CsymJnHEsJ3DAaKVE3Xs 8b3YlaDRg3r+mYt7LBBADpq75lY6/nBA/1sqwfevDnJsAIuFyYtSNLCLlpGglTD6 zugQYMu4z3jrQ+MUJcRpX2W+uxMRFT5ntZT4X8gT6YAIhA/lsVknk+mzYFaCB9Pf h/hWrkEJVnspdK3pvZsg =jaYn -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- http-trace fails Patrik Karlsson (Apr 28)
- Re: http-trace fails Kris Katterjohn (Apr 28)
- Re: http-trace fails Patrik Karlsson (Apr 28)
- Re: http-trace fails Kris Katterjohn (Apr 28)