Nmap Development mailing list archives
Re: Built-in authentication for http.lua
From: David Fifield <david () bamsoftware com>
Date: Sun, 25 Jul 2010 17:28:48 -0600
On Wed, Jul 21, 2010 at 11:11:31PM -0600, David Fifield wrote:
The http library doesn't have support for HTTP authentication. The one script that needs it, http-auth, implements it itself, parsing the WWW-Authenticate header and creating a credentials string with the base64 library. Here is a patch to make this automatic through the http library. You use it like this:

http.get(host, port, path, { auth = { username = "username", password = "password" } })

In other words, it just adds a new key to the "options" table.

Although it's not necessary for Basic authentication, I added code to parse the WWW-Authenticate header, the logic of which is copied from Ncat. This replaces the pcre-using code in http-auth, and will also be necessary to support Digest authentication.

Speaking of Digest, the current implementation wouldn't work well for that. With Basic you can fire and forget--just send username:password in the clear with every request. With Digest, you have to make an initial unauthenticated request to get the nonce, then retry the request. A server can offer both Basic and Digest, and if you blindly send Basic credentials in your first request, you've just disclosed your password unnecessarily.

I struggled for a while trying to make the http library try the request unauthenticated first, then retry if authentication is required. I found it hard to fit in with the http functions we have already. So I decided on this implementation, the interface of which can remain the same even if we move to a retrying model.
I committed this today in r19231.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
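The two pieces the message describes, parsing a WWW-Authenticate header that may carry several challenges and answering it without disclosing the password when Digest is on offer, as an added, stand-alone example. This is Python written for this page, not the NSE http.lua code, the http-auth script, or the Ncat parser the patch copies; function names (parse_www_authenticate, authorization_for and friends) are illustrative, the challenge string is constructed rather than captured from a server, and the Digest parameters are the RFC 2617 section 3.5 test vector so the computed response can be checked. It implements the retrying model the message aims for: the client sends nothing on the first request, and only builds an Authorization value once the 401 tells it which schemes are available, preferring Digest over Basic.

```python
"""Challenge-driven HTTP client auth: parse WWW-Authenticate and answer with the
strongest scheme offered (Digest over Basic), so a cleartext username:password is
never sent when the server would also accept Digest.  Added example, not NSE code."""
import base64
import hashlib
import re
import uuid

# RFC 7230 "tchar" characters, used for auth-scheme and parameter names.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One step of the WWW-Authenticate grammar: a name=value pair (quoted-string or
# token), a bare token (which starts a new challenge), or a comma separator.
_TOKEN_RE = re.compile(
    r"\s*(?:"
    r"(?P<name>" + _TCHAR + r")\s*=\s*(?:\"(?P<quoted>(?:[^\"\\]|\\.)*)\"|(?P<token>[^\s,]+))"
    r"|(?P<scheme>" + _TCHAR + r")"
    r"|(?P<sep>,)"
    r")\s*"
)


def parse_www_authenticate(value):
    """Return [(scheme, {param: value})] for one WWW-Authenticate header value.

    Several challenges may share a header, e.g. 'Basic realm="r", Digest realm="r",
    nonce="n"'.  Parameters are comma separated too, so a token followed by '=' is a
    parameter of the current challenge and any other token opens a new challenge.
    Quoted values may contain commas and backslash-escaped quotes."""
    challenges = []
    value = value.strip()
    pos = 0
    while pos < len(value):
        m = _TOKEN_RE.match(value, pos)
        if m is None:
            raise ValueError("malformed WWW-Authenticate at offset %d" % pos)
        pos = m.end()
        if m.group("sep") is not None:
            continue
        if m.group("scheme") is not None:
            challenges.append((m.group("scheme").lower(), {}))
            continue
        if not challenges:
            raise ValueError("parameter %r before any auth-scheme" % m.group("name"))
        val = m.group("quoted")
        val = m.group("token") if val is None else re.sub(r"\\(.)", r"\1", val)
        challenges[-1][1][m.group("name").lower()] = val
    return challenges


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def basic_authorization(username, password):
    """RFC 2617 Basic: base64 only, i.e. the password travels in the clear."""
    creds = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def digest_authorization(username, password, method, uri, params, cnonce=None, nc=1):
    """RFC 2617 Digest (MD5, qop=auth or the legacy no-qop form).  Only MD5 responses
    bound to the server nonce go on the wire, which is why the nonce is fetched first."""
    if params.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("unsupported Digest algorithm %r" % params["algorithm"])
    realm, nonce = params["realm"], params["nonce"]
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    qops = [q.strip().lower() for q in params.get("qop", "").split(",") if q.strip()]
    fields = [("username", username), ("realm", realm), ("nonce", nonce), ("uri", uri)]
    if "auth" in qops:
        cnonce = cnonce or uuid.uuid4().hex[:16]  # fresh client nonce per request
        ncv = "%08x" % nc                         # request counter under this server nonce
        response = _md5("%s:%s:%s:%s:auth:%s" % (ha1, nonce, ncv, cnonce, ha2))
        fields += [("qop", "auth"), ("nc", ncv), ("cnonce", cnonce)]
    elif qops:
        raise ValueError("only qop=auth is implemented; server offered %r" % params["qop"])
    else:
        response = _md5("%s:%s:%s" % (ha1, nonce, ha2))  # RFC 2069 compatibility form
    fields.append(("response", response))
    if "opaque" in params:
        fields.append(("opaque", params["opaque"]))
    unquoted = {"qop", "nc"}  # RFC 2617 sends these two as bare tokens
    return "Digest " + ", ".join(
        "%s=%s" % (k, v) if k in unquoted else '%s="%s"' % (k, v) for k, v in fields)


# Strongest first: answering a Basic challenge when Digest is also offered
# discloses the password for nothing.
_PREFERENCE = ("digest", "basic")


def authorization_for(www_authenticate, username, password, method, uri, cnonce=None):
    """Second step of the retry model: given the 401's WWW-Authenticate value,
    build the Authorization value for the retried request."""
    offered = dict(parse_www_authenticate(www_authenticate))
    for scheme in _PREFERENCE:
        if scheme not in offered:
            continue
        if scheme == "digest":
            return digest_authorization(username, password, method, uri,
                                        offered["digest"], cnonce=cnonce)
        return basic_authorization(username, password)
    raise ValueError("no supported scheme offered: %s" % ", ".join(sorted(offered)))


if __name__ == "__main__":
    # Constructed challenge (not a captured server response); the Digest values are
    # the RFC 2617 section 3.5 example so the response can be checked by hand.
    challenge = ('Basic realm="testrealm@host.com", '
                 'Digest realm="testrealm@host.com", qop="auth,auth-int", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                 'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
    for scheme, params in parse_www_authenticate(challenge):
        print(scheme, params)
    print(authorization_for(challenge, "Mufasa", "Circle Of Life",
                            "GET", "/dir/index.html", cnonce="0a4f113b"))
```

Two things worth noting about the design: the nc counter and cnonce must change for every request reusing the same server nonce, otherwise the server is entitled to reject the replay; and with the preference order above the Basic credentials are only ever built when Basic is the sole scheme offered, which is exactly the disclosure the message warns about when a client sends Basic on its first, unchallenged request.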
Current thread:
- Built-in authentication for http.lua David Fifield (Jul 21)
- Re: Built-in authentication for http.lua David Fifield (Jul 25)
- Re: Built-in authentication for http.lua Patrik Karlsson (Jul 31)
- Re: Built-in authentication for http.lua David Fifield (Aug 12)
- Re: Built-in authentication for http.lua Patrick Donnelly (Aug 13)
- Re: Built-in authentication for http.lua Patrick Donnelly (Aug 13)
- Re: Built-in authentication for http.lua David Fifield (Sep 22)
- Re: Built-in authentication for http.lua Patrick Donnelly (Sep 22)
- Re: Built-in authentication for http.lua David Fifield (Sep 23)
- Re: Built-in authentication for http.lua Patrik Karlsson (Jul 31)
- Re: Built-in authentication for http.lua David Fifield (Jul 25)