Re: Built-in authentication for http.lua

[David Fifield <david () bamsoftware com>]

On Wed, Jul 21, 2010 at 11:11:31PM -0600, David Fifield wrote:
> The http library doesn't have support for HTTP authentication. The one
> script that needs it, http-auth, implements it itself, parsing the
> WWW-Authenticate header and creating a credentials string with the
> base64 library.
>
> Here is a patch to make this automatic through the http library. You use
> it like this:
>
>       http.get(host, port, path, { auth = { username = "username", password = "password" } })
>
> In other words, it just adds a new key to the "options" table.
>
> Although it's not necessary for Basic authentication, I added code to
> parse the WWW-Authenticate header, the logic of which is copied from
> Ncat. This replaces the pcre-using code in http-auth, and will also be
> necessary to support Digest authentication.
>
> Speaking of Digest, the current implementation wouldn't work well for
> that. With Basic you can fire and forget--just send username:password in
> the clear with every request. With Digest, you have to make an initial
> unauthenticated request to get the nonce, then retry the request. A
> server can offer both Basic and Digest, and if you blindly send Basic
> credentials in your first request, you've just disclosed your password
> unnecessarily.
>
> I struggled for a while trying to make the http library try the request
> unauthenticated first, then retry if authentication is required. I found
> it hard to fit in with the http functions we have already. So I decided
> on this implementation, the interface of which can remain the same even
> if we move to a retrying model.

I committed this today in r19231.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/