Nmap Development mailing list archives

Re: http-brute fails on json-rpc


From: David Fifield <david () bamsoftware com>
Date: Wed, 27 Apr 2011 21:15:48 -0700

On Mon, Mar 21, 2011 at 09:57:20PM +0200, Toni Ruottu wrote:
> I tested http-brute script against a json-rpc service. The script
> failed to detect the valid credentials. It tried the correct
> credentials against the daemon, but the payload was an invalid
> json-rpc message so the daemon returned code 500 (~parse error). I
> have attached a patch that fixes the problem by adding code 500 to
> indicate success. The original code has a comment that discusses the
> problem. The comment mentions that code 500 is a likely candidate for
> being added in the future. If the patch is applied the comment should
> probably be updated as well, but I left it as it is for now.
>
> There may still be some other codes that deserve to be among the ones
> that indicate success. We could create a heuristic that tests a few
> long random strings against a service to see which codes are returned
> on failure. We could then interpret any other codes as success. At
> least we could print such candidates to debugging output.

Thanks, this is a good suggestion. I didn't see a reason to allow 500
but prohibit other 5xx codes, so I changed it to allow all of them (I
expect that 500 is the most common).

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
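As an added illustration of the two points in this thread (not code from the nmap-dev list or from Nmap's http-brute script), the block below simulates a json-rpc endpoint behind HTTP authentication and compares a fixed success-code list with the "learn the failure codes from random credentials" baseline Toni proposed. The server behaviour, sample credentials and the old success-code set are all constructed assumptions for the demonstration.

```python
"""Added example (not from the nmap-dev thread or Nmap's http-brute): a
simulated json-rpc endpoint showing why a fixed list of "success" status
codes misses valid logins, and the baseline heuristic from the thread."""
import json
import random
import string

# Simulated server (constructed): HTTP auth in front of a json-rpc
# endpoint. Wrong credentials -> 401; right credentials with a body that
# is not a valid json-rpc request -> 500 (parse error), as in the thread.
VALID_CREDS = ("admin", "s3cret")  # constructed sample credentials


def simulated_jsonrpc_server(user, password, body):
    if (user, password) != VALID_CREDS:
        return 401
    try:
        req = json.loads(body)
        if not (isinstance(req, dict) and "method" in req):
            return 500
    except ValueError:
        return 500
    return 200


# Fixed-list approach: only a small set of codes counts as success.
# This set is an assumption for the example, not the script's own list.
SUCCESS_CODES_OLD = {200, 301, 302}


def is_success_fixed(status):
    return status in SUCCESS_CODES_OLD


def learn_failure_codes(probe, attempts=5, length=24):
    """Baseline heuristic from the thread: send long random credentials,
    record the status codes that come back, and treat those as failure."""
    failures = set()
    for _ in range(attempts):
        junk = "".join(random.choices(string.ascii_letters + string.digits, k=length))
        failures.add(probe(junk, junk))
    return failures


def is_success_learned(status, failure_codes):
    # Any code never seen for random credentials is a success candidate.
    return status not in failure_codes


def classify_attempt(user, password, body=""):
    """Return (status, fixed-list verdict, learned-baseline verdict)."""
    probe = lambda u, p: simulated_jsonrpc_server(u, p, body)
    failure_codes = learn_failure_codes(probe)
    status = probe(user, password)
    return status, is_success_fixed(status), is_success_learned(status, failure_codes)
```

With an empty request body the valid login comes back as 500, which the fixed list rejects and the learned baseline (having only ever seen 401) flags as a candidate, which is exactly the mismatch the patch addressed.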
