Nmap Development mailing list archives
[NSE] http-verb-tamper
From: Hani Benhabiles <kroosec () gmail com>
Date: Fri, 4 Nov 2011 14:55:09 +0100
Hi list,

Attached is an NSE script to check for authentication bypass via HTTP verb tampering.

description = [[
Checks if the target is vulnerable to authentication bypass via HTTP verb tampering.

It works by checking if a target that requires authentication or redirects to a login page could be bypassed via a HEAD request. RFC 2616 specifies that the HEAD request should be treated exactly like GET but with no returned response body.

For more information, see:
* CVE-2010-738 https://bugzilla.redhat.com/show_bug.cgi?id=574105
* http://www.imperva.com/resources/glossary/http_verb_tampering.html
* https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
]]

Hope it helps.

Cheers,
--
M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: @kroosec
Attachment: http-verb-tamper.nse
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
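The check the script's description outlines, written out as an added example in Python; this is not the NSE script attached to the post. It starts an in-process web server with a constructed vulnerable handler (authorization is checked in do_GET only, so do_HEAD skips it) next to a hardened one that routes HEAD through the same gate as GET, then probes both the way the script would probe a target: if an unauthenticated GET is gated (401/403 or a redirect) but an unauthenticated HEAD returns 200, the target is flagged. The credentials, the /admin path and all handler code are assumptions made for the demo.

```python
"""HTTP verb-tampering check: does a path that demands auth on GET let HEAD through?

Added example, not the NSE script from the post. Runs a constructed
vulnerable and a constructed hardened server in-process and probes them.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "admin", "secret"  # constructed credentials for the demo


class VulnerableHandler(BaseHTTPRequestHandler):
    """Checks credentials in do_GET only; do_HEAD forgets the check."""

    def _authorized(self):
        token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
        return self.headers.get("Authorization") == "Basic " + token

    def _deny(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="admin"')
        self.end_headers()

    def _allow(self, body=b"admin console"):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":  # HEAD: same headers, no body (RFC 2616)
            self.wfile.write(body)

    def do_GET(self):
        if self._authorized():
            self._allow()
        else:
            self._deny()

    def do_HEAD(self):
        # The bug: the "no body" code path never asks for credentials.
        self._allow()

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(VulnerableHandler):
    """Routes HEAD through the same authorization gate as GET."""

    def do_HEAD(self):
        self.do_GET()  # _allow() already suppresses the body for HEAD


def probe(host, port, path="/admin"):
    """Return (get_status, head_status) for an unauthenticated request pair."""
    statuses = []
    for method in ("GET", "HEAD"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        statuses.append(resp.status)
        conn.close()
    return tuple(statuses)


def verb_tamper_bypass(host, port, path="/admin"):
    """True when GET is gated (401/403 or a redirect to login) but HEAD gives 200."""
    get_status, head_status = probe(host, port, path)
    gated = get_status in (401, 403) or 300 <= get_status < 400
    return gated and head_status == 200


def serve(handler):
    """Start handler on an ephemeral loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Probe both constructed servers; map name -> whether HEAD bypasses auth."""
    results = {}
    for name, handler in (("vulnerable", VulnerableHandler),
                          ("hardened", HardenedHandler)):
        srv, port = serve(handler)
        try:
            results[name] = verb_tamper_bypass("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, bypass in demo().items():
        print(f"{name}: {'BYPASS via HEAD' if bypass else 'no bypass'}")
```

The probe deliberately compares status codes rather than bodies, because a correct HEAD response carries no body to compare; a 200 on HEAD where GET was refused is the signal. Against a real target the same pair of requests is what the NSE script sends, and a redirect-to-login on GET counts as "gated" just like a 401.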
Current thread:
- [NSE] http-verb-tamper Hani Benhabiles (Nov 04)
- Re: [NSE] http-verb-tamper Patrik Karlsson (Nov 04)
- Re: [NSE] http-verb-tamper Hani Benhabiles (Nov 04)
- Re: [NSE] http-verb-tamper David Fifield (Nov 06)
- Re: [NSE] http-verb-tamper Hani Benhabiles (Nov 07)
- Re: [NSE] http-verb-tamper Patrik Karlsson (Nov 08)
- Re: [NSE] http-verb-tamper Djalal Harouni (Nov 09)
- Re: [NSE] http-verb-tamper Hani Benhabiles (Nov 04)
- Re: [NSE] http-verb-tamper Patrik Karlsson (Nov 04)