Nmap Development mailing list archives
Re: [NSE] http-verb-tamper
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 4 Nov 2011 21:49:22 +0100
On Fri, Nov 4, 2011 at 2:55 PM, Hani Benhabiles <kroosec () gmail com> wrote:
> Hi list,
>
> Attached is an NSE script to check for authentication bypass via HTTP verb tampering.
>
> description = [[
> Checks if the target is vulnerable to authentication bypass via HTTP verb tampering.
>
> It works by checking if a target that requires authentication or redirects to a login page could be bypassed via a HEAD request. RFC 2616 specifies that the HEAD request should be treated exactly like GET but with no returned response body.
>
> For more information, see:
> * CVE-2010-738 https://bugzilla.redhat.com/show_bug.cgi?id=574105
> * http://www.imperva.com/resources/glossary/http_verb_tampering.html
> * https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
> ]]
>
> Hope it helps.
>
> Cheers,
> --
> M. Hani Benhabiles
> Blog: http://kroosec.blogspot.com
> Twitter: @kroosec
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Hi Hani,

Thanks for submitting this script! I had a quick look at it and I noticed that the script argument read in the action method does not reflect the one documented in the usage. Also, I'm not sure how widespread this vulnerability is and if it would make more sense to target the reported JBoss vulnerability instead? Or maybe have two scripts, one generic like the one you submitted, and one that targets CVE-2010-738 specifically. While I appreciate that the generic script could be used to detect CVE-2010-738 I think it would be better to be able to do so without needing to supply the path.

What do other people on the list think?

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
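The comparison the quoted script description outlines (an unauthenticated GET is challenged or redirected, while HEAD to the same path is served) can be modelled offline as follows. This is an added example, not the script attached to the thread and not part of either message; the handler names, the `/login` location and the realm are constructed, and any redirect is treated as a login redirect for simplicity.

```python
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str]]  # (status code, headers); body omitted


def vulnerable_app(method: str, authed: bool = False) -> Response:
    """Constructed flaw: the access rule is attached to GET and POST only."""
    if method in ("GET", "POST") and not authed:
        return 302, {"Location": "/login"}
    return 200, {}  # HEAD and any other verb skip the rule


def hardened_app(method: str, authed: bool = False) -> Response:
    """Corrected form: authenticate first, whatever the method is."""
    if not authed:
        return 401, {"WWW-Authenticate": 'Basic realm="admin"'}
    if method not in ("GET", "HEAD", "POST"):
        return 405, {"Allow": "GET, HEAD, POST"}
    return 200, {}


def public_app(method: str, authed: bool = False) -> Response:
    """Constructed control: a path that never required authentication."""
    return 200, {}


def is_protected(resp: Response) -> bool:
    """True for a 401 challenge or a redirect carrying a Location header."""
    status, headers = resp
    return status == 401 or (status in (301, 302, 303, 307) and "Location" in headers)


def head_bypasses_auth(send: Callable[[str], Response]) -> Optional[bool]:
    """Compare unauthenticated GET and HEAD for one path.

    None  -> GET is not protected, so there is nothing to bypass
    True  -> GET is protected but HEAD is answered with 200
    False -> HEAD is challenged or refused like GET
    """
    if not is_protected(send("GET")):
        return None
    head_status, _ = send("HEAD")
    return head_status == 200


if __name__ == "__main__":
    for app in (vulnerable_app, hardened_app, public_app):
        print(app.__name__, head_bypasses_auth(app))
```

The `None` result matters in practice: without the GET baseline, a 200 on HEAD for a public path would be reported as a bypass.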