Nmap Development mailing list archives
RE: [NSE] Changes to http-auth
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Mon, 19 Dec 2011 07:47:35 -0000
My guess is that the charset bit of the string might be causing problems with the parsing, as all the rest are quoted string values? A quick look at http.lua suggests to me that we assume that the value is a quoted string as per the RFC. http://www.ietf.org/rfc/rfc2617.txt suggests that it should either be a token or a quoted string. I suspect we need to make read_auth_challenge or read_token_or_quoted_string a bit more flexible to cope with non-compliant headers? Rob -----Original Message----- From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Patrik Karlsson Sent: 19 December 2011 07:02 To: Patrik Karlsson; nmap-dev Subject: Re: [NSE] Changes to http-auth On Mon, Dec 19, 2011 at 1:22 AM, David Fifield <david () bamsoftware com>wrote:
On Sat, Dec 17, 2011 at 10:46:15PM +0100, Patrik Karlsson wrote:Hi all, I've reworked the http-auth to handle multiple Authentication headersbeingreturned from the server.Didn't it work that way before? The http library should join together multiple headers with a comma, and http.parse_www_authenticate should know how to deal with that. Manually parsing answer.rawheader seems wrong--http.parse_header does that already, including some tricky cases. I tested locally against a dummy server offering Basic and Digest and it worked before your patch. What did you run into that caused you to have to change it? ncat -l 8080 --sh-exec 'cat auth.http' -k David Fifield
Ok, I reverted my patch just now, but it doesn't work anymore for me, this is what I get: | Server returned status 401 but the WWW-Authenticate header could not | be parsed. |_WWW-Authenticate: Negotiate, NTLM, Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v1e4e256b4afb7f89b4eb43b241bb ecc019ac8910c0451d75eda21f0a01b277e4dd0ec235788fb373269ed29fa7da630b1",chars et=utf-8,realm=" example.com", Basic realm="example.com" It seems to fail in http.parse_www_authenticate as far as I can tell. I'll see if I can look into it later. Cheers, Patrik -- Patrik Karlsson http://www.cqure.net http://twitter.com/nevdull77 _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/ _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Changes to http-auth Patrik Karlsson (Dec 17)
- Re: [NSE] Changes to http-auth David Fifield (Dec 18)
- Re: [NSE] Changes to http-auth Patrik Karlsson (Dec 18)
- RE: [NSE] Changes to http-auth Rob Nicholls (Dec 18)
- RE: [NSE] Changes to http-auth Rob Nicholls (Dec 19)
- Re: [NSE] Changes to http-auth Patrik Karlsson (Dec 19)
- Re: [NSE] Changes to http-auth David Fifield (Dec 19)
- Re: [NSE] Changes to http-auth Patrik Karlsson (Dec 18)
- Re: [NSE] Changes to http-auth David Fifield (Dec 18)