Nmap Development mailing list archives

Re: http-methods & http-trace NSE Script Enhancement Ideas

From: Toni Ruottu <toni.ruottu () iki fi>
Date: Wed, 23 May 2012 18:41:06 +0300

Does this affect http-cors too?

On Wednesday, 23 May 2012, Paulino Calderon wrote:

On 23/05/2012 07:17 a.m., King Thorin wrote:

I was just looking through some online docs and some nmap results. I've
never seen a server that includes public or allow header(s) on a
redirect response [maybe my experience is limited?]. It seems to me that
the http-methods NSE should follow
redirects (HTTP 301, 302, 303) in order to perform the necessary OPTIONS
 request on a page/resource that's providing a HTTP 200.


Perhaps similar to the http-trace script:
http://nmap.org/svn/scripts/**http-trace.nse<http://nmap.org/svn/scripts/http-trace.nse>
Though
 even that only follows one 301 or 302 redirect.

Further, maybe both scripts should follow a configurable
 # of redirects (default 2, 3, 4 and configurable further) looking for a
 HTTP 200&  handle 301, 302, and 303 redirect codes.


Reference:
http://www.w3.org/Protocols/**rfc2616/rfc2616-sec10.html<http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html>

I've emailed the devs of both scripts without any luck.



I'd be glad to provide the necessary changes, if someone can simply fill
me in as to how they should be submitted.


______________________________**_________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/**mailman/listinfo/nmap-dev<http://cgi.insecure.org/mailman/listinfo/nmap-dev>
Archived at http://seclists.org/nmap-dev/

I think adding a configuration value for redirects will work better in
some cases. I would say most of the libraries follow 2-3 redirects but no
more than that. In your experience, what would be a good default?

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn

______________________________**_________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/**mailman/listinfo/nmap-dev<http://cgi.insecure.org/mailman/listinfo/nmap-dev>
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 23)
- Re: http-methods & http-trace NSE Script Enhancement Ideas Paulino Calderon (May 23)
  - Re: http-methods & http-trace NSE Script Enhancement Ideas Toni Ruottu (May 23)
    - RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 23)
    - Re: http-methods & http-trace NSE Script Enhancement Ideas Patrik Karlsson (May 23)
    - RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 23)
- Re: http-methods & http-trace NSE Script Enhancement Ideas David Fifield (May 24)
  - RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 25)
    - Re: http-methods & http-trace NSE Script Enhancement Ideas Patrik Karlsson (May 25)
    - RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 25)
    - Re: http-methods & http-trace NSE Script Enhancement Ideas Patrik Karlsson (May 25)
    - RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 27)
    - RE: http-methods & http-trace NSE Script Enhancement Ideas King Thorin (May 30)

(Thread continues...)