Nmap Development mailing list archives

Re: [NSE] Avoid caching http-form-fuzzer results?


From: Paulino Calderon <paulino () calderonpale com>
Date: Fri, 06 Jul 2012 17:08:11 -0500

On 06/07/2012 04:47 p.m., Daniel Miller wrote:
List,

I was running a scan with http-form-fuzzer, and got to thinking about the http cache. Not long into the scan, I had hit the maximum cache size. Since http-form-fuzzer sends random strings, the chance that something else will need to get the cached response for those requests is very low. I propose something like this patch:
index a43d0af..c5914cc 100644
--- a/scripts/http-form-fuzzer.nse
+++ b/scripts/http-form-fuzzer.nse
@@ -157,7 +157,7 @@ local function fuzz_form(form, minlen, maxlen, host, port, path)
   if form["method"]=="post" then
sending_function = function(data) return http.post(host, port, form_submission_path, nil, nil, data) end
   else
- sending_function = function(data) return http.get(host, port, form_submission_path..generate_get_string(data)) end + sending_function = function(data) return http.get(host, port, form_submission_path..generate_get_string(data), {no_cache=true}) end
   end

   for _,field in ipairs(form["fields"]) do
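Review bot: The changed http.get line in fuzz_form gives no reason for {no_cache=true}, so a later cleanup could drop the option as noise. A one-line comment above the assignment would record the intent, for example that the fuzz strings are random and their responses would only fill the HTTP cache. The http.post branch in the context lines still passes nil for its options, which matches the stated intent to leave POST alone. With the options table added, the anonymous function is now long enough that it is worth breaking over several lines.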

Post requests don't need changing, since they are not (and should not be) cached anyway. I'm not sure if this is the best way to go about making this change, so I would welcome any input or other modifications.

Dan

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

+1. The patch will fix this issue. In some related news, I'll be submitting a patch this weekend to add the possibility of disabling cache by setting http-max-cache-size=0. However, this script needs the no_cache directive so users won't have to set an additional argument to use it.

Cheers.

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn
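
The cache concern discussed in this thread, as an added example that is not part of either message and is not code from Nmap's http library: a simplified model of a bounded response cache showing how random fuzz requests push out entries other scripts could reuse unless the fuzzer's responses are not stored. The entry-count limit, oldest-first eviction, the URLs and all function names are assumptions made for the illustration.

```lua
-- Simplified model of a size-bounded HTTP response cache (constructed for
-- illustration; assumptions: limit counted in entries, oldest evicted first).
local function new_cache(max_entries)
  return { max = max_entries, order = {}, store = {} }
end

-- Fetch a URL through the cache. opts.no_cache means "do not store the
-- response", mirroring the option used in the patch above.
local function get(cache, url, opts)
  if cache.store[url] then return "hit" end
  if opts and opts.no_cache then return "miss" end
  cache.store[url] = true
  table.insert(cache.order, url)
  -- Evict the oldest entries once the cache is over its limit.
  while #cache.order > cache.max do
    cache.store[table.remove(cache.order, 1)] = nil
  end
  return "miss"
end

-- Random lowercase string, standing in for the fuzzer's generated input.
local function random_string(len)
  local t = {}
  for i = 1, len do t[i] = string.char(math.random(97, 122)) end
  return table.concat(t)
end

-- A crawl caches some pages, a fuzzer sends random GET parameters, then a
-- later script asks for the crawled pages again. Returns how many of those
-- later requests were served from the cache.
local function simulate(fuzzer_opts)
  local cache = new_cache(50)
  local pages = {}
  for i = 1, 20 do pages[i] = "/page" .. i end
  for _, p in ipairs(pages) do get(cache, p) end
  for _ = 1, 500 do
    get(cache, "/form?q=" .. random_string(32), fuzzer_opts)
  end
  local hits = 0
  for _, p in ipairs(pages) do
    if get(cache, p) == "hit" then hits = hits + 1 end
  end
  return hits
end

print("reusable pages still cached, fuzzer responses stored:", simulate(nil))
print("reusable pages still cached, fuzzer uses no_cache:   ", simulate({ no_cache = true }))
```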
