Re: [NSE] Avoid caching http-form-fuzzer results?

[Patrick Donnelly <batrick () batbytes com>]

On Fri, Jul 6, 2012 at 5:47 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
> List,
>
> I was running a scan with http-form-fuzzer, and got to thinking about the
> http cache. Not long into the scan, I had hit the maximum cache size. Since
> http-form-fuzzer sends random strings, the chance that something else will
> need to get the cached response for those requests is very low. I propose
> something like this patch:
> > index a43d0af..c5914cc 100644
> > --- a/scripts/http-form-fuzzer.nse
> > +++ b/scripts/http-form-fuzzer.nse
> > @@ -157,7 +157,7 @@ local function fuzz_form(form, minlen, maxlen, host,
> > port, path)
> >    if form["method"]=="post" then
> >      sending_function = function(data) return http.post(host, port,
> > form_submission_path, nil, nil, data) end
> >    else
> > -    sending_function = function(data) return http.get(host, port,
> > form_submission_path..generate_get_string(data)) end
> > +    sending_function = function(data) return http.get(host, port,
> > form_submission_path..generate_get_string(data), {no_cache=true}) end
> >    end
> >
> >    for _,field in ipairs(form["fields"]) do
>
>
> Post requests don't need changing, since they are not (and should not be)
> cached anyway. I'm not sure if this is the best way to go about making this
> change, so I would welcome any input or other modifications.

This is a good change. Please apply it Daniel.

-- 
- Patrick Donnelly
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/