Re: [NSE] http-git.nse - false positive

[Tom Sellers <nmap () fadedcode net>]

On 3/5/2013 3:38 PM, David Fifield wrote:
> On Sat, Mar 02, 2013 at 09:46:03AM -0600, Tom Sellers wrote:
> >   http-git.nse will generate false positives against any HTTP service that
> > returns status code 200 when '.git/HEAD' is requested.  There are quite a
> > few "broken" web services that will return 200 to any request.
> >
> > The logic around line 97 should probably be reworked to match valid content
> > of the .git/HEAD file.  All of the copies of this file that I could find seem to
> > contain 'ref: refs/heads/master' but I don't know that this is representative
> > of what the file could contain.
>
> I was able to get contents of the file looking like any of these,
> depending on what branch I have checked out:
> ref: refs/heads/master
> ref: refs/heads/tmp
> 5b050a66d39b746a7ddcc0a2fb6272b99eb0018c
>
> Here are some docs:
> http://git-scm.com/book/ch9-3.html#The-HEAD
> https://www.kernel.org/pub/software/scm/git/docs/git-symbolic-ref.html
>
> How about checking that the first line begins with "ref: " or else is a
> 160-bit hex string? Can you do it?

The attached patch has been tested against valid HEAD files (as specified above),
non-hosting sites and sites that report 200 to everything.

Tom

Attachment: http-git.diff
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/