Nmap Development mailing list archives
Re: [NSE] http-methods update
From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Fri, 29 May 2015 00:15:27 +0530
Hi list,

I made a few changes to the update earlier posted. Now I am matching the response to that of a random method in case the response code is between 4xx and 5xx and is not 501 or 405 (marked not allowed). If the response code matches then the method is considered not allowed. Anything else is considered allowed.

Gyani

On Sun, May 24, 2015 at 1:34 AM, Gyanendra Mishra <anomaly.the () gmail com> wrote:
Hi list,

I was working on the script idea http-methods update[1]. The script would earlier send an OPTIONS request and parse the 'allow' and 'public' headers to show allowed methods. There are cases in which the (i) OPTIONS method is itself disabled, (ii) contains no 'allow' or 'public' headers if OPTIONS is enabled or (iii) the 'allow'/'public' headers don't contain all allowed methods.

This updated script[2] now marks HEAD, GET, POST, OPTIONS as SAFE and PUT, DELETE, CONNECT as UNSAFE. It tests all the SAFE methods not in the 'allow'/'public' headers one by one by sending generic requests and adds them to the allowed methods list if the response is anything other than status codes 501 and 405. To also test all the UNSAFE methods one can set test-all-unsafe to true. This is the added script argument as mentioned in the ideas page.

Please comment on the implementation. Is there something more that I need to look at that I might have missed?

TODOs:
* Add @xmloutput.
* Not recheck OPTIONS method ever.
* Fix documentation to include recent changes.
* Comment code to explain changes.

Gyani

[1] https://secwiki.org/w/Nmap/Script_Ideas#http-methods_update
[2] https://svn.nmap.org/nmap-exp/gyani/scripts/http-methods.nse
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
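The decision logic described in the two messages above, sketched in plain Lua (the language NSE scripts are written in). This is an added example, not part of either post and not code from http-methods.nse; the function names, the `send` callback, the random method name `QWERTY` and the simulated server are all assumptions made for illustration.

```lua
-- Added illustration: all names here are hypothetical, not taken from http-methods.nse.
local SAFE   = { "HEAD", "GET", "POST", "OPTIONS" }
local UNSAFE = { "PUT", "DELETE", "CONNECT" }

-- Add each method named in a comma-separated Allow/Public value to `set`.
local function parse_header(value, set)
  for m in (value or ""):gmatch("[^,%s]+") do set[m:upper()] = true end
end

-- status: code returned for the probed method.
-- baseline: code the same server returned for a random, nonexistent method.
local function is_allowed(status, baseline)
  if status == 405 or status == 501 then return false end
  if status >= 400 and status <= 599 and status == baseline then return false end
  return true
end

-- send(method) must return { status = <number>, header = { allow = ..., public = ... } }.
local function allowed_methods(send, random_method, test_all_unsafe)
  local allowed = {}
  local opts = send("OPTIONS")
  parse_header(opts.header.allow, allowed)
  parse_header(opts.header.public, allowed)
  local baseline = send(random_method).status
  local groups = { SAFE }
  if test_all_unsafe then groups[2] = UNSAFE end
  for _, group in ipairs(groups) do
    for _, method in ipairs(group) do
      if not allowed[method] and is_allowed(send(method).status, baseline) then
        allowed[method] = true
      end
    end
  end
  local out = {}
  for m in pairs(allowed) do out[#out + 1] = m end
  table.sort(out)
  return out
end

-- Constructed server: Allow lists only GET and HEAD; unknown methods get 403.
local statuses = { OPTIONS = 200, GET = 200, HEAD = 200, POST = 200,
                   PUT = 403, DELETE = 405, CONNECT = 400 }
local function fake_send(method)
  local r = { status = statuses[method] or 403, header = {} }
  if method == "OPTIONS" then r.header.allow = "GET, HEAD" end
  return r
end

print(table.concat(allowed_methods(fake_send, "QWERTY", false), " "))
print(table.concat(allowed_methods(fake_send, "QWERTY", true), " "))
```

Against the constructed server, PUT is rejected because its 403 matches the random-method baseline, while CONNECT's 400 differs from the baseline and is therefore reported as allowed; reviewing cases like that one is where the heuristic needs the most care.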