Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NSE] http-methods update

From: Daniel Miller <bonsaiviking () gmail com>
Date: Sun, 14 Jun 2015 23:08:51 -0500
Gyani,

This is looking good. Here are a few points of feedback:

1. The script-args should still be referred to by their fully-qualified
names. Even though --script-args url-path=/ works, the NSEdoc should call
the argument "http-methods.url-path" in the @args and @usage sections.

2. I don't think we need to keep the "See
http://nmap.org/nsedoc/scripts/http-methods.html"; line in the output. There
is no information there that is not in the script file itself, and we
should be able to expect users to find the documentation if they have
questions about output.

3. Instead of the odd line using :sub and :find to strip the newline from
the status line, use str:gsub('\r?\n', ''), since the line could also
contain \r

4. Please add structured (XML) output by separating headings ("Supported
Methods") from data ("GET", "HEAD", etc.).

Dan

On Thu, May 28, 2015 at 1:45 PM, Gyanendra Mishra <anomaly.the () gmail com>
wrote:


Hi list,

I made a few changes to the update earlier posted. Now I am matching the
response to that of a random method in case the response code is between
4xx and 5xx and is not 501 or 405(marked not allowed). If the response code
matches then the method is considered not allowed. Anything else is
considered allowed.

Gyani

On Sun, May 24, 2015 at 1:34 AM, Gyanendra Mishra <anomaly.the () gmail com>
wrote:


Hi list,

I was working on the script idea http-methods update[1]. The script would
earlier send an OPTIONS request and parse the 'allow' and 'public' headers
to show allowed methods. There are cases in which the (i) OPTIONS method is
itself disabled, (ii) contains no 'allow' or 'public' headers if OPTIONS is
enabled or (iii) the 'allow'/ 'public' headers don't contain all allowed
methods.

This updated script[2]  now marks HEAD, GET, POST, OPTIONS as SAFE and
PUT, DELETE, CONNECT as UNSAFE. It tests all the SAFE methods not in the
'allow'/'public'  headers one by one by sending generic requests and adds
them to the allowed methods list if the response is anything other than
status codes 501 and 405. To also test all the UNSAFE methods one can set
test-all-unsafe to true. This is the added script argument as mentioned in
the ideas page.

Please comment on the implementation. Is there something more that I need
to look at that I might have missed?

TODOs :
 * Add @xmloutput.
 * Not recheck OPTIONS method ever.
 * Fix documentation to include recent changes.
 * Comment code to explain changes.

Gyani

[1]https://secwiki.org/w/Nmap/Script_Ideas#http-methods_update
[2]https://svn.nmap.org/nmap-exp/gyani/scripts/http-methods.nse




_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: