Nmap Development mailing list archives
Re: [NSE] http-methods update
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sun, 14 Jun 2015 23:08:51 -0500
Gyani, This is looking good. Here are a few points of feedback: 1. The script-args should still be referred to by their fully-qualified names. Even though --script-args url-path=/ works, the NSEdoc should call the argument "http-methods.url-path" in the @args and @usage sections. 2. I don't think we need to keep the "See http://nmap.org/nsedoc/scripts/http-methods.html" line in the output. There is no information there that is not in the script file itself, and we should be able to expect users to find the documentation if they have questions about output. 3. Instead of the odd line using :sub and :find to strip the newline from the status line, use str:gsub('\r?\n', ''), since the line could also contain \r 4. Please add structured (XML) output by separating headings ("Supported Methods") from data ("GET", "HEAD", etc.). Dan On Thu, May 28, 2015 at 1:45 PM, Gyanendra Mishra <anomaly.the () gmail com> wrote:
Hi list, I made a few changes to the update earlier posted. Now I am matching the response to that of a random method in case the response code is between 4xx and 5xx and is not 501 or 405(marked not allowed). If the response code matches then the method is considered not allowed. Anything else is considered allowed. Gyani On Sun, May 24, 2015 at 1:34 AM, Gyanendra Mishra <anomaly.the () gmail com> wrote:Hi list, I was working on the script idea http-methods update[1]. The script would earlier send an OPTIONS request and parse the 'allow' and 'public' headers to show allowed methods. There are cases in which the (i) OPTIONS method is itself disabled, (ii) contains no 'allow' or 'public' headers if OPTIONS is enabled or (iii) the 'allow'/ 'public' headers don't contain all allowed methods. This updated script[2] now marks HEAD, GET, POST, OPTIONS as SAFE and PUT, DELETE, CONNECT as UNSAFE. It tests all the SAFE methods not in the 'allow'/'public' headers one by one by sending generic requests and adds them to the allowed methods list if the response is anything other than status codes 501 and 405. To also test all the UNSAFE methods one can set test-all-unsafe to true. This is the added script argument as mentioned in the ideas page. Please comment on the implementation. Is there something more that I need to look at that I might have missed? TODOs : * Add @xmloutput. * Not recheck OPTIONS method ever. * Fix documentation to include recent changes. * Comment code to explain changes. Gyani [1]https://secwiki.org/w/Nmap/Script_Ideas#http-methods_update [2]https://svn.nmap.org/nmap-exp/gyani/scripts/http-methods.nse_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] http-methods update Gyanendra Mishra (May 23)
- Re: [NSE] http-methods update Gyanendra Mishra (May 28)
- Re: [NSE] http-methods update Daniel Miller (Jun 14)
- Re: [NSE] http-methods update Gyanendra Mishra (Jun 20)
- Re: [NSE] http-methods update Daniel Miller (Jun 14)
- Re: [NSE] http-methods update Gyanendra Mishra (May 28)