Nmap Development mailing list archives

Re: [NSE] http-methods update


From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Sat, 20 Jun 2015 15:57:48 +0530

Hi list,

Thanks for the feedback, Dan!

I implemented the feedback Daniel had suggested above along with some more
changes he had suggested over IRC and committed this in revision 34687.

Gyani

On Mon, Jun 15, 2015 at 9:38 AM, Daniel Miller <bonsaiviking () gmail com>
wrote:

Gyani,

This is looking good. Here are a few points of feedback:

1. The script-args should still be referred to by their fully-qualified
names. Even though --script-args url-path=/ works, the NSEdoc should call
the argument "http-methods.url-path" in the @args and @usage sections.

2. I don't think we need to keep the "See
http://nmap.org/nsedoc/scripts/http-methods.html" line in the output.
There is no information there that is not in the script file itself, and we
should be able to expect users to find the documentation if they have
questions about output.

3. Instead of the odd line using :sub and :find to strip the newline from
the status line, use str:gsub('\r?\n', ''), since the line could also
contain \r.

4. Please add structured (XML) output by separating headings ("Supported
Methods") from data ("GET", "HEAD", etc.).

Dan

On Thu, May 28, 2015 at 1:45 PM, Gyanendra Mishra <anomaly.the () gmail com>
wrote:

Hi list,

I made a few changes to the update earlier posted. Now I am matching the
response to that of a random method in case the response code is between
4xx and 5xx and is not 501 or 405 (marked not allowed). If the response code
matches then the method is considered not allowed. Anything else is
considered allowed.

Gyani

On Sun, May 24, 2015 at 1:34 AM, Gyanendra Mishra <anomaly.the () gmail com>
wrote:

Hi list,

I was working on the script idea http-methods update[1]. The script
would earlier send an OPTIONS request and parse the 'allow' and 'public'
headers to show allowed methods. There are cases in which the (i) OPTIONS
method is itself disabled, (ii) contains no 'allow' or 'public' headers if
OPTIONS is enabled or (iii) the 'allow'/ 'public' headers don't contain all
allowed methods.

This updated script[2] now marks HEAD, GET, POST, OPTIONS as SAFE and
PUT, DELETE, CONNECT as UNSAFE. It tests all the SAFE methods not in the
'allow'/'public' headers one by one by sending generic requests and adds
them to the allowed methods list if the response is anything other than
status codes 501 and 405. To also test all the UNSAFE methods one can set
test-all-unsafe to true. This is the added script argument as mentioned in
the ideas page.

Please comment on the implementation. Is there something more that I
need to look at that I might have missed?

TODOs:
 * Add @xmloutput.
 * Not recheck OPTIONS method ever.
 * Fix documentation to include recent changes.
 * Comment code to explain changes.

Gyani

[1]https://secwiki.org/w/Nmap/Script_Ideas#http-methods_update
[2]https://svn.nmap.org/nmap-exp/gyani/scripts/http-methods.nse



_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
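
The method-classification rule described in this thread, as an added example that is not the http-methods.nse code committed in revision 34687: plain Lua with no NSE libraries, run offline on constructed responses. The function names, the table layout and the sample status codes are assumptions made for illustration.

```lua
-- Added example: the decision rule from the thread, run on constructed responses.
local SAFE   = { "HEAD", "GET", "POST", "OPTIONS" }
local UNSAFE = { "PUT", "DELETE", "CONNECT" }

-- Status lines may end in "\n" or "\r\n"; strip either form.
local function clean_status_line(line)
  return (line:gsub("\r?\n", ""))
end

-- 501/405 mean "not allowed"; any other 4xx/5xx counts as "not allowed" only
-- when a made-up method receives the same code (a generic error response).
local function is_allowed(status, random_status)
  if status == 501 or status == 405 then return false end
  if status >= 400 and status <= 599 and status == random_status then
    return false
  end
  return true
end

-- responses: method -> { status = n } (hypothetical layout, constructed data)
-- advertised: value of the Allow/Public header from OPTIONS, or nil
local function supported_methods(responses, advertised, random_status, test_all_unsafe)
  local seen, out = {}, {}
  for m in (advertised or ""):gmatch("[^,%s]+") do
    seen[m] = true; out[#out + 1] = m
  end
  local candidates = {}
  for _, m in ipairs(SAFE) do candidates[#candidates + 1] = m end
  if test_all_unsafe then
    for _, m in ipairs(UNSAFE) do candidates[#candidates + 1] = m end
  end
  for _, m in ipairs(candidates) do
    local r = responses[m]
    if not seen[m] and r and is_allowed(r.status, random_status) then
      seen[m] = true; out[#out + 1] = m
    end
  end
  -- Heading kept apart from the data so it can be emitted as structured output.
  return { ["Supported Methods"] = out }
end

-- Constructed sample: OPTIONS advertises only GET and HEAD; a random method gets 403.
local responses = {
  POST = { status = 200 }, OPTIONS = { status = 200 },
  PUT = { status = 403 }, DELETE = { status = 405 }, CONNECT = { status = 400 },
}
local result = supported_methods(responses, "GET, HEAD", 403, true)
print(table.concat(result["Supported Methods"], " "))
print(clean_status_line("HTTP/1.1 403 Forbidden\r\n"))
```

In the constructed sample, PUT is dropped because its 403 matches the random-method baseline, while CONNECT is kept because its 400 differs from it, which is the case an administrator reviewing the result would want to check by hand.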


