Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: http-methods.nse implementation
From: David Fifield <david () bamsoftware com>
Date: Wed, 27 Apr 2011 19:20:39 -0700

On Tue, Mar 08, 2011 at 02:57:57PM +0100, Vlatko Kosturjak wrote:
On 03/08/2011 02:49 PM, Rob Nicholls wrote:
On Tue, 8 Mar 2011 15:33:48 +0200, Josh Amishav-Zlatin wrote:
Would it make more sense for the
script to have a base list of methods that it checks for regardless of
whether OPTIONS is enabled or not and then appends that list based on
the results of an OPTIONS request?

I'd prefer not to trust OPTIONS at all, and perhaps rename the existing
option or add something like http-methods.force or http-methods.thorough
to test a long hardcoded base list of methods like you suggest. The
current "retest" option doesn't really retest the methods, it simply
performs a more thorough test based on the original OPTIONS response
(which, as you point out, could be inaccurate).

I think we discussed this already some time ago:
http://seclists.org/nmap-dev/2010/q1/618
...and I remember, decision was to have it like this.

I don't know, I think it's fine to test from a static set of method
names (including invalid names). If someone writes a good patch I think
we'd accept it. It just perhaps shouldn't be default.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]