Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[NSE] http-verb-tamper
From: Hani Benhabiles <kroosec () gmail com>
Date: Fri, 4 Nov 2011 14:55:09 +0100

Hi list,

Attached is a  NSE script to check for authentication bypass via HTTP verb
tampering.

description = [[
Checks if the target is vulnerable to authentication bypass via HTTP verb
tampering.

It works by checking if a target that requires authentication or redirects
to a login page could be
bypassed via a HEAD request. RFC 2616 specifies that the HEAD request
should be treated exactly like GET but
with no returned response body.

For more information, see:
* CVE-2010-738 https://bugzilla.redhat.com/show_bug.cgi?id=574105
* http://www.imperva.com/resources/glossary/http_verb_tampering.html
*
https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29

]]

Hope it helps.

Cheers,

-- 
M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: @kroosec

Attachment: http-verb-tamper.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault