Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] http-verb-tamper
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 4 Nov 2011 21:49:22 +0100

On Fri, Nov 4, 2011 at 2:55 PM, Hani Benhabiles <kroosec () gmail com> wrote:

Hi list,

Attached is a  NSE script to check for authentication bypass via HTTP verb
tampering.

description = [[
Checks if the target is vulnerable to authentication bypass via HTTP verb
tampering.

It works by checking if a target that requires authentication or redirects
to a login page could be
bypassed via a HEAD request. RFC 2616 specifies that the HEAD request
should be treated exactly like GET but
with no returned response body.

For more information, see:
* CVE-2010-738 https://bugzilla.redhat.com/show_bug.cgi?id=574105
* http://www.imperva.com/resources/glossary/http_verb_tampering.html
*

https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29

]]

Hope it helps.

Cheers,

--
M. Hani Benhabiles
Blog: http://kroosec.blogspot.com
Twitter: @kroosec

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Hi Hani,

Thanks for submitting this script! I had a quick look at it and I noticed
that the script argument read in the action method does not reflect the one
documented in the usage. Also, I'm not sure how widespread this
vulnerability is and if it would make more sense to target the reported
JBoss vulnerability instead? Or maybe have two script, one generic like the
one you submitted, and one that targets CVE-2010-738 specifically. While I
appreciate that the generic script could be sued to detect CVE-2010-738 I
think it would be better to be able to do so without needing to supply the
path.

What do other people on the list think?

//Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]