Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: http-methods & http-trace NSE Script Enhancement Ideas
From: Patrik Karlsson <patrik () cqure net>
Date: Wed, 23 May 2012 20:03:30 +0200

On Wed, May 23, 2012 at 7:33 PM, King Thorin <kingthorin () hotmail com> wrote:


I just had a quick look at http-cors. It does not appear to follow
redirects or check status codes at all, only setting and getting header
values. I'm not sure if those header values would or wouldn't be present in
a redirect.

I still need someone (or a bunch of people) to confirm if I'm correct in
my experiences with allow and public being lacking on redirect responses.
Also I still need to know how to provide updates for the scripts in
question.

I'd propose a script parameter such as:
redirect_count

So code for htt-trace.nse could look like ( I threw this together quickly,
it's not necessarily perfect or useable in this form):

--- Validates the HTTP response and returns header list
-- () param response The HTTP response
-- () param response_headers The HTTP response headers
local validate = function(response, response_headers, followed_redirects)
 local output_lines = {}

 if not(response:match("HTTP/1.[01] 200") or response:match("TRACE /
HTTP/1.[01]")) then
   return
 else
   output_lines[ #output_lines+1 ] = "TRACE is enabled"
   if followed-redirects > 0
     output_lines[ #output_lines+1 ] = "Followed " .. followed_redirects
.. " redirects." -- We followed some redirects, tell the user
 end
 if nmap.verbosity() >= 2 then
   output_lines[ #output_lines+1 ]= "Headers:"
   for _, value in pairs(response_headers) do
     output_lines [ #output_lines+1 ] = value
   end
 end
 if #output_lines > 0 then
   return stdnse.strjoin("\n", output_lines)
 end
end

---
--MAIN
---
action = function(host, port)
 local path = stdnse.get_script_args("http-trace.path") or "/"
 local num_redirects = stdnse.get_script_args("http-trace.redirect_count")
or 2 -- Set default low [2] and let user make it bigger if needed
 local followed_redirects = 0

 local req = http.generic_request(host, port, "TRACE", path) -- Request
zero
 while (req.status == 301 or req.status == 302) and req.header["location"]
and followed_redirects < num_redirects do -- Follow 2 or redirect_count
redirects
   req = http.generic_request(host, port, "TRACE", req.header["location"])
   followed_redirects = followed_redirects + 1
 end -- Hopefully when we finish looping we received a HTTP 200 OK after
following some redirects (at least we tried)

 return validate(req.body, req.rawheader, followed_redirects)
end

PS > The thread has now had two top and one bottom reply, what's the
actual preference on this list?


Date: Wed, 23 May 2012 18:41:06 +0300
Subject: Re: http-methods & http-trace NSE Script Enhancement Ideas
From: toni.ruottu () iki fi
To: paulino () calderonpale com
CC: kingthorin () hotmail com; nmap-dev () insecure org

Does this affect http-cors too?

On Wednesday, 23 May 2012, Paulino Calderon  wrote:
On 23/05/2012 07:17 a.m., King Thorin wrote:



I was just looking through some online docs and some nmap results. I've

never seen a server that includes public or allow header(s) on a

redirect response [maybe my experience is limited?]. It seems to me that
the http-methods NSE should follow

redirects (HTTP 301, 302, 303) in order to perform the necessary OPTIONS

 request on a page/resource that's providing a HTTP 200.





Perhaps similar to the http-trace script:

http://nmap.org/svn/scripts/http-trace.nse

Though

 even that only follows one 301 or 302 redirect.



Further, maybe both scripts should follow a configurable

 # of redirects (default 2, 3, 4 and configurable further) looking for a

 HTTP 200&  handle 301, 302, and 303 redirect codes.





Reference:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html



I've emailed the devs of both scripts without any luck.







I'd be glad to provide the necessary changes, if someone can simply fill
me in as to how they should be submitted.





_______________________________________________

Sent through the nmap-dev mailing list

http://cgi.insecure.org/mailman/listinfo/nmap-dev

Archived at http://seclists.org/nmap-dev/


I think adding a configuration value for redirects will work better in
some cases. I would say most of the libraries follow 2-3 redirects but no
more than that. In your experience, what would be a good default?



--

Paulino Calderón Pale

Website: http://calderonpale.com

Twitter: http://twitter.com/calderpwn



_______________________________________________

Sent through the nmap-dev mailing list

http://cgi.insecure.org/mailman/listinfo/nmap-dev

Archived at http://seclists.org/nmap-dev/


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


The http library does support http redirects for get and head requests.
While redirection may seem trivial to implement at first there are a
actually a few things to consider.
Therefore, why not make trace a function in the http library wrapping the
generic_request method and adding redirect support in the same way as has
already been done for get, head, post and put requests?

Cheers,
Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault