Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] http-devframework.nse
From: nnposter () users sourceforge net
Date: Mon, 26 Aug 2013 20:48:36 +0000

Out of curiosity, why do you use response.rawheader so broadly, instead
of leveraging the parsing that already took place when the response
object was composed? I have rewritten a small piece of the code to
illustrate what I am talking about:

Original:

    -- Check for Mongrel or Passenger in the "Server" or "X-Powered-By" header
    for _, h in ipairs(response.rawheader) do
        if (string.find(h, "X%-Powered%-By") or 
        string.find(h, "Server")) and 
        (string.find(h, "[Mm][Oo][Nn][Gg][Rr][Ee][Ll]") or
        string.find(h, "[Pp][Aa][Ss][Ee][Nn][Gg][Ee][Rr]")) then
            return "RoR detected. Found 'Passenger' or 'Mongrel' in the cookies sent by the server."
        end
    end

Alternative:

    -- Check for Mongrel or Passenger in the "Server" or "X-Powered-By" header
    for h, v in ipairs(response.header) do
        if h == "x-powered-by" or h == "server" then
            local vl = v:lower()
            local m = vl:match("mongrel") or vl:match("passenger")
            if m then
               return "RoR detected. Found '" .. m .. "' in " .. h .. " header sent by the server."
            end
        end
    end

This way you might get several benefits:

* Normalized matching, such as "Server" vs. "server"
* More precise matching, such as the Server header vs. "/Foo/Server/Bar"
  in the Referer header
* More understandable intent of the fingerprint logic
* More readable code


Fingerprint suggestions:

* Cookies, such as CFID* and CFTOKEN* for Cold Fusion, ASPNETSESSIONID
  for ASP.NET, BV_* for Broadvision, WC_* for WebSphere Commerce.
* Parameters, such as __VIEWSTATE and __EVENT* for ASP.NET.
* JavaScript calls, such as __doPostBack for ASP.NET
* DOM elements, such as IDs "aspnetForm" or ctl00_* for ASP.NET


Suggested changes:

* Misspelling of "Pasenger"(sic) in the string search.
* Returning "Found ... in cookies" while the fingerprint searches server headers.


Some other thoughts:

* Would the concept of basepath make sense here?


Cheers,
nnposter
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault