Nmap Development mailing list archives

Re: [PATCH] showHTMLTitle.nse


From: David Fifield <david () bamsoftware com>
Date: Sat, 4 Oct 2008 22:11:08 -0600

On Sat, Oct 04, 2008 at 09:15:23PM +0100, jah wrote:
> On 03/10/2008 21:18, Fyodor wrote:
> > Well, I'm not certain it would have to go in external just for this
> > sort of DNS query against the normal name servers Nmap uses anyway.
> > This seems like a very low privacy risk compared to even our other
> > DNS-related extern scripts.  I'm not taking sides on whether we should
> > do the lookup, just saying that looking up the IP of the redirect host
> > probably wouldn't banish the script from the default category.
> 
> OK, I've included DNS lookups.  The dns library makes this ultra easy
> and it would be just as easy to remove should it be decided not to
> include it.
> It should handle IPv6 AAAA lookups, but as yet, I've not found an IPv6
> server that redirects - let alone one which issues a different hostname
> in the location header.
> 
> As David suggested, redirects are handled by http.get() rather than
> doing url.parse() twice and there's now a short loop which ipairs over a
> table of rules.  The rules are anonymous functions which all take the
> same arguments and return true or false.  Rules processing stops
> whenever false is returned and the redirect won't be followed.  It
> should be much easier to tweak the rules and I've briefly commented
> each.  They go something like this (in this order):
> Scheme, if present, must be the same as port.service (i.e. unchanged
> from the original request)
> Userinfo must not be present.
> Host, if present, must represent the same host.
> Port, if present, must be that which was scanned.
> Path must be different to "/" unless host has changed.
> Query may be present.

I was pleased at how readable this version is, even with the additional
functionality. It's easier to understand than the previous version.

The table of redirect rules is a good idea. It needs a block comment and
a more descriptive name. Or it could be a local table inside a
redirect_ok function, and then it could keep a short name and wouldn't
need a long comment; its purpose would be clear from the function it's
in.

I feel that the DNS lookup for virtual hosts is overkill, but I don't
feel that strongly about it. The "Did not follow redirect" message gives
enough information in this case.

> Couple of other tweaks:
> If possible, the content-type header value is output whenever "Site does
> not have a title" which might help to indicate why there was no title:
> e.g. video/x-msvideo

That's a good idea.

Thanks for all your dedicated work. Who knew handling HTTP redirects
would be so much hassle! This is a good enhancement, and I like how you
have been sensitive to privacy and politeness concerns, in the limits
placed on what redirects are followed.

Anyway, I'll leave until tomorrow for anyone else to comment on this and
then commit it.

David Fifield
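The ordered rule table jah describes above, written out as an added Python illustration (it is not the script's own Lua code, which uses NSE's url.parse and http.get): each rule is checked in turn and the first one that fails stops processing, so the caller can also report which rule blocked the redirect. The `resolve` parameter is an assumption standing in for the DNS lookup; its default makes rule 3 a plain hostname comparison.

```python
from urllib.parse import urlsplit


def failed_redirect_rule(scanned_host, scanned_port, port_service, location,
                         resolve=lambda h: h):
    """Apply the redirect rules in order.  Return the name of the first rule
    that fails, or None if the Location value may be followed.

    scanned_host / scanned_port / port_service describe the original request
    (port_service is the scheme actually spoken, "http" or "https").
    resolve maps a hostname to an address (assumed helper); the default
    identity function makes rule 3 a plain hostname comparison, while a
    DNS-backed function lets a different hostname that points at the same
    server (a virtual host) pass.
    """
    loc = urlsplit(location)
    try:
        loc_port = loc.port            # None when absent; ValueError if garbage
    except ValueError:
        return "port"
    orig_host = scanned_host.lower()
    new_host = loc.hostname.lower() if loc.hostname else None
    host_changed = new_host is not None and new_host != orig_host
    path = loc.path or "/"             # "http://h" and "http://h/" are the same root

    rules = [
        # 1. scheme, if present, must be the service of the scanned port
        ("scheme", lambda: not loc.scheme or loc.scheme.lower() == port_service),
        # 2. userinfo must not be present
        ("userinfo", lambda: loc.username is None and loc.password is None),
        # 3. host, if present, must represent the same host
        ("host", lambda: new_host is None
                         or resolve(new_host) == resolve(orig_host)),
        # 4. port, if present, must be the port that was scanned
        ("port", lambda: loc_port is None or loc_port == scanned_port),
        # 5. path must differ from "/" unless the host changed (avoids loops)
        ("path", lambda: path != "/" or host_changed),
        # 6. a query string is always allowed
        ("query", lambda: True),
    ]
    for name, rule in rules:
        if not rule():
            return name
    return None


def redirect_ok(*args, **kwargs):
    """True if no rule rejects the redirect."""
    return failed_redirect_rule(*args, **kwargs) is None
```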

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

