
Nmap Development mailing list archives
Re: http-methods.nse implementation
From: Josh Amishav-Zlatin <jamuse () gmail com>
Date: Tue, 8 Mar 2011 17:40:46 +0200
On Tue, Mar 8, 2011 at 5:10 PM, Rob Nicholls <robert () robnicholls co uk> wrote:
> As a slight aside, I have a feeling that the PUT method is currently broken during the "retest". The script should send some content with the PUT request to the server (e.g. the string "Nmap", we probably need to specify a proper filename too), but looking at the code I don't think it does so I expect the web server will always return an error code to the script (instead of a 200 OK).
Hi Rob,

I think ideally the script (when configured to do so, not by default) should upload a string via PUT then try to retrieve the uploaded file, as some web servers / WAFs may be configured to respond to various requests such as PUT with a 200 when in fact the request is discarded. As was pointed out earlier, web servers may be sensitive to various factors such as domain name and URI path. These two examples can be accounted for via script arguments and would allow us to enhance the script's capabilities easily. In addition, it may be nice to allow users to specify which methods they want to test as well.

What do you think of configuring the script so that when http-methods.retest is enabled it checks for HEAD, GET, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT and INVALIDMETHOD? The script can add the results of the OPTIONS output (if available) to that list as well. The script shouldn't be dependent on OPTIONS though to test for potentially dangerous methods if http-methods.retest is enabled. In default state, the script can only check for HEAD, GET, POST and OPTIONS.

Your thoughts?

--
- Josh
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
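The check Josh describes above (PUT a string, then fetch it back, because a 200 on the PUT alone proves nothing) is sketched here as an added example in Python rather than NSE Lua; it is not code from http-methods.nse. The function names, the `Nmap-<random>` marker, the `/nmap-test.txt` path and the two local test servers are constructed for the illustration.

```python
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

def request(host, port, method, path, body=None):
    """Send one request on a fresh connection; return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def verify_put(host, port, path):
    """PUT a unique marker, GET it back; return (put_status, stored)."""
    marker = ("Nmap-" + uuid.uuid4().hex).encode()  # constructed marker
    put_status, _ = request(host, port, "PUT", path, marker)
    get_status, got = request(host, port, "GET", path)
    # Trust the read-back, not the status code of the PUT itself.
    return put_status, get_status == 200 and marker in got

class Handler(BaseHTTPRequestHandler):
    """Constructed test server: always answers PUT with 200.
    start_server() gives each server its own `files` dict."""
    stores_put = True  # False imitates a server/WAF that discards the body
    def log_message(self, *args): pass  # keep the demo quiet
    def reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_PUT(self):
        data = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.stores_put:
            self.files[self.path] = data
        self.reply(200)
    def do_GET(self):
        found = self.path in self.files
        self.reply(200 if found else 404, self.files.get(self.path, b""))

def start_server(stores_put):
    cls = type("H", (Handler,), {"stores_put": stores_put, "files": {}})
    srv = HTTPServer(("127.0.0.1", 0), cls)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for stores in (True, False):
        port = start_server(stores).server_port
        print(stores, verify_put("127.0.0.1", port, "/nmap-test.txt"))
```

Both test servers answer the PUT with 200; only the read-back distinguishes the one that stored the file from the one that discarded it.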
Current thread:
- http-methods.nse implementation Josh Amishav-Zlatin (Mar 08)
- Re: http-methods.nse implementation Rob Nicholls (Mar 08)
- Re: http-methods.nse implementation Vlatko Kosturjak (Mar 08)
- Re: http-methods.nse implementation Toni Ruottu (Mar 08)
- Re: http-methods.nse implementation Rob Nicholls (Mar 08)
- Re: http-methods.nse implementation Josh Amishav-Zlatin (Mar 08)
- Re: http-methods.nse implementation Vlatko Kosturjak (Mar 08)
- Re: http-methods.nse implementation Rob Nicholls (Mar 08)