
Nmap Development mailing list archives
[NSE] Empty server header in http-server-header.nse
From: nnposter () users sourceforge net
Date: Thu, 1 Jan 2015 20:08:25 +0000
Script http-server-header.nse is not handling well situations where the Server header is returned but empty. Specifically, pattern...

"\n[Ss][Ee][Rr][Vv][Ee][Rr]:%s*(.-)\r?\n"

...used for parsing the header assumes that class %s does not include CR or LF. When the server header is returned empty then %s* will slurp the CR/LF sequence and the subsequent capture group will get populated with the next full header (as opposed to an empty string).

The patch below replaces the problematic class with LWS as defined in RFC 822. This will cause the script to return the empty string.

One issue to note though is that the visual effect is an empty line in the formatted output:

443/tcp open ssl/https syn-ack ttl 128
| http-server-header:
| Server:
|_

It could be argued that we should decouple the formatted output from the structured result data and replace it with something more readable like "(not listed)" or "(empty)":

443/tcp open ssl/https syn-ack ttl 128
| http-server-header:
| Server:
|_ (empty)

Cheers,
nnposter

Patch against r33886 follows:

--- a/scripts/http-server-header.nse +++ b/scripts/http-server-header.nse @@ -101,7 +101,7 @@ if string.match(result, "^HTTP/1.[01] %d%d%d") then port.version.service = "http" - local http_server = string.match(result, "\n[Ss][Ee][Rr][Vv][Ee][Rr]:%s*(.-)\r?\n") + local http_server = string.match(result, "\n[Ss][Ee][Rr][Vv][Ee][Rr]:[ \t]*(.-)\r?\n") -- Avoid setting version info if -sV scan already got a match if port.version.product == nil and (port.version.name_confidence or 0) <= 3 then

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
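
Review bot: The changed string.match line needs a short comment saying why "[ \t]*" is used rather than "%s*", since %s in a Lua pattern also matches CR and LF and a later cleanup could quietly reintroduce the bug. With this change http_server can also be the empty string, and the context line "if port.version.product == nil and (port.version.name_confidence or 0) <= 3 then" is the last thing visible, so it is worth stating in the patch whether an empty value should still be stored as version info or skipped. Note too that "[ \t]" covers only the space and tab characters, not the folded form of RFC 822 linear white space, so a Server value continued on the next line would now be reported as empty; a one-line comment acknowledging that would help.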
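
The behaviour described in the message, as an added example that is not part of the original post or of Nmap's own code: a stand-alone Lua script that runs the pre-patch and patched patterns from the diff over HTTP responses. The responses, the server name "ExampleHTTPd" and the `cases` table are constructed for illustration.

```lua
-- Patterns copied from the "-" and "+" lines of the patch.
local OLD = "\n[Ss][Ee][Rr][Vv][Ee][Rr]:%s*(.-)\r?\n"
local NEW = "\n[Ss][Ee][Rr][Vv][Ee][Rr]:[ \t]*(.-)\r?\n"

-- Constructed responses (not captured traffic); want = correct header value.
local cases = {
  { name = "empty value, CRLF",
    resp = "HTTP/1.1 200 OK\r\nServer:\r\nContent-Type: text/html\r\n\r\n",
    want = "" },
  { name = "only a space after colon",
    resp = "HTTP/1.1 200 OK\r\nServer: \r\nX-Frame-Options: DENY\r\n\r\n",
    want = "" },
  { name = "empty value, bare LF",
    resp = "HTTP/1.0 200 OK\nserver:\nContent-Length: 0\n\n",
    want = "" },
  { name = "empty value, last header",
    resp = "HTTP/1.1 404 Not Found\r\nServer:\r\n\r\n",
    want = "" },
  { name = "space and tab before value",
    resp = "HTTP/1.1 200 OK\r\nServer: \tExampleHTTPd/1.0\r\nContent-Length: 0\r\n\r\n",
    want = "ExampleHTTPd/1.0" },
}

-- Apply the same status-line guard as the script context, then the pattern.
local function server_header(resp, pattern)
  if not string.match(resp, "^HTTP/1.[01] %d%d%d") then return nil end
  return string.match(resp, pattern)
end

local old_wrong, new_wrong = 0, 0
for _, c in ipairs(cases) do
  local old = server_header(c.resp, OLD)
  local new = server_header(c.resp, NEW)
  if old ~= c.want then old_wrong = old_wrong + 1 end
  if new ~= c.want then new_wrong = new_wrong + 1 end
  print(string.format("%-28s old=%q new=%q", c.name, tostring(old), tostring(new)))
end

-- %s* swallows the line ending after an empty value, so the old pattern
-- captures the following header in the first three cases. In the fourth
-- it backtracks off the final LF and returns "" only by accident.
print(string.format("old pattern wrong: %d, patched pattern wrong: %d",
                    old_wrong, new_wrong))
assert(new_wrong == 0, "patched pattern returned an unexpected value")
assert(old_wrong == 3, "old pattern should mis-parse three of the cases")
```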
Current thread:
- [NSE] Empty server header in http-server-header.nse nnposter (Jan 01)
- Re: [NSE] Empty server header in http-server-header.nse Daniel Miller (Jan 15)