Nmap Development mailing list archives

http-fingerprints.lua: add /cdn-cgi/trace (some Cloudflare feature)


From: David Fifield <david () bamsoftware com>
Date: Tue, 5 Feb 2019 14:20:37 -0700

The attached patch adds "/cdn-cgi/trace" to http-fingerprints.lua for
the http-enum script. This path seems to be a special administrative/
debugging path for sites on the Cloudflare CDN.

I just happened to notice it in this blog post:
https://blog.cloudflare.com/encrypt-that-sni-firefox-edition/
        To test for encrypted SNI support on your Cloudflare domain, you
        can visit the “/cdn-cgi/trace” page, for example,
        https://www.cloudflare.com/cdn-cgi/trace

I didn't find any documentation for this feature or a specification of
what all the fields mean, but here's what I see at
https://www.cloudflare.com/cdn-cgi/trace:

fl=20f275
h=www.cloudflare.com
ip=77.247.181.162
ts=1549398742.213
visit_scheme=https
uag=Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
colo=AMS
http=h2
loc=T1
tls=TLSv1.2
sni=plaintext

I'm not sure if "/cdn-cgi/trace" is enabled for all Cloudflare sites, or
if it's an option the site owner can configure. Accessing just
"/cdn-cgi/" seems to give a 404. A search at
https://community.cloudflare.com/search?q=cdn-cgi shows that there are
many other paths that may appear under /cdn-cgi/, but some of them, for
example the email address obfuscation, are definitely optional.
        /cdn-cgi/apps/head/[random].js
        /cdn-cgi/scripts/cf.challenge.js
        /cdn-cgi/scripts/cf.common.js
        /cdn-cgi/scripts/zepto.min.js
        /cdn-cgi/scripts/[random]/cloudflare-static/email-decode.min.js
        /cdn-cgi/pe/bag2

Attachment: 0001-Add-cdn-cgi-trace-Cloudflare-to-http-fingerprints.lu.patch

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
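The trace body quoted in the post is a plain list of key=value lines. The parser below is added here as an example; it is not part of David's patch or of Nmap. It turns such a body into a table, applies a presence check modelled on what an http-enum style fingerprint would key on, and pulls out the TLS/SNI fields a site owner would want to review. The sample values, the REQUIRED_FIELDS set and the assumption that "fl" is always hex are constructed for this example and are not documented by Cloudflare.

```python
import re
from typing import Dict, Optional

# Constructed sample body, modelled on the fields quoted in the post
# from https://www.cloudflare.com/cdn-cgi/trace (values are made up).
SAMPLE_TRACE = """fl=20f275
h=www.example.com
ip=203.0.113.7
ts=1549398742.213
visit_scheme=https
uag=Mozilla/5.0 (test)
colo=AMS
http=h2
loc=T1
tls=TLSv1.2
sni=plaintext
"""

# Assumption: these fields appear in every trace body; their presence
# is what a fingerprint-style check keys on, not any particular value.
REQUIRED_FIELDS = ("fl", "h", "ip", "ts", "colo")

# Key is an identifier; everything after the first '=' is the value,
# so values containing '=' (or spaces, like uag) survive intact.
LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_trace(body: str) -> Dict[str, str]:
    """Parse the key=value lines of a /cdn-cgi/trace response.

    Blank or malformed lines are skipped rather than raising, because the
    format is undocumented and may gain fields. Duplicate keys keep the
    first value seen.
    """
    fields: Dict[str, str] = {}
    for raw in body.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        fields.setdefault(m.group(1), m.group(2))
    return fields


def looks_like_cloudflare_trace(fields: Dict[str, str]) -> bool:
    """True when all always-present fields exist and 'fl' is lowercase hex."""
    if any(k not in fields for k in REQUIRED_FIELDS):
        return False
    return re.fullmatch(r"[0-9a-f]+", fields["fl"]) is not None


def tls_posture(fields: Dict[str, str]) -> Optional[str]:
    """Summarise what the edge saw: TLS version and whether SNI was encrypted."""
    if "tls" not in fields:
        return None
    return f"{fields['tls']} with {fields.get('sni', 'unknown')} SNI"
```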