Nmap Development mailing list archives
Re: NSE Script http-methods.nse
From: Daniel Roethlisberger <daniel () roe ch>
Date: Sun, 21 Feb 2010 00:49:23 +0100
David Fifield <david () bamsoftware com> 2010-02-18:
The uninteresting set {GET, HEAD, POST, OPTIONS, TRACE} just comes from a quick observation of a handful of web servers. I welcome suggestions of methods to be removed from or added to the set.
I'd vote for removing TRACE from the uninteresting set. TRACE can be security relevant in the context of Cross-Site Tracing attacks (web app vulnerable to XSS, session cookie has HttpOnly flag set or NTLM or basic auth is used, XSS payload does a TRACE request back to the web server, server reflects request headers in response body, XSS payload can now read session cookie or auth headers).

http://www.owasp.org/index.php/Cross_Site_Tracing

--
Daniel Roethlisberger
http://daniel.roe.ch/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
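As an added illustration, not part of this thread or of the http-methods.nse script itself: a small Python check that parses an OPTIONS response, reports the methods left over once the uninteresting set is applied with TRACE removed as proposed above, and then tests whether a TRACE response echoes sensitive request headers, which is the server-side condition the Cross-Site Tracing scenario depends on. All sample messages are constructed; the host name is a placeholder.

```python
from typing import Dict, List, Tuple

# Uninteresting set quoted in the thread, with TRACE removed as the reply proposes.
UNINTERESTING = {"GET", "HEAD", "POST", "OPTIONS"}

# Request headers whose reflection by TRACE is the Cross-Site Tracing concern.
SENSITIVE_HEADERS = ("cookie", "authorization")


def split_message(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request or response into (start line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("iso-8859-1", "replace")


def allowed_methods(options_response: bytes) -> List[str]:
    """Methods advertised in the Allow header of an OPTIONS response."""
    _, headers, _ = split_message(options_response)
    return [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]


def interesting_methods(methods) -> List[str]:
    """Methods worth reporting: everything outside the uninteresting set, TRACE included."""
    return sorted(set(methods) - UNINTERESTING)


def trace_reflects_sensitive(trace_request: bytes, trace_response: bytes) -> List[str]:
    """Sensitive request headers that a 200 TRACE response echoes in its body.

    A non-empty result means the server reflects the request, so script code that
    can issue TRACE could read the Cookie or Authorization values it carried.
    """
    _, req_headers, _ = split_message(trace_request)
    start_line, _, body = split_message(trace_response)
    if start_line.split(" ", 2)[1] != "200":
        return []
    body_lower = body.lower()
    return [h for h in SENSITIVE_HEADERS
            if h in req_headers and f"{h}: {req_headers[h]}".lower() in body_lower]


# Constructed sample messages (not captured from any real server).
SAMPLE_OPTIONS = (b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
                  b"Content-Length: 0\r\n\r\n")
SAMPLE_TRACE_REQ = b"TRACE / HTTP/1.1\r\nHost: example.test\r\nCookie: sid=abc123\r\n\r\n"
SAMPLE_TRACE_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                     b"TRACE / HTTP/1.1\r\nHost: example.test\r\nCookie: sid=abc123\r\n")
```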