Nmap Development mailing list archives
RE: [NSE] Changes to http-auth
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Mon, 19 Dec 2011 14:47:25 -0000
I've taken a slightly closer look and I think the existing http.lua can cope without the quotes. But I get the impression that http.lua is struggling to deal with more than one scheme in the WWW-Authenticate header. I think something's not quite right with the parsing, probably some kind of off-by-one problem.

I briefly tried playing around with the code, which got it sort of working for the header Patrik supplied, but then I was off-by-one in another place (I don't think the comma is being properly taken into account after the name of the scheme, but if you try to increment it there then other tokens can get screwed up later on).

It's not my code, so I'm finding it hard to follow exactly what's going on. I might take another stab later, but I can't spend any more time on it right now.

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Rob Nicholls
Sent: 19 December 2011 07:48
To: 'Patrik Karlsson'; 'nmap-dev'
Subject: RE: [NSE] Changes to http-auth

My guess is that the charset bit of the string might be causing problems with the parsing, as all the rest are quoted string values? A quick look at http.lua suggests to me that we assume that the value is a quoted string as per the RFC. http://www.ietf.org/rfc/rfc2617.txt suggests that it should either be a token or a quoted string. I suspect we need to make read_auth_challenge or read_token_or_quoted_string a bit more flexible to cope with non-compliant headers?

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Patrik Karlsson
Sent: 19 December 2011 07:02
To: Patrik Karlsson; nmap-dev
Subject: Re: [NSE] Changes to http-auth

On Mon, Dec 19, 2011 at 1:22 AM, David Fifield <david () bamsoftware com> wrote:

> On Sat, Dec 17, 2011 at 10:46:15PM +0100, Patrik Karlsson wrote:
> > Hi all,
> >
> > I've reworked the http-auth to handle multiple Authentication headers
> > being returned from the server.
>
> Didn't it work that way before? The http library should join together multiple headers with a comma, and http.parse_www_authenticate should know how to deal with that. Manually parsing answer.rawheader seems wrong--http.parse_header does that already, including some tricky cases.
>
> I tested locally against a dummy server offering Basic and Digest and it worked before your patch. What did you run into that caused you to have to change it?
>
> ncat -l 8080 --sh-exec 'cat auth.http' -k
>
> David Fifield

Ok, I reverted my patch just now, but it doesn't work anymore for me, this is what I get:

| Server returned status 401 but the WWW-Authenticate header could not
| be parsed.
|_WWW-Authenticate: Negotiate, NTLM, Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v1e4e256b4afb7f89b4eb43b241bbecc019ac8910c0451d75eda21f0a01b277e4dd0ec235788fb373269ed29fa7da630b1",charset=utf-8,realm=" example.com", Basic realm="example.com"

It seems to fail in http.parse_www_authenticate as far as I can tell. I'll see if I can look into it later.

Cheers,
Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
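The parsing problem discussed in this thread (a comma separates both challenges and the parameters inside one challenge, and values may be bare tokens or quoted strings), shown as an added example that is not code from the thread or from Nmap's http.lua. The function name `parse_challenges` is hypothetical, the sample header is constructed on the model of the one Patrik quoted, and token68 credential data (for example a base64 blob after `NTLM`) is assumed not to occur.

```lua
-- Added example; parse_challenges is a hypothetical name, not Nmap's http.lua.
local TOKEN = "^[^%c%s%(%)<>@,;:\\\"/%[%]%?={}]+"
local function skip(s, pos, set)          -- returns first position not in set
  return s:match("^[" .. set .. "]*()", pos)
end

local function read_value(s, pos)         -- token or quoted-string
  if s:sub(pos, pos) ~= '"' then          -- bare token: MD5-sess, utf-8
    local tok = s:match(TOKEN, pos)
    return tok, tok and pos + #tok
  end
  local out, i = {}, pos + 1
  while i <= #s do
    local c = s:sub(i, i)
    if c == '"' then return table.concat(out), i + 1 end
    if c == "\\" then i = i + 1; c = s:sub(i, i) end  -- quoted-pair
    out[#out + 1] = c
    i = i + 1
  end
  return nil                              -- unterminated quoted-string
end

local function parse_challenges(s)
  local challenges, cur = {}, nil
  local pos = skip(s, 1, " \t,")
  while pos <= #s do
    local name = s:match(TOKEN, pos)
    if not name then return nil, "expected token at offset " .. pos end
    pos = skip(s, pos + #name, " \t")
    if s:sub(pos, pos) == "=" then        -- name=value: parameter of cur
      if not cur then return nil, "parameter before any scheme" end
      local val, nxt = read_value(s, skip(s, pos + 1, " \t"))
      if not val then return nil, "bad value for " .. name end
      cur.params[name:lower()], pos = val, nxt
    else                                  -- bare name: a new scheme starts
      cur = { scheme = name, params = {} }
      challenges[#challenges + 1] = cur
    end
    pos = skip(s, pos, " \t,")            -- the comma is only a separator
  end
  return challenges
end

-- Constructed sample modelled on the header quoted in the thread (short nonce).
local sample = 'Negotiate, NTLM, Digest qop="auth",algorithm=MD5-sess,' ..
  'nonce="abc123",charset=utf-8,realm="example.com", Basic realm="example.com"'
for _, c in ipairs(assert(parse_challenges(sample))) do
  print(c.scheme, c.params.realm, c.params.algorithm, c.params.charset)
end
```

Deciding "parameter or new scheme" by whether the token is followed by `=` avoids tracking the comma position by hand, which is where Rob reports the off-by-one behaviour.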