Nmap Development mailing list archives

Re: [GSoC 2015] Ideas, thoughts


From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 6 Mar 2015 22:43:58 -0600

s0h3ck,

On Fri, Mar 6, 2015 at 4:29 PM, s0h3ck . <s0h3ck () gmail com> wrote:

> Dear mentors and Nmap's team,
>
> I wonder if a tool that is able to tell you how many XML or HTML elements
> are in a specific chosen web page could be interesting to Nmap's team?
>
> In fact, this tool would be able to describe the hierarchy of the website
> (DOM) by default. Then, with arguments supplied by the user, we could know
> how many hidden elements are on the specific web page. For instance, some
> websites have hidden inputs and it could be useful to know how many are
> hidden on the website. Another amazing example could be to detect if your
> web page implements new features added by the W3C. Furthermore, this tool
> would have the ability to search for a specific element by giving the
> search item as the first argument and specifying additional arguments like the
> minimum or the maximum elements before the script stops looking into the
> source page and returns results. The tool could be able to compare how many
> elements are counted between one website and another. In that way, it can be a
> great opportunity to detect XSS, SQL and more.
>
> What are your thoughts?


We have had a potential project [1] to add an XML parser to NSE for several
years now. This would be a great enabler not only for web-type tasks like
you're mentioning, but also as a driver for lots of XML-based protocols:
XMLRPC, SOAP, BGPmon, etc. We have more thoughts on this and the related
task of HTML parsing on our Script Ideas wiki page [2].


> Next, a couple of questions:
> 1. Does Nmap have a terminal tutorial like vimtutor (Vim)? If not, would
> Nmap's team be interested in it as part of the work in GSoC (for maybe
> one or two weeks)?


We don't have such a tutorial, though we do have lots of great, readable
documentation available. I think that some sort of usability analysis for
each of our tools would be an interesting project, and could contribute a
lot to ease of use.


> 2. Does Nmap need more French translations? (I can give a boost maybe
> for this summer ;))


We will never turn down a chance to improve our translations in every
language. Our Zenmap translation is current as of November 2014, so that's
pretty good, but our French man page has only had a couple minor
corrections since 2007! We generally don't have students doing translation
work for GSOC directly, but helping with translations beforehand can be a
good way to learn more about Nmap itself and interact with the community.


> 3. In the proposal, do you recommend writing both the real name and the
> pseudonym or only the real name?


In the proposal template (forgive me for not having a link at the moment)
we ask for your name (real name) and any instant messenger names and
protocols you wish to use. If you have a handle that you use around the
Net, we'd like to know, but that's up to you. Real name is required, though.

> 4. Where is the sql-injection.html?
> http://nmap.org/nsedoc/scripts/sql-injection.html
> Broken link: http://nmap.org/soc/#nsescripts


Thanks for pointing this out! I fixed this and 2 other broken links on that
page due to script renaming. The one you asked about is:
http://nmap.org/nsedoc/scripts/http-sql-injection.html

Dan

[1] https://secwiki.org/w/GSoC_community_ideas#XML_parser_for_NSE
[2] https://secwiki.org/w/Nmap/Script_Ideas#XML_and_HTML_parsing
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
