[NSE] http-methods update

[Gyanendra Mishra <anomaly.the () gmail com>]

Hi list,

I was working on the script idea http-methods update[1]. The script would
earlier send an OPTIONS request and parse the 'allow' and 'public' headers
to show allowed methods. There are cases in which the (i) OPTIONS method is
itself disabled, (ii) contains no 'allow' or 'public' headers if OPTIONS is
enabled or (iii) the 'allow'/ 'public' headers don't contain all allowed
methods.

This updated script[2]  now marks HEAD, GET, POST, OPTIONS as SAFE and PUT,
DELETE, CONNECT as UNSAFE. It tests all the SAFE methods not in the
'allow'/'public'  headers one by one by sending generic requests and adds
them to the allowed methods list if the response is anything other than
status codes 501 and 405. To also test all the UNSAFE methods one can set
test-all-unsafe to true. This is the added script argument as mentioned in
the ideas page.

Please comment on the implementation. Is there something more that I need
to look at that I might have missed?

TODOs :
 * Add @xmloutput.
 * Not recheck OPTIONS method ever.
 * Fix documentation to include recent changes.
 * Comment code to explain changes.

Gyani

[1]https://secwiki.org/w/Nmap/Script_Ideas#http-methods_update
[2]https://svn.nmap.org/nmap-exp/gyani/scripts/http-methods.nse

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/