Nmap Development mailing list archives
[NSE] http-methods update
From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Sun, 24 May 2015 01:34:53 +0530
Hi list, I was working on the script idea http-methods update[1]. The script would earlier send an OPTIONS request and parse the 'allow' and 'public' headers to show allowed methods. There are cases in which the (i) OPTIONS method is itself disabled, (ii) contains no 'allow' or 'public' headers if OPTIONS is enabled or (iii) the 'allow'/ 'public' headers don't contain all allowed methods. This updated script[2] now marks HEAD, GET, POST, OPTIONS as SAFE and PUT, DELETE, CONNECT as UNSAFE. It tests all the SAFE methods not in the 'allow'/'public' headers one by one by sending generic requests and adds them to the allowed methods list if the response is anything other than status codes 501 and 405. To also test all the UNSAFE methods one can set test-all-unsafe to true. This is the added script argument as mentioned in the ideas page. Please comment on the implementation. Is there something more that I need to look at that I might have missed? TODOs : * Add @xmloutput. * Not recheck OPTIONS method ever. * Fix documentation to include recent changes. * Comment code to explain changes. Gyani [1]https://secwiki.org/w/Nmap/Script_Ideas#http-methods_update [2]https://svn.nmap.org/nmap-exp/gyani/scripts/http-methods.nse
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] http-methods update Gyanendra Mishra (May 23)
- Re: [NSE] http-methods update Gyanendra Mishra (May 28)
- Re: [NSE] http-methods update Daniel Miller (Jun 14)
- Re: [NSE] http-methods update Gyanendra Mishra (Jun 20)
- Re: [NSE] http-methods update Daniel Miller (Jun 14)
- Re: [NSE] http-methods update Gyanendra Mishra (May 28)