Nmap Development mailing list archives
Re: NSE: http.identify_404 follows redirects
From: Tom Sellers <nmap () fadedcode net>
Date: Thu, 3 Dec 2015 06:56:05 -0600
The change did not appear to be disruptive in my tests. Unless someone objects I will commit the update to http.lua and as well as updates to the related scripts to standardize the call to identify_404. Tom On 11/30/2015 7:46 PM, Tom Sellers wrote:
All, I was going to open a git issue on this, but I decided to toss it at the list for discussion. References: https://nmap.org/nsedoc/lib/http.html#identify_404 https://svn.nmap.org/nmap/nselib/http.lua http.identify_404 is a function that can be used to determine how an HTTP server responds to unknown pages. It can be used, for example, to detect when an HTTP server responds 200 OK to everything which can break a script if it is merely checking the status code when requesting something like /MyAppsSpecialPage. http.identify_404 follows HTTP redirects which may result in unexpected behavior. I noticed this while testing some changes to a script against a ethernet switch that generates a 302 redirect response for a request to /. http.identify_404 follows the redirect and then the 'data' variable contains the results for the new location. The identify_404 function has code to deal with redirects and other errors but this won't be triggered if the call to http.get follows it first. Relevant code is at line 2476 in nselib/http.lua function identify_404(host, port) local data local bad_responses = { 301, 302, 400, 401, 403, 499, 501, 503 } -- The URLs used to check 404s local URL_404_1 = '/nmaplowercheck' .. os.time(os.date('*t')) local URL_404_2 = '/NmapUpperCheck' .. os.time(os.date('*t')) local URL_404_3 = '/Nmap/folder/check' .. os.time(os.date('*t')) data = get(host, port, URL_404_1) I performed a review of the scripts where identify_404 is being used and I did not find any place where it looked like following redirects would be desirable. grep -i 'identify_404' /usr/local/share/nmap/scripts/*.nse /usr/local/share/nmap/scripts/hnap-info.nse: local status_404, result_404, _ = http.identify_404(host,port) /usr/local/share/nmap/scripts/http-avaya-ipoffice-users.nse: local _, http_status, _ = http.identify_404(host,port) /usr/local/share/nmap/scripts/http-backup-finder.nse: local res, res404, known404 = http.identify_404(host, port) /usr/local/share/nmap/scripts/http-cakephp-version.nse: local _, http_status, _ = http.identify_404(host,port) /usr/local/share/nmap/scripts/http-default-accounts.nse: local _, http_status, _ = http.identify_404(host,port) /usr/local/share/nmap/scripts/http-default-accounts.nse: local result, result_404, known_404 = http.identify_404(host, port) /usr/local/share/nmap/scripts/http-enum.nse: local result, result_404, known_404 = http.identify_404(host, port) /usr/local/share/nmap/scripts/http-huawei-hg5xx-vuln.nse: local _, http_status, _ = http.identify_404(host,port) /usr/local/share/nmap/scripts/http-malware-host.nse: local result, result_404, known_404 = http.identify_404(host, port) /usr/local/share/nmap/scripts/http-userdir-enum.nse: local result, result_404, known_404 = http.identify_404(host, port) /usr/local/share/nmap/scripts/http-vuln-cve2010-0738.nse: local _, http_status, _ = http.identify_404(host,port) /usr/local/share/nmap/scripts/http-wordpress-enum.nse: local status_404, result_404, body_404 = http.identify_404(host, port) /usr/local/share/nmap/scripts/http-wordpress-plugins.nse: local status_404, result_404, body_404 = http.identify_404(host, port) /usr/local/share/nmap/scripts/membase-http-info.nse: local _, http_status, _ = http.identify_404(host,port) /usr/local/share/nmap/scripts/riak-http-info.nse: local _, http_status, _ = http.identify_404(host,port) I recommend that we disable following redirects... data = get(host, port, URL_404_1,{redirect_ok=false}) but that means that we will have to do something intelligent with 301, 302, etc. in the context of the scripts above. Currently, for certain HTTP response codes http.identify_404 is returning success, http status code, nil local bad_responses = { 301, 302, 400, 401, 403, 499, 501, 503 } .....<snip>...... -- Loop through any expected error codes for _,code in pairs(bad_responses) do if(data.status and data.status == code) then stdnse.debug1("HTTP: Host returns %s instead of 404 File Not Found.", get_status_string(data)) return true, code end end This may change the logic in the calling scripts. I think http.identify_404 should return false and let the debug message from the code above be displayed if the user has enabled debugging. If there is approval I will implement the change and update the scripts above with a standard block of code. This will be tested against a python HTTP server that responds 200 OK to all requests as well as a server that responds to most default requests with a 302. Some of the scripts, like http-cakephp-version.nse, need to have the logic adjusted anyway to address some false positives. Thoughts? Tom _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NSE: http.identify_404 follows redirects Tom Sellers (Nov 30)
- Re: NSE: http.identify_404 follows redirects Tom Sellers (Dec 03)
- Re: NSE: http.identify_404 follows redirects Johanna Curiel (Dec 04)
- Re: NSE: http.identify_404 follows redirects Tom Sellers (Dec 05)
- Re: NSE: http.identify_404 follows redirects Johanna Curiel (Dec 05)
- Re: NSE: http.identify_404 follows redirects Christian Heinrich (Dec 05)
- Re: NSE: http.identify_404 follows redirects Johanna Curiel (Dec 04)
- Re: NSE: http.identify_404 follows redirects Tom Sellers (Dec 03)