Nmap Development mailing list archives
Re: [NSE] NSE script to detect web apps vulnerable to HTTPoxy
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 12 Sep 2016 09:51:16 -0500
Paulino,

Thanks for the update. Looking forward to getting this reviewed and merged!

Dan

On Sun, Sep 11, 2016 at 9:02 PM, Paulino Calderon <paulino () calderonpale com> wrote:
Hey list,

I finally got around to updating the script. After considering your feedback I applied the following changes:

* Requests are interleaved now.
* 30 requests are sent to calculate the average response time. (We could probably do less but this works even in my terrible connection)
* Proxy header uses a random but valid hostname. The additional time gets introduced when resolving the name + connection time.
* To mark a host vulnerable, the bad response time needs to be at least twice as big as the normal one. In my vulnerable instances this worked fine, we could probably go with 1.5 but I rather stayed on the safe side. This also fixed the issue with false positives when calculating if the host was vulnerable with mean deviation calculations.

I will wait a few days to give everyone a chance to test it before committing.

Cheers.

http-httpoxy.nse: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/http-httpoxy.nse
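The decision rule described in the quoted message (interleaved requests, 30 samples per variant, a random hostname in the Proxy header, a 2x threshold on the average response time), as an added example in Python. It is not code from http-httpoxy.nse; the timed_request callback, the example.com suffix, the simulated latencies and the minimum-sample rule are assumptions made for this example.

```python
import random
import statistics
import string

SAMPLES = 30      # requests per variant, as stated in the message
THRESHOLD = 2.0   # "at least twice as big as the normal one"

def random_hostname(rng, suffix="example.com"):
    # suffix is a placeholder chosen for this example
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(12))
    return f"{label}.{suffix}"

def assess(timed_request, samples=SAMPLES, threshold=THRESHOLD, rng=None):
    """timed_request(headers) returns elapsed seconds, or None on failure."""
    rng = rng or random.Random()
    normal, proxied = [], []
    for _ in range(samples):
        # Interleave the two variants so load changes affect both series alike.
        proxy = {"Proxy": "http://" + random_hostname(rng)}
        for series, headers in ((normal, {}), (proxied, proxy)):
            elapsed = timed_request(headers)
            if elapsed is not None:
                series.append(elapsed)
    # Assumed rule: refuse to decide when over half of either series failed.
    if min(len(normal), len(proxied)) < samples / 2:
        return {"vulnerable": None, "reason": "too few successful samples"}
    base, bad = statistics.mean(normal), statistics.mean(proxied)
    if base <= 0:
        return {"vulnerable": None, "reason": "baseline time is zero"}
    ratio = bad / base
    return {"vulnerable": ratio >= threshold, "baseline": base,
            "with_proxy": bad, "ratio": ratio}

def simulated_server(honours_proxy, seed):
    # Constructed latency model standing in for a real target.
    rng = random.Random(seed)
    def timed_request(headers):
        elapsed = rng.uniform(0.08, 0.12)          # normal response time
        if honours_proxy and "Proxy" in headers:
            elapsed += rng.uniform(0.20, 0.30)     # name resolution + connect
        return elapsed
    return timed_request

if __name__ == "__main__":
    for honours in (True, False):
        print(honours, assess(simulated_server(honours, seed=1)))
```

With the simulated latencies above, ordinary jitter alone can push the ratio to at most 1.5, which is why the 2x threshold does not flag the server that ignores the header.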