Nmap Development mailing list archives
[RFC][NSE] Incomplete HTTP response body
From: nnposter <nnposter () users sourceforge net>
Date: Fri, 17 Mar 2017 14:16:24 -0600
Nmappers,

Recent e-mail thread "Get value in IncompleteRead exception", http://seclists.org/nmap-dev/2017/q1/191, covered the fact that the current NSE HTTP library does not provide a means to obtain partially received response bodies. If the response parsing fails for whatever reason, the caller only gets a nil status, and the status line contains a one-line error message. The caller specifically does not get any data from the response itself.

I have put together a patch that adds a new member to the response object. If an HTTP response fails while processing the body, then this member gets populated with a body fragment received up to that point.

The value proposition is that probing for HTTP vulnerabilities sometimes results in incorrectly formed bodies. The content length might be off or the chunks are corrupted. With this modification a vulnerability test script might still be able to use the HTTP library, instead of hand-rolling the request.

I am looking for opinions on whether such functionality is desirable or not. The attached patch applies cleanly against r36651 if you want to try it out. I am not going to commit it by default, without a reasonable consensus.

Thank you for your thoughts,
nnposter
Attachment:
http-body-fragment.patch
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
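
An added illustration of the behaviour proposed in the message above; it is not the attached patch, not code from NSE's HTTP library, and not written by the poster. It is a standalone Lua body decoder that, when the content length is off or a chunk is corrupted, returns the part of the body decoded up to that point along with the error. The function `decode_body` and the field name `fragment` are assumptions, since the page does not show the member name the patch uses.

```lua
-- Added illustration; decode_body() and the "fragment" field are hypothetical
-- names, not taken from the attached patch or from NSE's http.lua.

-- Decode an HTTP/1.1 body already read into the string `raw`.
-- `headers` uses lower-case keys. Returns the body on success; on failure
-- returns nil, an error string, and the part of the body decoded so far.
local function decode_body(headers, raw)
  if (headers["transfer-encoding"] or ""):lower() == "chunked" then
    local parts, pos = {}, 1
    while true do
      -- chunk-size line: hex digits, optional extensions, CRLF
      local hex, data_pos = raw:match("^(%x+)[^\r\n]*\r\n()", pos)
      if not hex then
        return nil, "bad chunk size line", table.concat(parts)
      end
      local size = tonumber(hex, 16)
      if size == 0 then return table.concat(parts) end
      local data = raw:sub(data_pos, data_pos + size - 1)
      parts[#parts + 1] = data          -- keep even a short chunk
      if #data < size then
        return nil, "truncated chunk", table.concat(parts)
      end
      if raw:sub(data_pos + size, data_pos + size + 1) ~= "\r\n" then
        return nil, "missing chunk terminator", table.concat(parts)
      end
      pos = data_pos + size + 2
    end
  end
  local want = tonumber(headers["content-length"] or "")
  if want and #raw < want then
    return nil, "body shorter than Content-Length", raw
  end
  return want and raw:sub(1, want) or raw
end

-- Constructed sample responses (not captured traffic).
local samples = {
  { {["content-length"] = "20"}, "only 12 byte" },
  { {["transfer-encoding"] = "chunked"}, "5\r\nhello\r\nZZ\r\nworld\r\n0\r\n\r\n" },
  { {["transfer-encoding"] = "chunked"}, "5\r\nhello\r\n0\r\n\r\n" },
}
for _, s in ipairs(samples) do
  local response = {}
  local body, err, fragment = decode_body(s[1], s[2])
  response.body, response.fragment = body, fragment
  -- A caller can still inspect response.fragment when response.body is nil.
  print(body and "ok" or ("error: " .. err),
        ("%q"):format(response.body or response.fragment))
end
```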
Current thread:
- [RFC][NSE] Incomplete HTTP response body nnposter (Mar 17)
- Re: [RFC][NSE] Incomplete HTTP response body Daniel Miller (Mar 19)
- Re: [RFC][NSE] Incomplete HTTP response body nnposter (Mar 19)
- Re: [RFC][NSE] Incomplete HTTP response body Daniel Miller (Mar 27)
- Re: [RFC][NSE] Incomplete HTTP response body nnposter (Mar 29)
- Re: [RFC][NSE] Incomplete HTTP response body nnposter (Mar 19)
- Re: [RFC][NSE] Incomplete HTTP response body Daniel Miller (Mar 19)