Relax http.parse_form to allow forms without an action

Patch from nnposter: http://seclists.org/nmap-dev/2014/q3/384
2025-12-06 04:31:29 +00:00 · 2014-09-18 03:38:23 +00:00
parent d518e2dbcb
commit 327496d50c
7 changed files with 6 additions and 8 deletions
--- a/scripts/http-sql-injection.nse
+++ b/scripts/http-sql-injection.nse
@@ -247,7 +247,7 @@ action = function(host, port)
      for _,form_plain in ipairs(all_forms) do
        local form = http.parse_form(form_plain)
        local path = r.url.path
-        if form then
+        if form and form.action then
          local vulnerable_fields = check_form(form, host, port, path)
          if #vulnerable_fields > 0 then
            vulnerable_fields["name"] = "Form at path: "..path..", form's action: "..form["action"]..". Fields that might be vulnerable:"