o [NSE] Added the http-method-tamper script that detects authentication bypass

vulnerabilities using the http HEAD method as reported in CVE-2010-738.
  [Hani Benhabiles]

CHANGELOG

@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added the http-method-tamper script that detects authentication bypass
+  vulnerabilities using the http HEAD method as reported in CVE-2010-738.
+  [Hani Benhabiles]
+ 
 o [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it
   finds packets not only from or to the scanning host. [David]
 

scripts/http-method-tamper.nse

@@ -0,0 +1,70 @@
+description = [[
+Checks if a JBoss target is vulnerable to jmx console authentication bypass.
+
+It works by checking if the target paths require authentication or redirect to a login page that could be
+bypassed via a HEAD request. RFC 2616 specifies that the HEAD request should be treated exactly like GET but
+with no returned response body. The script also detects if the URL does not require authentication at all.
+
+For more information, see:
+* CVE-2010-738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
+* http://www.imperva.com/resources/glossary/http_verb_tampering.html
+* https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
+
+]]
+
+---
+-- @usage
+-- nmap --script=http-method-tamper --script-args 'http-method-tamper.paths={/path1/,/path2/}' <target>
+--
+-- @output
+-- PORT   STATE SERVICE
+-- 80/tcp open  http
+-- | http-method-tamper: 
+-- |_  /jmx-console/: Authentication bypass.
+--
+-- @args http-method-tamper.path Array of paths to check. Defaults 
+-- to <code>{"/jmx-console/"}</code>.
+
+author = "Hani Benhabiles <kroosec@gmail.com>"
+
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+
+categories = {"safe", "auth"}
+
+require 'shortport'
+require 'http'
+require 'stdnse'
+
+portrule = shortport.http
+
+action = function(host, port)
+	local paths = stdnse.get_script_args("http-method-tamper.paths")
+    local result = {}
+
+	-- convert single string entry to table
+	if ( "string" == type(paths) ) then
+		paths = { paths }
+	end
+	
+	-- fallback to jmx-console
+	paths = paths or {"/jmx-console/"}
+
+    for _, path in ipairs(paths) do
+        local getstatus = http.get(host, port, path).status
+
+        -- Checks if HTTP authentication or a redirection to a login page is applied.
+        if getstatus == 401 or getstatus == 302 then
+            local headstatus = http.head(host, port, path).status
+            if headstatus == 200 then
+                -- Vulnerable to authentication bypass.
+				table.insert(result, ("%s: Authentication bypass possible"):format(path))
+            end
+        -- Checks if no authentication is required for Jmx console
+        -- which is default configuration and common.
+        elseif getstatus == 200 then
+			table.insert(result, ("%s: Authentication was not required"):format(path))
+        end
+    end
+    
+    return stdnse.format_output(true, result)
+end

scripts/script.db

@@ -101,6 +101,7 @@ Entry { filename = "http-joomla-brute.nse", categories = { "brute", "intrusive",
 Entry { filename = "http-litespeed-sourcecode-download.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-majordomo2-dir-traversal.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-malware-host.nse", categories = { "malware", "safe", } }
+Entry { filename = "http-method-tamper.nse", categories = { "auth", "safe", } }
 Entry { filename = "http-methods.nse", categories = { "default", "safe", } }
 Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } }
 Entry { filename = "http-passwd.nse", categories = { "intrusive", "vuln", } }