PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-08 13:41:29 +00:00
Code Issues Projects Releases Wiki Activity

Make http-methods.nse merge the contents of the Allow and Public

Browse Source 
headers, as suggested by Patrik Karlsson.
This commit is contained in:
david
2010-03-02 20:27:08 +00:00
parent a39c302fcc
commit ce18e4bb54
1 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
scripts/http-methods.nse
View File

@@ -20,7 +20,7 @@ or if Nmap is run in verbose mode, then all of them are reported.
-- --
-- @output -- @output
-- 80/tcp open http syn-ack -- 80/tcp open http syn-ack
-- | http-methods: GET,HEAD,POST,OPTIONS,TRACE -- | http-methods: GET HEAD POST OPTIONS TRACE
-- | GET / -> HTTP/1.1 200 OK -- | GET / -> HTTP/1.1 200 OK
-- | HEAD / -> HTTP/1.1 200 OK -- | HEAD / -> HTTP/1.1 200 OK
-- | POST / -> HTTP/1.1 200 OK -- | POST / -> HTTP/1.1 200 OK
@@ -46,7 +46,7 @@ local UNINTERESTING_METHODS = {
"GET", "HEAD", "POST", "OPTIONS" "GET", "HEAD", "POST", "OPTIONS"
} }
local filter_out local filter_out, merge_headers
portrule = function(host, port) portrule = function(host, port)
if not (port.service == 'http' or port.service == 'https') if not (port.service == 'http' or port.service == 'https')
@@ -79,8 +79,8 @@ action = function(host, port)
options_status_line = response["status-line"] options_status_line = response["status-line"]
stdnse.print_debug("http-methods.nse: HTTP Status for OPTIONS is " .. response.status) stdnse.print_debug("http-methods.nse: HTTP Status for OPTIONS is " .. response.status)
if not response.header["allow"] then if not (response.header["allow"] or response.header["public"]) then
return string.format("No Allow header in OPTIONS response (status code %d)", response.status) return string.format("No Allow or Public header in OPTIONS response (status code %d)", response.status)
end end
if nmap.verbosity() == 0 then if nmap.verbosity() == 0 then
@@ -89,12 +89,14 @@ action = function(host, port)
uninteresting = {} uninteresting = {}
end end
methods = stdnse.strsplit(",%s*", response.header["allow"]) -- The Public header is defined in RFC 2068, but was removed in its
-- successor RFC 2616. It is implemented by at least IIS 6.0.
methods = merge_headers(response.header, {"Allow", "Public"})
if #filter_out(methods, uninteresting) == 0 then if #filter_out(methods, uninteresting) == 0 then
return return
end end
output = { response.header["allow"] } output = { stdnse.strjoin(" ", methods) }
-- retest http methods if requested -- retest http methods if requested
if retest_http_methods then if retest_http_methods then
@@ -139,3 +141,23 @@ function filter_out(t, filter)
end end
return result return result
end end
-- Split header field contents on commas and return a table without duplicates.
function merge_headers(headers, names)
local seen = {}
local result = {}
for _, name in ipairs(names) do
name = string.lower(name)
if headers[name] then
for _, v in ipairs(stdnse.strsplit(",%s*", headers[name])) do
if not seen[v] then
result[#result + 1] = v
end
seen[v] = true
end
end
end
return result
end