From ffd7a6dba5aac62fbd213134a64afcf250ea1407 Mon Sep 17 00:00:00 2001 From: david Date: Fri, 19 Feb 2010 02:34:45 +0000 Subject: [PATCH] Do some cleanup and shortening of http-methods.nse. --- scripts/http-methods.nse | 46 ++++++++++++++-------------------------- 1 file changed, 16 insertions(+), 30 deletions(-) diff --git a/scripts/http-methods.nse b/scripts/http-methods.nse index e6d56c9ac..ed73f1011 100644 --- a/scripts/http-methods.nse +++ b/scripts/http-methods.nse @@ -1,21 +1,19 @@ id = "HTTP allowed methods" description = [[ -Connects to an HTTP server and sends an OPTIONS request to see which HTTP methods are allowed on this server. - -By default, it tells only the Methods returned by an OPTIONS request in the Allow-Header. -In some cases a method is active, but requests with this method are only allowed e. g. from -certain IP addresses. -If http-methods.retest is set to true we also send one single request with every method found before -to see if it returns 200 OK or something other, e. g. 403 Forbidden +Connects to an HTTP server and sends an OPTIONS request to see which +HTTP methods are allowed on this server. Optionally tests each method +individually to see if they are subject to e.g. IP address restrictions. ]] --- --- @usage --- nmap --script=http-methods.nse [--script-args http-methods.url-path=,http-methods.retest=true|false] --- @args http-methods.url-path if You want another URL path than / just give it here (optional, defaults to /) --- @args http-methods.retest give true if You want to perfom a separat test for each --- HTTP method found - see @see description (optional, defaults to false) +-- @args http-methods.url-path The path to request. Defaults to +-- /. +-- @args http-methods.retest If defined, do a request using each method +-- individually and show the response code. Use of this argument can +-- make this script unsafe; for example DELETE / is +-- possible. +-- -- @output -- 80/tcp open http syn-ack Apache httpd 2.2.8 ((Ubuntu)) -- | HTTP allowed methods: according to OPTIONS request: GET,HEAD,POST,OPTIONS,TRACE @@ -24,6 +22,10 @@ to see if it returns 200 OK or something other, e. g. 403 Forbidden -- | HTTP Status for POST is 200 OK -- | HTTP Status for OPTIONS is 200 OK -- |_ HTTP Status for TRACE is 200 OK +-- +-- @usage +-- nmap --script=http-methods.nse --script-args http-methods.retest=1 +-- nmap --script=http-methods.nse --script-args http-methods.url-path=/website author = "Bernd Stroessenreuther " @@ -68,24 +70,8 @@ action = function(host, port) local socket, request, result, methods, protocol, output, httpstatus, methodsarray, i, own_httpstatus, url_path, retest_http_methods, try, catch, location -- default vaules for script-args - url_path = "/" - retest_http_methods = false - - -- evaluate script-args - if (nmap.registry.args ~= nil) - then - if (nmap.registry.args["http-methods.url-path"] ~= nil) - then - url_path = nmap.registry.args["http-methods.url-path"] - end - if (nmap.registry.args["http-methods.retest"] ~= nil) - then - if (nmap.registry.args["http-methods.retest"] == "true") - then - retest_http_methods = true - end - end - end + url_path = nmap.registry.args["http-methods.url-path"] or "/" + retest_http_methods = nmap.registry.args["http-methods.retest"] ~= nil catch = function() socket:close()