mirror of
https://github.com/nmap/nmap.git
synced 2025-12-09 06:01:28 +00:00
39f75dddeb
Ideas page. Basically this tests all the options not listed under the public or allow headers of the OPTIONS response.
210 lines
6.6 KiB
Lua
210 lines
6.6 KiB
Lua
local http = require "http"
|
|
local nmap = require "nmap"
|
|
local shortport = require "shortport"
|
|
local stdnse = require "stdnse"
|
|
local string = require "string"
|
|
local table = require "table"
|
|
|
|
description = [[
|
|
Finds out what options are supported by an HTTP server by sending an
|
|
OPTIONS request. Lists potentially risky methods. It tests those methods
|
|
not mentioned in the OPTIONS headers individually and sees if they are
|
|
implemented. Any output other than 501/405 suggests that the method is
|
|
if not in the range 400 to 600. If the response falls under that range then
|
|
it is compared to the response from a randomly generated method.
|
|
|
|
In this script, "potentially risky" methods are anything except GET,
|
|
HEAD, POST, and OPTIONS. If the script reports potentially risky
|
|
methods, they may not all be security risks, but you should check to
|
|
make sure. This page lists the dangers of some common methods:
|
|
|
|
http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
|
|
|
|
The list of supported methods comes from the contents of the Allow and
|
|
Public header fields. In verbose mode, a list of all methods is printed,
|
|
followed by the list of potentially risky methods. Without verbose mode,
|
|
only the potentially risky methods are shown.
|
|
]]
|
|
|
|
---
|
|
-- @args http.url-path The path to request. Defaults to
|
|
-- <code>/</code>.
|
|
-- @args http.retest If defined, do a request using each method
|
|
-- individually and show the response code. Use of this argument can
|
|
-- make this script unsafe; for example <code>DELETE /</code> is
|
|
-- possible. All methods received through options are tested with generic
|
|
-- requests. Saved status lines are shown for rest.
|
|
-- @args http.test-all If set true tries all the unsafe methods as well.
|
|
--
|
|
-- @output
|
|
-- PORT STATE SERVICE REASON
|
|
-- 80/tcp open http syn-ack
|
|
-- | http-methods:
|
|
-- |_ Supported Methods: GET HEAD POST OPTIONS
|
|
--
|
|
-- @usage
|
|
-- nmap --script http-methods --script-args <target>
|
|
-- nmap --script http-methods --script-args http.url-path='/website' <target>
|
|
--
|
|
-- @xmloutput
|
|
-- <elem key="Supported Methods">GET HEAD POST OPTIONS</elem>
|
|
|
|
|
|
author = {"Bernd Stroessenreuther <berny1@users.sourceforge.net>", "Gyanendra Mishra"}
|
|
|
|
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
|
|
|
categories = {"default", "safe"}
|
|
|
|
local function check_allowed(random_resp, response)
|
|
if response.status == 405 or response.status == 501 then
|
|
return false
|
|
end
|
|
if response.status < 600 and response.status >= 400 and response.status == random_resp.status then
|
|
return false
|
|
end
|
|
return true
|
|
end
|
|
|
|
local function filter_out(t, filter)
|
|
local result = {}
|
|
local _, e, f
|
|
for _, e in ipairs(t) do
|
|
if not stdnse.contains(filter, e) then
|
|
result[#result + 1] = e
|
|
end
|
|
end
|
|
return result
|
|
end
|
|
|
|
|
|
-- Split header field contents on commas and return a table without duplicates.
|
|
local function merge_headers(headers, names)
|
|
local seen = {}
|
|
local result = {}
|
|
|
|
for _, name in ipairs(names) do
|
|
name = string.lower(name)
|
|
if headers[name] then
|
|
for _, v in ipairs(stdnse.strsplit(",%s*", headers[name])) do
|
|
if not seen[v] then
|
|
result[#result + 1] = v
|
|
end
|
|
seen[v] = true
|
|
end
|
|
end
|
|
end
|
|
|
|
return result
|
|
end
|
|
|
|
-- We don't report these methods except with verbosity.
|
|
local SAFE_METHODS = {
|
|
"GET", "HEAD", "POST", "OPTIONS"
|
|
}
|
|
|
|
local UNSAFE_METHODS = {
|
|
"DELETE", "PUT", "CONNECT", "TRACE"
|
|
}
|
|
|
|
portrule = shortport.http
|
|
|
|
action = function(host, port)
|
|
|
|
local path, retest_http_methods, test_all_unsafe
|
|
local response, methods, options_status_line
|
|
local output = stdnse.output_table()
|
|
local options_status = true
|
|
|
|
-- default values for script-args
|
|
path = stdnse.get_script_args(SCRIPT_NAME .. ".url-path") or '/'
|
|
retest_http_methods = stdnse.get_script_args(SCRIPT_NAME .. ".retest") or false
|
|
test_all_unsafe = stdnse.get_script_args(SCRIPT_NAME .. ".test-all") or false
|
|
|
|
response = http.generic_request(host, port, "OPTIONS", path)
|
|
if not response.status then
|
|
options_status = false
|
|
stdnse.debug1("OPTIONS %s failed.", path)
|
|
end
|
|
-- Cache in case retest is requested.
|
|
if options_status then
|
|
options_status_line = response["status-line"]
|
|
stdnse.debug1("HTTP Status for OPTIONS is " .. response.status)
|
|
if not(response.header["allow"] or response.header["public"]) then
|
|
stdnse.debug1("No Allow or Public header in OPTIONS response (status code %d)", response.status)
|
|
end
|
|
end
|
|
|
|
-- The Public header is defined in RFC 2068, but was removed in its
|
|
-- successor RFC 2616. It is implemented by at least IIS 6.0.
|
|
methods = merge_headers(response.header, {"Allow", "Public"})
|
|
|
|
local to_test = {}
|
|
local status_lines = {}
|
|
|
|
for _, method in pairs(SAFE_METHODS) do
|
|
if not stdnse.contains(methods, method) then
|
|
table.insert(to_test, method)
|
|
end
|
|
end
|
|
|
|
if test_all_unsafe then
|
|
for _, method in pairs(UNSAFE_METHODS) do
|
|
if not stdnse.contains(methods, method) then
|
|
table.insert(to_test, method)
|
|
end
|
|
end
|
|
end
|
|
|
|
local random_resp = http.generic_request(host, port, stdnse.generate_random_string(4), path)
|
|
stdnse.debug1("Response Code to Random Method is %d", random_resp.status or nil)
|
|
for _, method in pairs(to_test) do
|
|
response = http.generic_request(host, port, method, path)
|
|
if response.status and check_allowed(random_resp, response) then
|
|
stdnse.debug2("Method %s not in OPTIONS found to exist. STATUS %d", method, response.status)
|
|
table.insert(methods, method)
|
|
status_lines[method] = response['status-line']
|
|
end
|
|
end
|
|
|
|
if nmap.verbosity() > 0 and #methods > 0 then
|
|
output["Supported Methods"] = stdnse.strjoin(" ", methods)
|
|
end
|
|
|
|
local interesting = filter_out(methods, SAFE_METHODS)
|
|
if #interesting > 0 then
|
|
output["Potentially risky methods"] = stdnse.strjoin(" ", interesting)
|
|
end
|
|
|
|
if path ~= '/' then
|
|
output["Path tested"] = path
|
|
end
|
|
|
|
-- retest http methods if requested
|
|
if retest_http_methods then
|
|
output["Status Lines"] = {}
|
|
for _, method in ipairs(methods) do
|
|
local str
|
|
if method == "OPTIONS" then
|
|
-- Use the saved value.
|
|
str = options_status_line
|
|
elseif stdnse.contains(to_test, method) then
|
|
-- use the value saved earlier.
|
|
str = status_lines[method]
|
|
-- this case arises when methods in the Public or Allow headers are retested.
|
|
else
|
|
response = http.generic_request(host, port, method, path)
|
|
if not response.status then
|
|
str = "Error getting response"
|
|
else
|
|
str = response["status-line"]
|
|
end
|
|
end
|
|
str = str:gsub('\r?\n?', "")
|
|
output["Status Lines"][method] = str
|
|
end
|
|
end
|
|
if #output > 0 then return output else return nil end
|
|
end
|
|
|