File: http-methods.nse

package info (click to toggle)
nmap 6.47-3%2Bdeb8u2
  • links: PTS, VCS
  • area: main
  • in suites: jessie
  • size: 44,788 kB
  • ctags: 25,108
  • sloc: ansic: 89,741; cpp: 62,412; sh: 19,492; python: 17,323; xml: 11,413; perl: 2,529; makefile: 2,503; yacc: 608; lex: 469; asm: 372; java: 45
file content (154 lines) | stat: -rw-r--r-- 4,914 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
 
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Finds out what options are supported by an HTTP server by sending an
OPTIONS request. Lists potentially risky methods. Optionally tests each
method individually to see if they are subject to e.g. IP address
restrictions.

In this script, "potentially risky" methods are anything except GET,
HEAD, POST, and OPTIONS. If the script reports potentially risky
methods, they may not all be security risks, but you should check to
make sure. This page lists the dangers of some common methods:

http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29

The list of supported methods comes from the contents of the Allow and
Public header fields. In verbose mode, a list of all methods is printed,
followed by the list of potentially risky methods. Without verbose mode,
only the potentially risky methods are shown.
]]

---
-- @args http-methods.url-path The path to request. Defaults to
-- <code>/</code>.
-- @args http-methods.retest If defined, do a request using each method
-- individually and show the response code. Use of this argument can
-- make this script unsafe; for example <code>DELETE /</code> is
-- possible.
--
-- @output
-- 80/tcp open  http
-- | http-methods: GET HEAD POST OPTIONS TRACE
-- | Potentially risky methods: TRACE
-- | See http://nmap.org/nsedoc/scripts/http-methods.html
-- | GET / -> HTTP/1.1 200 OK
-- | HEAD / -> HTTP/1.1 200 OK
-- | POST / -> HTTP/1.1 200 OK
-- | OPTIONS / -> HTTP/1.1 200 OK
-- |_TRACE / -> HTTP/1.1 200 OK
--
-- @usage
-- nmap --script=http-methods.nse --script-args http-methods.retest=1 <target>
-- nmap --script=http-methods.nse --script-args http-methods.url-path=/website <target>

author = "Bernd Stroessenreuther <berny1@users.sourceforge.net>"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"default", "safe"}


-- We don't report these methods except with verbosity.
local UNINTERESTING_METHODS = {
  "GET", "HEAD", "POST", "OPTIONS"
}

local filter_out, merge_headers

portrule = shortport.http

action = function(host, port)
  local url_path, retest_http_methods
  local response, methods, options_status_line, output

  -- default values for script-args
  url_path = stdnse.get_script_args("http-methods.url-path") or "/"
  retest_http_methods = stdnse.get_script_args("http-methods.retest") ~= nil

  response = http.generic_request(host, port, "OPTIONS", url_path)
  if not response.status then
    stdnse.print_debug("http-methods: OPTIONS %s failed.", url_path)
    return
  end
  -- Cache in case retest is requested.
  options_status_line = response["status-line"]
  stdnse.print_debug("http-methods.nse: HTTP Status for OPTIONS is " .. response.status)

  if not (response.header["allow"] or response.header["public"]) then
    return string.format("No Allow or Public header in OPTIONS response (status code %d)", response.status)
  end

  -- The Public header is defined in RFC 2068, but was removed in its
  -- successor RFC 2616. It is implemented by at least IIS 6.0.
  methods = merge_headers(response.header, {"Allow", "Public"})

  output = {}

  if nmap.verbosity() > 0 then
    output[#output + 1] = stdnse.strjoin(" ", methods)
  end

  local interesting = filter_out(methods, UNINTERESTING_METHODS)
  if #interesting > 0 then
    output[#output + 1] = "Potentially risky methods: " .. stdnse.strjoin(" ", interesting)
    output[#output + 1] = "See http://nmap.org/nsedoc/scripts/http-methods.html"
  end

  -- retest http methods if requested
  if retest_http_methods then
    local _
    for _, method in ipairs(methods) do
      local str
      if method == "OPTIONS" then
        -- Use the saved value.
        str = options_status_line
      else
        response = http.generic_request(host, port, method, url_path)
        if not response.status then
          str = "Error getting response"
        else
          str = response["status-line"]
        end
      end
      output[#output + 1] = string.format("%s %s -> %s", method, url_path, str)
    end
  end

  return #output > 0 and stdnse.strjoin("\n", output) or nil
end

function filter_out(t, filter)
  local result = {}
  local _, e, f
  for _, e in ipairs(t) do
    if not stdnse.contains(filter, e) then
      result[#result + 1] = e
    end
  end
  return result
end

-- Split header field contents on commas and return a table without duplicates.
function merge_headers(headers, names)
  local seen = {}
  local result = {}

  for _, name in ipairs(names) do
    name = string.lower(name)
    if headers[name] then
      for _, v in ipairs(stdnse.strsplit(",%s*", headers[name])) do
        if not seen[v] then
          result[#result + 1] = v
        end
        seen[v] = true
      end
    end
  end

  return result
end