Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive: http-backup-finder #242

Closed
TomSellers opened this issue Nov 24, 2015 · 2 comments
Closed

False positive: http-backup-finder #242

TomSellers opened this issue Nov 24, 2015 · 2 comments
Labels
bug NSE

Comments

@TomSellers
Copy link

http-backup-finder.nse generates false positives if the target doesn't have the HEAD verb implemented.

Line 135:

local response = http.head(host, port, escaped_link)
    if http.page_exists(response, res404, known404, escaped_link, true) then
      if ( not(parsed.port) ) then
        table.insert(backups,

If the HEAD verb isn't implemented ..

HTTP: Page didn't match the 404 response (501 Not Implemented) (/cgi-bin/dynamic/printer/style_dell.css.~1~)

.. the code detects this as a valid response and adds it to the table.

I can think of three changes that might improve this:

  1. Detect the lack of HEAD and fail.
  2. Detect the lack of HEAD and change to GET
  3. Change the code to just use GET
@dmiller-nmap
Copy link

I think option 2 is best. There's a function that can help with this, http.can_use_head.

@TomSellers
Copy link
Author

I am about to commit a fix for this that will address three issues, each of which contributed to false positives:

  1. Check to see if the service supports the HTTP HEAD verb before leveraging the results of a HEAD request in the script logic. If HEAD is not supported, switch requests to GET.
  2. Change the HEAD and new GET request so that they do not follow redirects. The status codes and content for the redirect target would be used in the logic instead of the actual script's request resulting in false positives.
  3. Change the value passed to the 'displayall' ( 5th) option of call to http.page_exists [1] from true to false so that 302, 500, etc. HTTP responses will not be considered as validation of existence. A 401 authentication required response is still allowed to cause a URL to be included in the script result.

Reference:

  1. https://nmap.org/nsedoc/lib/http.html#page_exists

CC @dmiller-nmap

qha pushed a commit to qha/nmap that referenced this issue Dec 16, 2015
@qha
NSE: http-backup-finder.nse Address 3 sources of false positives. Closes
6b46d8d 
 nmap#242
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug NSE
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@TomSellers @dmiller-nmap