NSE: http.identify_404 - change to not follow redirects #251

Closed
wants to merge 11 commits into from

TomSellers

This PR changes http.identify_404 so that it no longer follows HTTP redirects, which caused false positives and other unexpected behavior. The PR also changes calls to this function in certain scripts to be more standardized and return nil instead of false.

Context:

References:
https://nmap.org/nsedoc/lib/http.html#identify_404
https://svn.nmap.org/nmap/nselib/http.lua
http://seclists.org/nmap-dev/2015/q4/186

http.identify_404 is a function that can be used to determine how an HTTP server responds to unknown pages. It can be used, for example, to detect when an HTTP server responds 200 OK to everything, which can break a script if it is merely checking the status code when requesting something like /MyAppsSpecialPage.

http.identify_404 follows HTTP redirects, which may result in unexpected behavior. I noticed this while testing some changes to a script against an Ethernet switch that generates a 302 redirect response for any request to /. http.identify_404 follows the redirect and then the 'data' variable contains the results for the new location instead of the specific URL that the script was asking for. The identify_404 function has code to deal with redirects and other errors but this won't be triggered if the call to http.get follows it first.

Relevant code is at line 2476 in nselib/http.lua

```lua
function identify_404(host, port)
  local data
  local bad_responses = { 301, 302, 400, 401, 403, 499, 501, 503 }

  -- The URLs used to check 404s
  local URL_404_1 = '/nmaplowercheck' .. os.time(os.date('*t'))
  local URL_404_2 = '/NmapUpperCheck' .. os.time(os.date('*t'))
  local URL_404_3 = '/Nmap/folder/check' .. os.time(os.date('*t'))

  data = get(host, port, URL_404_1)
```

The key change is in the last line:

```lua
data = get(host, port, URL_404_1,{redirect_ok=false})
```

A review of the scripts where identify_404 is being used did not find any place where it looked like following redirects would be desirable.

@nmap-bot nmap-bot closed this in 58f0032 Dec 5, 2015
@TomSellers TomSellers deleted the nse/http-redirect-issue branch December 5, 2015 11:25
qha pushed a commit to qha/nmap that referenced this pull request Dec 16, 2015