Skip to content
master
Go to file
Code

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
Sep 18, 2017

README.md

optionsbleed

This is a proof of concept code to test for the Optionsbleed bug in Apache httpd (CVE-2017-9798).

Please consider using the tool Snallygaster instead, it has a check for optionsbleed included:

snallygaster -t optionsbleed [host]

usage

optionsbleed [-h] [-n N] [-a] [-u] hosttocheck

Check for the Optionsbleed vulnerability (CVE-2017-9798).

positional arguments:
  hosttocheck  The hostname you want to test against

optional arguments:
  -h, --help   show this help message and exit
  -n N         number of tests (default 10)
  -a, --all    show headers from hosts without problems
  -u, --url    pass URL instead of hostname

Tests server for Optionsbleed bug and other bugs in the allow header.

Automatically checks http://, https://, http://www. and https://www. -
except if you pass -u/--url (which means by default we check 40 times.)

output explanation

The script outputs the returned Allow header and prefixes it with an explanation what is wrong with it. By default there will be no output if the server is not vulnerable, this can be changed with the -a/--all parameter.

[bleed]

A corrupted header was sent, very likely the Optionsbleed bug.

[empty]

An empty header was sent, which is bogus.

[spaces]

The list of methods was space-separated instead of comma-separated.

This is a bug, but harmless. It may be Launchpad bug #1717682.

[duplicates]

Some methods were sent multiple times in the list.

This is a bug, but harmless. It may be Apache bug #61207.

[ok]

Nothing wrong with this header (only sent with -a/--all).

About

No description, website, or topics provided.

Resources

License

Releases

No releases published

Packages

No packages published

Languages

You can’t perform that action at this time.