New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

False positive: http-backup-finder #242

Closed
TomSellers opened this Issue Nov 24, 2015 · 2 comments

Comments

Projects
None yet
2 participants
@TomSellers

TomSellers commented Nov 24, 2015

http-backup-finder.nse generates false positives if the target doesn't have the HEAD verb implemented.

Line 135:

local response = http.head(host, port, escaped_link)
    if http.page_exists(response, res404, known404, escaped_link, true) then
      if ( not(parsed.port) ) then
        table.insert(backups,

If the HEAD verb isn't implemented ..

HTTP: Page didn't match the 404 response (501 Not Implemented) (/cgi-bin/dynamic/printer/style_dell.css.~1~)

.. the code detects this as a valid response and adds it to the table.

I can think of three changes that might improve this:

  1. Detect the lack of HEAD and fail.
  2. Detect the lack of HEAD and change to GET
  3. Change the code to just use GET
@dmiller-nmap

This comment has been minimized.

Show comment
Hide comment
@dmiller-nmap

dmiller-nmap Nov 29, 2015

I think option 2 is best. There's a function that can help with this, http.can_use_head.

dmiller-nmap commented Nov 29, 2015

I think option 2 is best. There's a function that can help with this, http.can_use_head.

@TomSellers

This comment has been minimized.

Show comment
Hide comment
@TomSellers

TomSellers Dec 13, 2015

I am about to commit a fix for this that will address three issues, each of which contributed to false positives:

  1. Check to see if the service supports the HTTP HEAD verb before leveraging the results of a HEAD request in the script logic. If HEAD is not supported, switch requests to GET.
  2. Change the HEAD and new GET request so that they do not follow redirects. The status codes and content for the redirect target would be used in the logic instead of the actual script's request resulting in false positives.
  3. Change the value passed to the 'displayall' ( 5th) option of call to http.page_exists [1] from true to false so that 302, 500, etc. HTTP responses will not be considered as validation of existence. A 401 authentication required response is still allowed to cause a URL to be included in the script result.

Reference:

  1. https://nmap.org/nsedoc/lib/http.html#page_exists

CC @dmiller-nmap

TomSellers commented Dec 13, 2015

I am about to commit a fix for this that will address three issues, each of which contributed to false positives:

  1. Check to see if the service supports the HTTP HEAD verb before leveraging the results of a HEAD request in the script logic. If HEAD is not supported, switch requests to GET.
  2. Change the HEAD and new GET request so that they do not follow redirects. The status codes and content for the redirect target would be used in the logic instead of the actual script's request resulting in false positives.
  3. Change the value passed to the 'displayall' ( 5th) option of call to http.page_exists [1] from true to false so that 302, 500, etc. HTTP responses will not be considered as validation of existence. A 401 authentication required response is still allowed to cause a URL to be included in the script result.

Reference:

  1. https://nmap.org/nsedoc/lib/http.html#page_exists

CC @dmiller-nmap

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment