Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

False positive: http-backup-finder #242

TomSellers opened this issue Nov 24, 2015 · 2 comments

False positive: http-backup-finder #242

TomSellers opened this issue Nov 24, 2015 · 2 comments


Copy link

http-backup-finder.nse generates false positives if the target doesn't have the HEAD verb implemented.

Line 135:

local response = http.head(host, port, escaped_link)
    if http.page_exists(response, res404, known404, escaped_link, true) then
      if ( not(parsed.port) ) then

If the HEAD verb isn't implemented ..

HTTP: Page didn't match the 404 response (501 Not Implemented) (/cgi-bin/dynamic/printer/style_dell.css.~1~)

.. the code detects this as a valid response and adds it to the table.

I can think of three changes that might improve this:

  1. Detect the lack of HEAD and fail.
  2. Detect the lack of HEAD and change to GET
  3. Change the code to just use GET
Copy link

I think option 2 is best. There's a function that can help with this, http.can_use_head.

Copy link

I am about to commit a fix for this that will address three issues, each of which contributed to false positives:

  1. Check to see if the service supports the HTTP HEAD verb before leveraging the results of a HEAD request in the script logic. If HEAD is not supported, switch requests to GET.
  2. Change the HEAD and new GET request so that they do not follow redirects. The status codes and content for the redirect target would be used in the logic instead of the actual script's request resulting in false positives.
  3. Change the value passed to the 'displayall' ( 5th) option of call to http.page_exists [1] from true to false so that 302, 500, etc. HTTP responses will not be considered as validation of existence. A 401 authentication required response is still allowed to cause a URL to be included in the script result.



CC @dmiller-nmap

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

No branches or pull requests

2 participants