False positive: http-backup-finder #242

Closed
TomSellers opened this Issue Nov 24, 2015 · 2 comments

@TomSellers

http-backup-finder.nse generates false positives if the target doesn't have the HEAD verb implemented.

Line 135:

    local response = http.head(host, port, escaped_link)
    if http.page_exists(response, res404, known404, escaped_link, true) then
      if ( not(parsed.port) ) then
        table.insert(backups,

If the HEAD verb isn't implemented ..

HTTP: Page didn't match the 404 response (501 Not Implemented) (/cgi-bin/dynamic/printer/style_dell.css.~1~)

.. the code detects this as a valid response and adds it to the table.

I can think of three changes that might improve this:

  1. Detect the lack of HEAD and fail.
  2. Detect the lack of HEAD and change to GET.
  3. Change the code to just use GET.

@dmiller-nmap

I think option 2 is best. There's a function that can help with this, http.can_use_head.

@TomSellers

I am about to commit a fix for this that will address three issues, each of which contributed to false positives:

  1. Check to see if the service supports the HTTP HEAD verb before leveraging the results of a HEAD request in the script logic. If HEAD is not supported, switch requests to GET.
  2. Change the HEAD and new GET request so that they do not follow redirects. The status codes and content for the redirect target would be used in the logic instead of the actual script's request, resulting in false positives.
  3. Change the value passed to the 'displayall' (5th) option of the call to http.page_exists [1] from true to false so that 302, 500, etc. HTTP responses will not be considered as validation of existence. A 401 authentication required response is still allowed to cause a URL to be included in the script result.

Reference:

  1. https://nmap.org/nsedoc/lib/http.html#page_exists

CC @dmiller-nmap
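The three changes described in the comment above, shown together as an added illustration (this is not the committed nmap code): HEAD support is checked with http.can_use_head before its result is trusted, redirects are not followed, and http.page_exists is called with displayall=false. The helper name check_backup and the option table are assumptions; the http library functions used are the documented NSE ones.

```lua
-- Added example, not the http-backup-finder.nse fix itself.
local http = require "http"
local stdnse = require "stdnse"

-- Probe one candidate backup path and return true only when the
-- response should count as evidence that the file exists.
local function check_backup(host, port, path)
  -- Fingerprint the server's behaviour for unknown pages first, so that
  -- "not found" can be told apart from "not implemented".
  local status, res404, known404 = http.identify_404(host, port)
  if not status then
    stdnse.debug1("Could not fingerprint the 404 response; skipping %s", path)
    return false
  end

  -- Fix 1: only rely on HEAD if the service actually implements it.
  -- A 501 Not Implemented would otherwise look like a "real" page.
  local use_head = http.can_use_head(host, port, res404, path)

  -- Fix 2: never follow redirects, so the redirect target's status code
  -- and body cannot stand in for the candidate URL's own response.
  local options = { redirect_ok = false, no_cache = true }

  local response
  if use_head then
    response = http.head(host, port, path, options)
  else
    response = http.get(host, port, path, options)
  end
  if not response or not response.status then
    return false
  end

  -- Fix 3: displayall=false, so 302, 500 and similar responses are not
  -- treated as proof of existence; page_exists still reports a 401.
  return http.page_exists(response, res404, known404, path, false)
end

return { check_backup = check_backup }
```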

@nmap-bot nmap-bot closed this in 25c891d Dec 13, 2015
@qha qha added a commit to qha/nmap that referenced this issue Dec 16, 2015
@qha tomsellers + qha NSE: http-backup-finder.nse Address 3 sources of false positives. Clo…
…ses #242
6b46d8d