NSE: http.identify_404 - change to not follow redirects #251
This PR changes http.identify_404 so that it no longer follows HTTP redirects which caused false positives and other unexpected behavior. The PR also changes calls to this function in certain scripts to be more standardized and return nil instead of false.
Context:
References:
https://nmap.org/nsedoc/lib/http.html#identify_404
https://svn.nmap.org/nmap/nselib/http.lua
http://seclists.org/nmap-dev/2015/q4/186
http.identify_404 is a function that can be used to determine how an HTTP server responds to unknown pages. It can be used, for example, to detect when an HTTP server responds 200 OK to everything which can break a script if it is merely checking the status code when requesting something like /MyAppsSpecialPage.
http.identify_404 follows HTTP redirects which may result in unexpected behavior. I noticed this while testing some changes to a script against an Ethernet switch that generates a 302 redirect response for any request to /. http.identify_404 follows the redirect and then the 'data' variable contains the results for the new location instead of the specific URL that the script was asking for. The identify_404 function has code to deal with redirects and other errors but this won't be triggered if the call to http.get follows it first.
Relevant code is at line 2476 in nselib/http.lua
The key change is in the last line:
A review of the scripts where identify_404 is being used did not find any place where it looked like following redirects would be desirable.
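The failure mode described in this PR, as a simplified Python model added here for illustration; it is not code from the PR or from nselib/http.lua. The names `toy_switch`, `catch_all`, `fetch` and `probe_unknown_page` are hypothetical, and the device behaviour (every path except the login page answers 302) is constructed.

```python
import secrets

LOGIN = "<html>Switch login</html>"
REDIRECTS = (301, 302, 303, 307, 308)

def toy_switch(path):
    """Constructed device: redirects everything except its login page."""
    if path == "/login.html":
        return {"status": 200, "headers": {}, "body": LOGIN}
    return {"status": 302, "headers": {"location": "/login.html"}, "body": ""}

def catch_all(path):
    """Constructed server that really does answer 200 OK to every path."""
    return {"status": 200, "headers": {}, "body": "<html>Welcome</html>"}

def fetch(server, path, follow_redirects, max_hops=5):
    """Request a path; optionally chase Location headers like a browser."""
    resp = server(path)
    hops = 0
    while follow_redirects and resp["status"] in REDIRECTS and hops < max_hops:
        resp = server(resp["headers"]["location"])
        hops += 1
    return resp

def probe_unknown_page(server, follow_redirects):
    """Ask for a page that cannot exist and classify the answer."""
    path = "/nonexistent-" + secrets.token_hex(8)
    resp = fetch(server, path, follow_redirects)
    if resp["status"] == 200:
        # Treated as "this server says 200 for unknown pages".
        return ("soft-404", resp["body"])
    if resp["status"] in REDIRECTS:
        # The redirect-handling branch; unreachable if fetch() already
        # followed the redirect.
        return ("redirect", resp["headers"].get("location"))
    return ("status", resp["status"])

if __name__ == "__main__":
    # Following redirects: the probe reports the login page's 200 and body,
    # i.e. data for the new location rather than the URL that was probed.
    print(probe_unknown_page(toy_switch, follow_redirects=True))
    # Not following: the probe sees the 302 for the URL it actually asked for.
    print(probe_unknown_page(toy_switch, follow_redirects=False))
    # A genuine 200-to-everything server is still detected without following.
    print(probe_unknown_page(catch_all, follow_redirects=False))
```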