NSE: http.identify_404 - change to not follow redirects #251

Closed (11 commits)


@TomSellers

This PR changes http.identify_404 so that it no longer follows HTTP redirects, which caused false positives and other unexpected behavior. The PR also changes calls to this function in certain scripts to be more standardized and return nil instead of false.

Context:

References:
https://nmap.org/nsedoc/lib/http.html#identify_404
https://svn.nmap.org/nmap/nselib/http.lua
http://seclists.org/nmap-dev/2015/q4/186

http.identify_404 is a function that can be used to determine how an HTTP server responds to unknown pages. It can be used, for example, to detect when an HTTP server responds 200 OK to everything, which can break a script if it is merely checking the status code when requesting something like /MyAppsSpecialPage.

http.identify_404 follows HTTP redirects, which may result in unexpected behavior. I noticed this while testing some changes to a script against an Ethernet switch that generates a 302 redirect response for any request to /. http.identify_404 follows the redirect and then the 'data' variable contains the results for the new location instead of the specific URL that the script was asking for. The identify_404 function has code to deal with redirects and other errors, but this won't be triggered if the call to http.get follows it first.

Relevant code is at line 2476 in nselib/http.lua:

```lua
function identify_404(host, port)
  local data
  local bad_responses = { 301, 302, 400, 401, 403, 499, 501, 503 }

  -- The URLs used to check 404s
  local URL_404_1 = '/nmaplowercheck' .. os.time(os.date('*t'))
  local URL_404_2 = '/NmapUpperCheck' .. os.time(os.date('*t'))
  local URL_404_3 = '/Nmap/folder/check' .. os.time(os.date('*t'))

  data = get(host, port, URL_404_1)
```

The key change is in the last line:

```lua
data = get(host, port, URL_404_1,{redirect_ok=false})
```

A review of the scripts where identify_404 is being used did not find any place where it looked like following redirects would be desirable.
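
The behavior described in this PR can be reproduced offline with the added example below, which is not part of the PR or of Nmap's code. It uses Python's urllib as a stand-in for http.get, and the local server, its /login target and the helper names are constructed assumptions modelled on the switch described above.

```python
import http.server, threading, time
import urllib.error, urllib.request
from urllib.parse import urlsplit

class RedirectAll(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the switch: 302 for everything except /login."""
    def do_GET(self):
        if self.path == "/login":
            body = b"<html>login</html>"
            self.send_response(200)
        else:
            body = b""
            self.send_response(302)
            self.send_header("Location", "/login")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; urllib then raises HTTPError for the 3xx

def probe(base, path, follow):
    """Return (status, path the response actually came from)."""
    handlers = [urllib.request.ProxyHandler({})]  # ignore proxy env vars
    if not follow:
        handlers.append(NoRedirect())
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(base + path, timeout=5) as resp:
            return resp.status, urlsplit(resp.url).path
    except urllib.error.HTTPError as err:
        return err.code, urlsplit(err.url).path

def run_demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), RedirectAll)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    path = "/nmaplowercheck%d" % int(time.time())  # same style as URL_404_1
    try:
        return path, probe(base, path, True), probe(base, path, False)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    path, followed, not_followed = run_demo()
    print("probe:", path, "followed:", followed, "not followed:", not_followed)
```

With redirects followed, the probe for a nonexistent path reports 200 from /login, so the server looks like it answers 200 to unknown pages; with redirects disabled, the 302 for the probed path itself is what the caller sees.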

@nmap-bot pushed a commit that closed this pull request Dec 5, 2015
tomsellers: NSE: Prevent http.identify_404 from following HTTP redirects, standardize calls to it. Closes #251
58f0032
@nmap-bot closed this in 58f0032 Dec 5, 2015
@TomSellers deleted the unknown repository branch Dec 5, 2015
@qha added a commit to qha/nmap that referenced this pull request Dec 16, 2015
tomsellers + qha: NSE: Prevent http.identify_404 from following HTTP redirects, standardize calls to it. Closes #251
b4c5c45