NSE: http.identify_404 - change to not follow redirects #251

Closed. Wants to merge 11 commits.


This PR changes http.identify_404 so that it no longer follows HTTP redirects, which caused false positives and other unexpected behavior. The PR also changes calls to this function in certain scripts to be more standardized and return nil instead of false.

Context:

References:
https://nmap.org/nsedoc/lib/http.html#identify_404
https://svn.nmap.org/nmap/nselib/http.lua
http://seclists.org/nmap-dev/2015/q4/186

http.identify_404 is a function that can be used to determine how an HTTP server responds to unknown pages. It can be used, for example, to detect when an HTTP server responds 200 OK to everything, which can break a script if it is merely checking the status code when requesting something like /MyAppsSpecialPage.

http.identify_404 follows HTTP redirects, which may result in unexpected behavior. I noticed this while testing some changes to a script against an Ethernet switch that generates a 302 redirect response for any request to /. http.identify_404 follows the redirect and then the 'data' variable contains the results for the new location instead of the specific URL that the script was asking for. The identify_404 function has code to deal with redirects and other errors but this won't be triggered if the call to http.get follows it first.

Relevant code is at line 2476 in nselib/http.lua

function identify_404(host, port)
  local data
  local bad_responses = { 301, 302, 400, 401, 403, 499, 501, 503 }

  -- The URLs used to check 404s
  local URL_404_1 = '/nmaplowercheck' .. os.time(os.date('*t'))
  local URL_404_2 = '/NmapUpperCheck' .. os.time(os.date('*t'))
  local URL_404_3 = '/Nmap/folder/check' .. os.time(os.date('*t'))

  data = get(host, port, URL_404_1)

The key change is in the last line:

data = get(host, port, URL_404_1,{redirect_ok=false})

A review of the scripts where identify_404 is being used did not find any place where it looked like following redirects would be desirable.

@nmap-bot nmap-bot closed this in 58f0032 Dec 5, 2015

@TomSellers TomSellers deleted the TomSellers:nse/http-redirect-issue branch Dec 5, 2015

qha added a commit to qha/nmap that referenced this pull request Dec 16, 2015
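
The calling pattern the PR description refers to, as an added example that is not code from this PR or from the Nmap project: a minimal NSE script that baselines the server with http.identify_404, returns nil when the baseline fails, and fetches its own page without following redirects so both responses are compared on the same terms. The script purpose and the path `/MyAppsSpecialPage` (borrowed from the description above as a placeholder) are assumptions.

```lua
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Example only: reports whether a single application page exists, using
http.identify_404 to avoid false positives on servers that never send 404.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.http

-- Hypothetical page to look for (placeholder taken from the PR text).
local PATH = "/MyAppsSpecialPage"

action = function(host, port)
  -- Baseline: how does this server answer a page that cannot exist?
  -- status_404 is false when the probe itself failed; result_404 is then
  -- an error string, otherwise the status code the server uses for
  -- unknown pages. known_404 is the body to compare against when that
  -- code is 200.
  local status_404, result_404, known_404 = http.identify_404(host, port)
  if not status_404 then
    stdnse.debug1("identify_404 failed: %s", tostring(result_404))
    return nil -- no output at all, rather than false
  end

  -- Assumption of this example: request the real page with redirects
  -- disabled too, so a blanket 302 is seen as a 302 and not as the
  -- 200 of whatever page the redirect points to.
  local response = http.get(host, port, PATH, { redirect_ok = false })
  if not response or not response.status then
    stdnse.debug1("no usable response for %s", PATH)
    return nil
  end

  -- page_exists weighs the response against the baseline: a 200 counts
  -- only if unknown pages do not also return 200 with the same body,
  -- and a redirect or error status is not reported as a hit.
  if http.page_exists(response, result_404, known_404, PATH, false) then
    return ("%s exists (HTTP %d)"):format(PATH, response.status)
  end
  return nil
end
```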
