Nmap NSE net: http-methods

2011-06-01T00:00:00
ID OPENVAS:104075
Type openvas
Reporter NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH
Modified 2017-03-06T00:00:00

Description

Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. Optionally tests each method individually to see if they are subject to e.g. IP address restrictions.

In this script, 'potentially risky' methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure. This page lists the dangers of some common methods:

http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29

The list of supported methods comes from the contents of the Allow and Public header fields. In verbose mode, a list of all methods is printed, followed by the list of potentially risky methods. Without verbose mode, only the potentially risky methods are shown.

SYNTAX:

http-methods.url-path: The path to request. Defaults to '/'.

http.useragent: The value of the User-Agent header field sent with requests. By default it is ''Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)''. A value of the empty string disables sending the User-Agent header field.

http-methods.retest: If defined, do a request using each method individually and show the response code. Use of this argument can make this script unsafe; for example 'DELETE /' is possible.

http-max-cache-size: The maximum memory size (in bytes) of the cache.

http.pipeline: If set, it represents the number of HTTP requests that'll be pipelined (ie, sent in a single request). This can be set low to make debugging easier, or it can be set high to test how a server reacts (its chosen max is ignored).

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_nmap_http_methods_net.nasl 5499 2017-03-06 13:06:09Z teissa $
#
# Autogenerated NSE wrapper
#
# Authors:
# NSE-Script: Bernd Stroessenreuther <berny1@users.sourceforge.net>
# NASL-Wrapper: autogenerated
#
# Copyright:
# NSE-Script: The Nmap Security Scanner (http://nmap.org)
# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_summary = "Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists
potentially risky methods. Optionally tests each method individually to see if they are subject to
e.g. IP address restrictions.

In this script, 'potentially risky' methods are anything except GET, HEAD, POST, and OPTIONS. If the
script reports potentially risky methods, they may not all be security risks, but you should check
to make sure. This page lists the dangers of some common methods:

http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29

The list of supported methods comes from the contents of the Allow and Public header fields. In
verbose mode, a list of all methods is printed, followed by the list of potentially risky methods.
Without verbose mode, only the potentially risky methods are shown.


SYNTAX:

http-methods.url-path:  The path to request. Defaults to
'/'.


http.useragent:  The value of the User-Agent header field sent with
requests. By default it is
''Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)''.
A value of the empty string disables sending the User-Agent header field.



http-methods.retest:  If defined, do a request using each method
individually and show the response code. Use of this argument can
make this script unsafe; for example 'DELETE /' is
possible.



http-max-cache-size:  The maximum memory size (in bytes) of the cache.



http.pipeline:  If set, it represents the number of HTTP requests that'll be
pipelined (ie, sent in a single request). This can be set low to make
debugging easier, or it can be set high to test how a server reacts (its
chosen max is ignored).";

if(description)
{
    script_id(104075);
    script_version("$Revision: 5499 $");
    script_tag(name:"last_modification", value:"$Date: 2017-03-06 14:06:09 +0100 (Mon, 06 Mar 2017) $");
    script_tag(name:"creation_date", value:"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)");
    script_tag(name:"cvss_base", value:"0.0");
    script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
    script_name("Nmap NSE net: http-methods");


    script_category(ACT_INIT);
    script_tag(name:"qod_type", value:"remote_analysis");
    script_copyright("NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH");
    script_family("Nmap NSE net");
    script_dependencies("nmap_nse_net.nasl");
    script_mandatory_keys("Tools/Launch/nmap_nse_net");

    script_add_preference(name:"http-methods.url-path", value:"", type:"entry");
    script_add_preference(name:"http.useragent", value:"", type:"entry");
    script_add_preference(name:"http-methods.retest", value:"", type:"entry");
    script_add_preference(name:"http-max-cache-size", value:"", type:"entry");
    script_add_preference(name:"http.pipeline", value:"", type:"entry");

    script_tag(name : "summary" , value : tag_summary);
    exit(0);
}


include("nmap.inc");


phase = 0;
if (defined_func("scan_phase")) {
    phase = scan_phase();
}

if (phase == 1) {
    # Get the preferences
    argv = make_array();

    pref = script_get_preference("http-methods.url-path");
    if (!isnull(pref) && pref != "") {
        argv["http-methods.url-path"] = string('"', pref, '"');
    }
    pref = script_get_preference("http.useragent");
    if (!isnull(pref) && pref != "") {
        argv["http.useragent"] = string('"', pref, '"');
    }
    pref = script_get_preference("http-methods.retest");
    if (!isnull(pref) && pref != "") {
        argv["http-methods.retest"] = string('"', pref, '"');
    }
    pref = script_get_preference("http-max-cache-size");
    if (!isnull(pref) && pref != "") {
        argv["http-max-cache-size"] = string('"', pref, '"');
    }
    pref = script_get_preference("http.pipeline");
    if (!isnull(pref) && pref != "") {
        argv["http.pipeline"] = string('"', pref, '"');
    }
    nmap_nse_register(script:"http-methods", args:argv);
} else if (phase == 2) {
    res = nmap_nse_get_results(script:"http-methods");
    foreach portspec (keys(res)) {
        output_banner = 'Result found by Nmap Security Scanner (http-methods.nse) http://nmap.org:\n\n';
        if (portspec == "0") {
            log_message(data:output_banner + res[portspec], port:0);
        } else {
            v = split(portspec, sep:"/", keep:0);
            proto = v[0];
            port = v[1];
            log_message(data:output_banner + res[portspec], port:port, protocol:proto);
        }
    }
}