Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Sponsors


File http-method-tamper

Script types: portrule
Categories: auth, vuln
Download: http://nmap.org/svn/scripts/http-method-tamper.nse

User Summary

Attempts to bypass password protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password protected resource that it finds.

The script determines if the protected URI is vulnerable by performing HTTP verb tampering and monitoring the status codes. First, it uses a HEAD request, then a POST request and finally a random generated string ( This last one is useful when web servers treat unknown request methods as a GET request. This is the case for PHP servers ).

If the table paths is set, it will attempt to access the given URIs. Otherwise, a web crawler is initiated to try to find protected resources. Note that in a PHP environment with .htaccess files you need to specify a path to a file rather than a directory to find misconfigured .htaccess files.

References:

Script Arguments

http-method-tamper.timeout

Web crawler timeout. Default: 10s

http-method-tamper.uri

Base URI to crawl. Not applicable if http-method-tamper.paths is set.

http-method-tamper.paths

Array of paths to check. If not set, the script will crawl the web server.

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost

See the documentation for the httpspider library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.showall

See the documentation for the vulns library.

Example Usage

  • nmap -sV --script http-method-tamper <target>
  • nmap -p80 --script http-method-tamper --script-args 'http-method-tamper.paths={/protected/db.php,/protected/index.php}' <target>
    

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-method-tamper:
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|     Description:
|       This web server contains password protected resources vulnerable to authentication bypass
|       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
|        common HTTP methods and in misconfigured .htaccess files.
|
|     Extra information:
|
|   URIs suspected to be vulnerable to HTTP verb tampering:
|     /method-tamper/protected/pass.txt [POST]
|
|     References:
|       http://www.imperva.com/resources/glossary/http_verb_tampering.html
|       http://www.mkit.com.ar/labs/htexploit/
|       http://capec.mitre.org/data/definitions/274.html
|_      https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29

Requires


Author: Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See http://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault