Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Sponsors


File http-methods

Script types: portrule
Categories: default, safe
Download: http://nmap.org/svn/scripts/http-methods.nse

User Summary

Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. Optionally tests each method individually to see if they are subject to e.g. IP address restrictions.

In this script, "potentially risky" methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure. This page lists the dangers of some common methods:

http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29

The list of supported methods comes from the contents of the Allow and Public header fields. In verbose mode, a list of all methods is printed, followed by the list of potentially risky methods. Without verbose mode, only the potentially risky methods are shown.

Script Arguments

http-methods.retest

If defined, do a request using each method individually and show the response code. Use of this argument can make this script unsafe; for example DELETE / is possible.

http-methods.url-path

The path to request. Defaults to /.

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

unittest.run

See the documentation for the unittest library.

Example Usage

nmap --script=http-methods.nse --script-args http-methods.retest=1 <target>
nmap --script=http-methods.nse --script-args http-methods.url-path=/website <target>

Script Output

80/tcp open  http
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
| See http://nmap.org/nsedoc/scripts/http-methods.html
| GET / -> HTTP/1.1 200 OK
| HEAD / -> HTTP/1.1 200 OK
| POST / -> HTTP/1.1 200 OK
| OPTIONS / -> HTTP/1.1 200 OK
|_TRACE / -> HTTP/1.1 200 OK

Requires


Author: Bernd Stroessenreuther <berny1@users.sourceforge.net>

License: Same as Nmap--See http://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]