While writing my own Nmap Scripting Engine (NSE) script with Nmap version 6.25, I stumbled upon a bug in the nselib/http.lua library. It shows up when an HTTPS website has 301 redirect rules that redirect to the same HTTPS site but a different folder or format. After a lot of searching the interwebs I finally found someone with the same issue! They discovered that Nmap was adding the port number to the Host header whenever HTTPS/SSL was involved. Because some HTTPS redirect rules don't expect this, they keep redirecting the already-redirected URL in a loop, so Nmap never reaches the proper redirected URL.
To fix the issue, Patrick Karlsson posted a small patch to the gargantuan http.lua library (note: the .lua download is at the bottom of this article).
@@ -1106,7 +1106,7 @@ local mod_options = { header = { Connection = "close", - Host = get_host_field(host, port), + Host = stdnse.get_hostname(host), ["User-Agent"] = USER_AGENT } }
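Review bot: replacing get_host_field(host, port) with stdnse.get_hostname(host) drops the port from the Host header unconditionally, so a site served on a non-default port (for example 8443) will now be asked for as a bare hostname, which name-based virtual host rules may not match. Consider keeping the port when it is not the scheme default (80 for http, 443 for https) and omitting it only for the default port, e.g. a small helper that returns stdnse.get_hostname(host) alone for port 443 over SSL and hostname .. ":" .. port.number otherwise; that fixes the redirect loop described in the post without changing behaviour for non-default ports.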
As you can see, this micro-patch replaces only one line, but it gets the job done! Attached to this post you'll find the actual http.lua.patch file, which can be applied by running: patch <path to nmap>/nselib/http.lua < http.lua.patch
Nmap’s Linux path can generally be found at /usr/local/share/nmap/ or /usr/share/nmap/.
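To make the loop concrete, here is an added Python illustration (not Nmap's code, and not from the post) that simulates a server redirect rule matching on the Host header and follows redirects with the pre-patch and post-patch Host formation; the hostname, the redirect rule and the hop limit are constructed, and the third variant goes beyond the patch by dropping the port only when it is the scheme's default.

```python
from urllib.parse import urlsplit

MAX_REDIRECTS = 5  # constructed hop limit for the simulated client


def buggy_host_field(hostname, port, ssl):
    """Pre-patch behaviour described in the post: the port is appended when SSL is used."""
    return "%s:%d" % (hostname, port) if ssl else hostname


def patched_host_field(hostname, port, ssl):
    """Post-patch behaviour: just the hostname, as stdnse.get_hostname(host) returns."""
    return hostname


def default_port_host_field(hostname, port, ssl):
    """Generalisation (assumption, not the patch): omit the port only when it is the default."""
    default = 443 if ssl else 80
    return hostname if port == default else "%s:%d" % (hostname, port)


def redirect_rule(host_header, path):
    """Constructed stand-in for the site's 301 rule: canonicalise any request whose
    Host header is not exactly 'www.example.com' or whose path is outside /app/,
    always redirecting to the same HTTPS site (the situation the post describes)."""
    if host_header != "www.example.com" or not path.startswith("/app/"):
        return 301, "https://www.example.com/app/"
    return 200, None


def fetch(url, host_field, max_redirects=MAX_REDIRECTS):
    """Follow redirects like a naive client; return (status, final_url, hops).
    status is None when the redirect limit is exhausted, i.e. a loop was detected."""
    hops = 0
    for hops in range(max_redirects + 1):
        parts = urlsplit(url)
        ssl = parts.scheme == "https"
        port = parts.port or (443 if ssl else 80)
        host_header = host_field(parts.hostname, port, ssl)
        status, location = redirect_rule(host_header, parts.path or "/")
        if status != 301:
            return status, url, hops
        url = location
    return None, url, hops


if __name__ == "__main__":
    print("buggy:  ", fetch("https://www.example.com/", buggy_host_field))
    print("patched:", fetch("https://www.example.com/", patched_host_field))
```

With the buggy Host header the client never escapes the 301 loop, while the patched form reaches /app/ after a single hop.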