While creating my own Nmap Script Engine script (NSE) using Nmap version 6.25 I stumbled upon a bug in the nselib/http.lua library.  This bug is seen when an HTTPS website has some 301 redirect rules which redirects to the same HTTPS site but a different folder/format.  After a lot of searching the interwebs I finally found someone with the same issue!  They discovered that Nmap was adding in the port number to the host header when HTTPS/SSL was involved.  Because some HTTPS redirect rules don’t expect this they continue to redirect the redirected URL into a loop to which Nmap never successfully reaches the proper redirected URL.

To fix the issue, Patrick Karlsson posted a small patch to the gargantuan http.lua library (note: the .lua download is at the bottom of this article).

@@ -1106,7 +1106,7 @@
   local mod_options = {
     header = {
       Connection = "close",
-      Host = get_host_field(host, port),
+      Host = stdnse.get_hostname(host),
       ["User-Agent"]  = USER_AGENT
     }
   }

As you can see, this micro-patch only replaces one line, but it gets the job done!  Attached to this post you’ll find the actual http.lua.patch file that can be applied by executing patch <path to nmap>/nselib/http.lua < http.lua.patch

Nmap’s Linux path can generally be found at /usr/local/share/nmap/ or /usr/share/nmap/.

Link to http.lua.patch

Pin It on Pinterest

Share This