New script-arg http.host to force a particular Host header. Closes nm…

…ap#1251
rapid7 · Jul 12, 2018 · 5318e42 · 5318e42
1 parent e16b6bf
commit 5318e42
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,8 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE][GH#1251] New script-arg `http.host` allows users to force a particular
+  value for the Host header in all HTTP requests.
+
 o [NSE][GH#1258] Use smtp.domain script arg or target's domain name instead of
   "example.com" in EHLO command used for STARTTLS. [gwire]
 

diff --git a/nselib/http.lua b/nselib/http.lua
@@ -102,6 +102,10 @@
 -- that should be pipelined. Defaults to <code>http.pipeline</code> (if set), or to what
 -- <code>getPipelineMax</code> function returns.
 --
+-- @args http.host The value to use in the Host header of all requests unless
+-- otherwise set. By default, the Host header uses the output of
+-- <code>stdnse.get_hostname()</code>.
+
 -- TODO
 -- Implement cache system for http pipelines
 --
@@ -130,6 +134,7 @@ _ENV = stdnse.module("http", stdnse.seeall)
 local have_ssl, openssl = pcall(require,'openssl')
 
 USER_AGENT = stdnse.get_script_args('http.useragent') or "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
+local host_header = stdnse.get_script_args('http.host')
 local MAX_REDIRECT_COUNT = 5
 
 -- Recursively copy a table.
@@ -166,6 +171,7 @@ local get_default_port = url.get_default_port
 --- Get a value suitable for the Host header field.
 -- See RFC 2616 sections 14.23 and 5.2.
 local function get_host_field(host, port)
+  if host_header then return host_header end
   if not host then return nil end
   if type(port) == "number" then
     port = {number=port, protocol="tcp", state="open", version={}}