local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Finds out what options are supported by an HTTP server by sending an
OPTIONS request. Lists potentially risky methods. It tests those methods
not mentioned in the OPTIONS headers individually and sees if they are
implemented. Any output other than 501/405 suggests that the method is
enabled.

In this script, "potentially risky" methods are anything except GET,
HEAD, POST, and OPTIONS. If the script reports potentially risky
methods, they may not all be security risks, but you should check to
make sure. This page lists the dangers of some common methods:

http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29

The list of supported methods comes from the contents of the Allow and
Public header fields. In verbose mode, a list of all methods is printed,
followed by the list of potentially risky methods. Without verbose mode,
only the potentially risky methods are shown.
]]

---
-- @args url-path The path to request. Defaults to
-- <code>/</code>.
-- @args retest If defined, do a request using each method
-- individually and show the response code. Use of this argument can
-- make this script unsafe; for example <code>DELETE /</code> is
-- possible. All methods received through options are tested with generic
-- requests. Saved status lines are shown for rest.
-- @args test-all If set true tries all the unsafe methods as well.
-- @output
-- | http-methods: 
-- |   Supported Methods: GET HEAD OPTIONS PUT CONNECT TRACE
-- |   Potentially risky methods: PUT CONNECT TRACE
-- |   See http://nmap.org/nsedoc/scripts/http-methods.html
-- |   GET / -> HTTP/1.1 200 OK
-- |   HEAD / -> HTTP/1.1 200 OK
-- |   OPTIONS / -> HTTP/1.1 200 OK
-- |   PUT / -> HTTP/1.1 200 OK
-- |   CONNECT / -> HTTP/1.1 200 OK
-- |_  TRACE / -> HTTP/1.1 200 OK
--
-- @usage
-- nmap --script http-methods --script-args retest= true <target>
-- nmap --script http-methods --script-args url-path=/website <target>

author = "Bernd Stroessenreuther <berny1@users.sourceforge.net>"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"default", "safe"}

local function check_allowed(random_resp, response)
  if response.status == 405 or response.status == 501 then
    return false
  end
  if response.status < 600 and response.status >= 400 and response.status == random_resp.status then
    return false
  end
  return true
end
-- We don't report these methods except with verbosity.
local SAFE_METHODS = {
  "GET", "HEAD", "POST", "OPTIONS"
}

local UNSAFE_METHODS = {
"DELETE", "PUT", "CONNECT", "TRACE"
}

local filter_out, merge_headers

portrule = shortport.http

action = function(host, port)
  
  local url_path, retest_http_methods
  local response, methods, options_status_line
  local output = stdnse.output_table()
  local options_status = true

  -- default values for script-args
  url_path = stdnse.get_script_args(SCRIPT_NAME .. ".url-path") or "/"
  retest_http_methods = stdnse.get_script_args(SCRIPT_NAME .. ".retest") or false
  test_all_unsafe = stdnse.get_script_args(SCRIPT_NAME .. ".test-all") or false
  
  response = http.generic_request(host, port, "OPTIONS", url_path)
  if not response.status then
    options_status = false
    stdnse.debug1("OPTIONS %s failed.", url_path)
  end
  -- Cache in case retest is requested.
  if options_status then
    options_status_line = response["status-line"]
    stdnse.debug1("HTTP Status for OPTIONS is " .. response.status)
    if not(response.header["allow"] or response.header["public"]) then
      stdnse.debug1("No Allow or Public header in OPTIONS response (status code %d)", response.status)
    end
  end

  -- The Public header is defined in RFC 2068, but was removed in its
  -- successor RFC 2616. It is implemented by at least IIS 6.0.
  methods = merge_headers(response.header, {"Allow", "Public"})

  output = {}

  local to_test = {}
  local status_lines = {}

  for _, method in pairs(SAFE_METHODS) do
    if not stdnse.contains(methods, method) then
      table.insert(to_test, method)
    end
  end

  if test_all_unsafe then
    for _, method in pairs(UNSAFE_METHODS) do
      if not stdnse.contains(methods, method) then
        table.insert(to_test, method)
      end
    end
  end

  local random_resp = http.generic_request(host, port, stdnse.generate_random_string(4), url_path)
  stdnse.debug1("Response Code to Random Method is %d", random_resp.status or nil)
  for _, method in pairs(to_test) do
    response = http.generic_request(host, port, method, url_path)
    if response.status and check_allowed(random_resp, response) then
      stdnse.debug1("Method %s not in OPTIONS found to exist. STATUS %d", method, response.status)
      table.insert(methods, method)
      status_lines[method] = response['status-line']
    end
  end

  if nmap.verbosity() > 0 and #methods > 0 then
    table.insert(output, "Supported Methods: " .. stdnse.strjoin(" ", methods))
  end

  local interesting = filter_out(methods, SAFE_METHODS)
  if #interesting > 0 then
    table.insert(output, "Potentially risky methods: " .. stdnse.strjoin(" ", interesting))
    table.insert(output, "See http://nmap.org/nsedoc/scripts/http-methods.html")
  end

  -- retest http methods if requested
  if retest_http_methods then
    for _, method in ipairs(methods) do
      local str
      if method == "OPTIONS" then
        -- Use the saved value.
        str = options_status_line
      elseif stdnse.contains(to_test, method) then
        -- use the value saved earlier.
        str = status_lines[method] 
      else
        response = http.generic_request(host, port, method, url_path)
        if not response.status then
          str = "Error getting response"
        else
          str = response["status-line"]
        end
      end
      str = string.format("%s %s -> %s", method, url_path, str)
      table.insert(output, str:sub(1, str:find('\n') -1 ))
    end
  end
  if #output > 0 then return output else return nil end
end

function filter_out(t, filter)
  local result = {}
  local _, e, f
  for _, e in ipairs(t) do
    if not stdnse.contains(filter, e) then
      result[#result + 1] = e
    end
  end
  return result
end

-- Split header field contents on commas and return a table without duplicates.
function merge_headers(headers, names)
  local seen = {}
  local result = {}

  for _, name in ipairs(names) do
    name = string.lower(name)
    if headers[name] then
      for _, v in ipairs(stdnse.strsplit(",%s*", headers[name])) do
        if not seen[v] then
          result[#result + 1] = v
        end
        seen[v] = true
      end
    end
  end

  return result
end