#VERSION,1.03
#LASTMOD,01.22.2003
# HTTP Options check
# see RFC 2626 for info...

# This software is distributed under the terms of the GPL, which should have been received
# with a copy of this software in the "LICENSE.txt" file.

# this just gets the options & checks 'em out.

sub nikto_httpoptions
{
 (my $RES , $CONTENT) = fetch("/","OPTIONS");

 $NIKTO{methods}=$result{allow};
 
 # proxy can impose it's methods... need to actually check this not just warn
 my $TXT="";
 if ($SERVER{useproxy} ne "") { $TXT="(May be proxy's methods, not server's)"; }

 if ($NIKTO{methods} ne "")
    { fprint("+ Allowed HTTP Methods: $NIKTO{methods} $TXT\n"); }

 # now the warnings...
 if ($NIKTO{methods} =~ /put/i) 
    { fprint("+ HTTP method 'PUT' method may allow clients to save files on the web server.\n"); }

 if ($NIKTO{methods} =~ /connect/i) 
    { fprint("+ HTTP method 'CONNECT' may allow server to proxy client requests.\n"); }

 if ($NIKTO{methods} =~ /delete/i) 
    { fprint("+ HTTP method 'DELETE' may allow clients to remove files on the web server.\n"); }

 if ($NIKTO{methods} =~ /propfind/i) 
    { fprint("+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may allow DAV authorized users to consume system memory via large requests or fill disk quotas.\n"); }

 if ($NIKTO{methods} =~ /proppatch/i) 
    { fprint("+ HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed. This may allow DAV authorized users to consume system memory via large requests or fill disk quotas.\n"); }
    
 if ($NIKTO{methods} =~ /trace/i) 
    { fprint("+ HTTP method 'TRACE' may allow client XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details.\n"); }
 
 if ($NIKTO{methods} =~ /track/i) 
    { fprint("+ HTTP method 'TRACK' ('TRACE' alias) may allow client XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details.\n"); }

}

1;