Problems with 302 Redirects

[at-ACOnet-CERT]

Hi, thank you for the fine .nse, we're getting tons of results already. As we are scanning based on ip addresses, an issue comes up everytime a web server redirects the request to it's domain name. Here's what happens (IP address redacted, obvioulsy):

/usr/local/bin/nmap -Pn --host-timeout 30s -n --script support/http-vuln-exchange.nse -p 443 -d 256.257.258.259 gives

[...]
NSE: http-vuln-exchange against 256.257.258.259:443 threw an error!
support/http-vuln-exchange.nse:131: attempt to concatenate field 'location' (a table value)
stack traceback:
        support/http-vuln-exchange.nse:121: in function <support/http-vuln-exchange.nse:115>
        (...tail calls...)
[...]

I'm completely new to .nse and lua, but as far as I understand it, there are actually two problems here:

1. The default redirect_ok-script isn't fine with a redirect from ip address to fqdn (that's how I read the docs), thus http.get() returns an answer with status 302 instead of chasing the redirect
2. The concatenation fails because answer.location is a table, not a string

I'd like to propose a patch that seems to fix the problem for me.

/!\ Be aware that this version, after chasing the redirects, might end up on another machine than the one originally called.

*** /home/acocert/lib/http-vuln-exchange.nse    2021-03-05 14:48:51.000000000 +0100
--- support/http-vuln-exchange.nse      2021-03-05 17:03:58.000000000 +0100
***************
*** 112,124 ****
    end
  end
  
  action = function(host, port)
    local dis_count, noun
!   options = {header={}}    options['header']['User-Agent'] = "Mozilla/5.0 (Exchange check)"
    local answer = http.get(host, port, "/owa", options )
  
    if answer.status == 302 then
!     return "Error 302 " .. answer.location
    elseif answer.status ~= 200 then
      return "Error " .. tostring(answer.status) .. " for /owa"
    end
--- 112,133 ----
    end
  end
  
+ redirect_ok = function(host,port)
+      local c = 3
+      return function(url)
+        if ( c==0 ) then return false end
+        c = c - 1
+        return true
+      end
+    end
+ 
  action = function(host, port)
    local dis_count, noun
!   options = {header={}, redirect_ok=redirect_ok}    options['header']['User-Agent'] = "Mozilla/5.0 (Exchange check)"
    local answer = http.get(host, port, "/owa", options )
  
    if answer.status == 302 then
!     return "Error 302 " .. answer.location[1]
    elseif answer.status ~= 200 then
      return "Error " .. tostring(answer.status) .. " for /owa"
    end

Credits: redirect_ok is blatantly stolen from https://github.com/nmap/nmap/blob/master/nselib/http.lua

[nider]

@at-ACOnet-CERT I'm curious what the other values of the array/table are for those cases where you've been redirected from IP to FQDN? cf. my further comments regarding redirects in #8