CLI tools helping to forge HTTP smuggling attacks and others

Overview

HTTPCustomHouse

(httpcustomhouse)
Analyze smuggled requests without interacting with the remote server.

(httpoverride)
Manipulate raw HTTP requests to sharpen the attack.

(httpclient)
Send raw HTTP requests to perform the attack.

👁️ • 🔨 • 📬

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests. The aim here is to perform request smuggling from the command line. It can't totally replace Burp Suite (or another GUI) but it proposes another approach, with more CLI. In order to offer a fully CLI experience while manipulating HTTP packets, these tools can be used with httpecho, which helps construct raw HTTP requests.

Why that?

  • To learn
  • Being able to solve challenges from the CLI enables us to script the resolution, automate the exploit, etc.
  • curl, the Go HTTP client, ncat and openssl s_client aren't fully satisfying, especially when dealing with "malformed" HTTP requests


Usage

👁️ httpcustomhouse

> allows you to reproduce HTTP request processing without interacting with an online server

Show the corresponding request as treated by a server that relies on the Content-Length header:

cat samples/te.cl | httpcustomhouse -cl

If the Content-Length is larger than the body size, the number of remaining bytes will be echoed.

Show the corresponding request as treated by a server that relies on chunked encoding:

cat samples/cl.te | httpcustomhouse -te

Show the residue of the request that has not been treated (on stderr):

cat samples/cl.te | httpcustomhouse -te -r
# -r (or --residue) works also for -cl

Demo (image): Visualize TE.CL

🔨 httpoverride

> helps to modify an HTTP request

Override/modify a header of an HTTP request:

cat [raw_request] | httpoverride -H "Content-Length:55" -A "Host: spoofed.com"
# -A add header, -H override header

Remove a header from an HTTP request:

cat [raw_request] | httpoverride -H "Accept:" # or -H "Accept"

📬 httpclient

> transmits an HTTP request to a server (HTTP client)

Send a raw HTTP request:

httpclient [protocol]:[url]:[port]  # port is optional: https -> 443, http -> 80

Install

# From Release (curl -L follows the GitHub redirect, -O keeps the remote file name):
curl -LO https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpcustomhouse && chmod +x httpcustomhouse
curl -LO https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpoverride && chmod +x httpoverride
curl -LO https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpclient && chmod +x httpclient
# With go:
go install github.com/ariary/HTTPCustomHouse/cmd/httpcustomhouse@latest
go install github.com/ariary/HTTPCustomHouse/cmd/httpclient@latest
go install github.com/ariary/HTTPCustomHouse/cmd/httpoverride@latest

"HTTP Request Smuggling": what is it?

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests. It was discovered in 2005 and repopularized by PortSwigger's research.

It happens when users send requests to a front-end server (load balancer or reverse proxy) and this server forwards the requests to one or more back-end servers.

When the front-end server forwards HTTP requests to a back-end server, it typically sends several requests over the same back-end network connection (efficient and performant). The protocol is very simple: HTTP requests are sent one after another, and the receiving server parses the HTTP request headers to determine where one request ends and the next one begins. HTTP request smuggling consists of luring the back-end server in its HTTP request parsing so that requests get interpreted differently by the front-end and back-end systems (they fail to agree on where requests begin and end).

There are 3 possibilities:

  • CL.TE: the front end uses the Content-Length header and the back end uses Transfer-Encoding
  • TE.CL: the front end uses Transfer-Encoding, the back end uses Content-Length (fake Content-Length)
  • TE.TE: both servers use Transfer-Encoding but one of them can be induced not to process it by obfuscating the header in some way

Building an HTTP request

As httpcustomhouse uses raw HTTP requests as input, you need to be able to construct them. There are several ways:

  • Intercept the request with Burp or mitmproxy and save it to a file
  • Use curl and an HTTP echo server to see the sent request and save it to a file (SUGGESTED)
  • Take inspiration from the templates present in the samples directory

⚠️ : It is important to embed the \r character and other special characters in your request file. Editing the request with an editor could strip them; use cat -A to see them. For example, in chunked encoding the final 0 must be followed by \r\n\r\n.
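The offline analysis that httpcustomhouse -cl and -te perform (usage section above) and the \r\n\r\n caveat just stated, as an added example that is not part of HTTPCustomHouse: a small Python analyser that computes, from one raw request, what a Content-Length parser and a chunked parser each consume, the residue each leaves on the connection, and whether the two views agree; it rejects a chunked body whose final 0 is not followed by \r\n\r\n. The sample request is constructed here, not taken from the project's samples directory.

```python
# Added example, not part of HTTPCustomHouse: reproduce offline what
# `httpcustomhouse -cl` and `httpcustomhouse -te` show for one raw request,
# i.e. what a Content-Length parser and a chunked parser each consume.

def split_request(raw: bytes):
    """Split raw request at CRLFCRLF into (head, lowercased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF header terminator (check the file with cat -A)")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return head, headers, body

def cl_view(raw: bytes):
    """(request as a Content-Length parser sees it, residue, bytes still awaited)."""
    head, headers, body = split_request(raw)
    cl = int(headers.get(b"content-length", b"0"))
    if cl > len(body):
        return raw, b"", cl - len(body)           # server keeps reading, no residue yet
    return head + b"\r\n\r\n" + body[:cl], body[cl:], 0

def te_view(raw: bytes):
    """(request as a chunked parser sees it, residue); raises on a malformed body."""
    head, _, body = split_request(raw)
    pos, size = 0, -1
    while size != 0:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2 + size                            # skip size line and chunk data
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data (or the final 0) not followed by CRLF")
        pos += 2
    return head + b"\r\n\r\n" + body[:pos], body[pos:]

def views_agree(raw: bytes) -> bool:
    """True when both parsers consume exactly the same bytes (no desync)."""
    cl_req, cl_res, _ = cl_view(raw)
    te_req, te_res = te_view(raw)
    return cl_req == te_req and cl_res == te_res

# Constructed sample (not from the project's samples directory): CL covers the
# whole body, but a chunked parser stops after "0\r\n\r\n" and leaves "G" behind.
SAMPLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
```

A non-empty residue from one view while the other view consumed everything is exactly the disagreement a front-end/back-end pair must never have; run the same check over your own request files before sending them.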

Use an echo server

First, set up an echo server:

httpecho -d raw
# will save the request in the "raw" file

Then make your curl request specifying your echo server as a proxy (the request won't reach the end server):

curl --proxy http://localhost:[port] ...REQUEST...

Alternatives

Socat

Serves continuously + shows the \r characters.

The one-liner:

socat -v -v TCP-LISTEN:8888,crlf,reuseaddr,fork SYSTEM:"echo HTTP/1.0 200; echo Content-Type\: text/plain; echo; cat"

netcat

Serves 1 request + saves it to a file.

The one-liner:

nc -lp 8888 -c "tee myfile"
## or nc -nlvp 8888 > myfile  2>/dev/null &

Send a raw HTTP request

As we deal with raw HTTP requests, we must be able to send them. httpclient is the equivalent of curl for raw requests.

Why?

  • curl and the Go HTTP client rewrite the HTTP request (not satisfying for web pentesting in general)
  • ncat and openssl s_client aren't fully satisfying either

cat [raw_request] | httpclient https://[URL]:[PORT]

Alternatives

When your request is good, send it:

cat [raw_request] | openssl s_client -ign_eof -connect [target_url]:443
# or use ncat from the nmap package
cat [raw_request] | ncat --ssl [target_url] 443
# or if the target does not use TLS/SSL
cat [raw_request] | nc -q 5 [target_url] 80 # or -w 5

Comments

  • Feature: set cookie for redirection (enhancement, opened by ariary)

    https://cs.opensource.google/go/go/+/refs/tags/go1.17.7:src/net/http/request.go%3Bl=434
    https://golang.hotexamples.com/examples/net.http/Response/Cookies/golang-response-cookies-method-examples.html
    And http.Response.Cookie()

  • Feature: request in browser with cookie & headers (enhancement, opened by ariary)

    Propose a mechanism that enables the -B option with cookies, because in certain cases scripts, images are only available with specific cookies or others.

    Also, if we click on a link it will not proceed the request with the original cookie.

    To make it work, use a proxy that will forward all requests to the end server (with the original headers and the same path) and then forward back the response.

    cf. proxyHandler in cmd/httpclient/main.go

  • Feature: request in browser (enhancement, opened by ariary)

    Have a tool to perform the request in the browser:

    cat raw | http2browser
    >>> url to paste in browser

    Launch a local server. The server performs the request when reached and echoes the output.

    Take into account that all hrefs or redirections need to be prefixed by the real URL.

    (maybe if the path differs from /[random_number] you perform the request to the URL with the same path)

    • Proxy to URL with headers
    • 1 first request with header meta modifying URL

  • Feature: follow code 302 (enhancement, opened by ariary)

    With an option -L, enable the user to follow redirects:

    • Find the Location header (the address itself can be either absolute or relative)
    • Search for the Set-Cookie header to perform the redirect request with

    By default perform the request w/ the same cookie.

    Extra Notes

    https://everything.curl.dev/http/redirects

    Example of response:

    HTTP/1.1 302 Found
    Location: /admin
    Set-Cookie: session=frferfreferqferferfgerfe; Secure; HttpOnly; SameSite=None
    Connection: close
    Content-Length: 0

    How to make Curl follow redirects? To follow redirects with Curl, use the -L or --location command-line option. This flag tells Curl to resend the request to the new address. When you send a POST request, and the server responds with one of the codes 301, 302, or 303, Curl will make the subsequent request using the GET method. For other 300x status codes, Curl will resend the subsequent request using the same unmodified HTTP method. This behavior can be changed using one of the --post301, --post302, or --post303 flags. When authentication is used, Curl only sends its credentials to the first host. If Curl goes to a different host when redirecting, it will not provide user credentials to the new host (you can change this behavior with the --location-trusted flag). To limit the number of followed redirects, you can use the --max-redirs command-line option.
Releases: v2.0.2

Owner: Ariary (Security Engineer naively hoping that his technical background will one day be more effective than social engineering)