Repository: irsdl/httpninja
Branch: master
Commit: bddcd6e95089
Files: 17
Total size: 96.2 KB
Directory structure:
gitextract_ltas8x4h/
├── .github/
│ └── FUNDING.yml
├── Generic Codes/
│ └── web_request_socket.py
├── LICENSE
├── README.md
├── Results_v0.1.xlsx
├── Sample Pages/
│ ├── sample.asp
│ ├── sample.aspx
│ ├── sample.jsp
│ ├── sample.php
│ └── sample.py
└── Testing/
├── HTTPRequestHolder.py
├── box_definition.py
├── config.py
├── run.py
├── testcase_definition.py
├── testcase_mutation.py
└── web_request_socket.py
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/FUNDING.yml
================================================
# These are supported funding model platforms
github: irsdl # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
patreon: # Replace with a single Patreon username
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: # Replace with a single Liberapay username
issuehunt: # Replace with a single IssueHunt username
otechie: # Replace with a single Otechie username
lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
================================================
FILE: Generic Codes/web_request_socket.py
================================================
#!/usr/bin/python
import re
import socket
import urlparse
import ssl
import urllib
import time
# See HTTPPipelineTest() for a simple usage
# Example:
# RequestObject('POST', 'https://soroush.secproject.com/?q1=q2','var=val',{'cookie':'x=2;r=5','connection':'close','Content-Type': 'application/x-www-form-urlencoded'}, True)
class RequestObject(object):
url = ''
_path = ''
_CRLF = '\r\n'
qs = ''
cookie = ''
body = ''
headers = None
autoContentLength = True
autoHOSTHeader = True
useAbsolutePath = False
isSSL = False
HTTPVersion = ''
targetName = ''
targetPort = ''
targetProtocol = ''
# The class "constructor" - It's actually an initializer
def __init__(self, method='GET', url='', body='', headers={}, autoContentLength=True, autoHOSTHeader=True, useAbsolutePath=False, HTTPVersion='HTTP/1.1'):
self.method = method
self.url = url
self.body = body
self.headers = headers
self.autoContentLength = autoContentLength
self.autoHOSTHeader = autoHOSTHeader
self.useAbsolutePath = useAbsolutePath
self.HTTPVersion = HTTPVersion
self._setParams()
def _setParams(self):
parsedURL = urlparse.urlparse(self.url)
# setting the path
if self.useAbsolutePath == True:
self._path = self.url
else:
self._path = parsedURL.path
self.qs = parsedURL.query
if self._path == '':
self._path = '/'
# fix the body if it is in dict format
if isinstance(self.body,dict):
self.body = urllib.urlencode(self.body)
# set other necessary parameters
self.targetName = parsedURL.hostname
self.targetPort = parsedURL.port
self.targetProtocol = (parsedURL.scheme).lower()
if self.targetProtocol == 'https':
self.isSSL = True
if self.targetPort == None: self.targetPort = 443
elif self.targetPort == None:
self.targetPort = 80
def rawRequest(self):
self._setParams()
#building the raw request
queryString = ''
hostHeader = ''
contentLengthHeader = ''
incomingHeaders = ''
if self.autoHOSTHeader:
hostHeader = self._CRLF + "Host: " + self.targetName + self._CRLF
if self.headers != None and len(self.headers)>0:
for key, value in self.headers.iteritems():
incomingHeaders = incomingHeaders + str(key) + ": " + str(value) + self._CRLF
if incomingHeaders.endswith(self._CRLF):
incomingHeaders = incomingHeaders[:-2]
if self.autoContentLength:
contentLengthHeader = self._CRLF + "Content-Length: " + str(len(self.body))
if self.qs != '':
queryString = '?' + self.qs
httpdata = self.method + " " + self._path + queryString + " " + self.HTTPVersion + hostHeader + incomingHeaders + \
contentLengthHeader + self._CRLF + self._CRLF + self.body
return httpdata
def SendHTTPRequestBySocket(rawHTTPRequest = '', targetName='127.0.0.1', targetPort=80, isSSL = False, timeout=1,
includeTimeoutErr=False, isRateLimited=False, sendInitialChars=0, sendBodyCharRate=1, delayInBetween=0.2):
if len(rawHTTPRequest) == 0: return
# create an INET, STREAMing socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if isSSL:
s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1) # Perhaps this needs to be changed when other protocols should be used
s.settimeout(timeout)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.connect((targetName, targetPort))
# s.send(unicode(rawHTTPRequest, 'utf-8'))
if isRateLimited is False or sendBodyCharRate <= 0 or sendBodyCharRate <= 0 or delayInBetween < 0:
s.send(rawHTTPRequest)
else:
if sendInitialChars > 0:
s.send(rawHTTPRequest[:sendInitialChars])
rawHTTPRequest = rawHTTPRequest[sendInitialChars:]
for i in range(0, len(rawHTTPRequest), sendBodyCharRate):
time.sleep(delayInBetween)
s.send(rawHTTPRequest[i:i + sendBodyCharRate])
response = b''
while True:
try:
buf = s.recv(1024)
if not buf: break
response = response + buf
except socket.timeout, e:
err = e.args[0]
if err == 'timed out' and includeTimeoutErr:
if response != '':
response = response + '\nErr: last part was timed out'
else:
response = 'Err: timed out'
break
s.close()
return response
def RequestObjectsToHTTPPipeline(RequestObjects):
result = ''
if len(RequestObjects) <= 0: raise ValueError('less_than_two_elements_received_by_RequestObjectsToHTTPPipeline()')
CRLF = '\r\n'
mainTarget = ''
mainPort = ''
lastElement = True
for reqObjects in reversed(RequestObjects):
if mainTarget == '':
mainTarget = reqObjects.targetName
mainPort = reqObjects.targetPort
IsConnectionSet = False
if reqObjects.headers != None:
for key, value in reqObjects.headers.iteritems():
if re.search(r'(connection:\s*close)|(connection:\s*keep\-alive)', str(key) +":" + str(value),
flags=re.IGNORECASE) != None:
IsConnectionSet = True
reqObjects.headers[key] = 'keep-alive'
if IsConnectionSet == False:
if lastElement:
reqObjects.headers['Connection'] = 'close'
else:
reqObjects.headers['Connection'] = 'keep-alive'
lastElement = False
result = reqObjects.rawRequest() + CRLF + result
result = result + CRLF
#result = result + "GET /IDontExist HTTP/1.1" + CRLF + "Host: " + mainTarget + ":" + str(mainPort) +\
#CRLF + "connection: close" + CRLF + CRLF
return result
# TEST CODE #
def HTTPPipelineTest():
result = False
testReq1 = RequestObject('OPTIONS', 'https://0me.me/calc.php?a=2222&b=2','',
{'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Referer': 'https://www.google.com/',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-GB,en;q=0.5',
'Max-Forwards': '0',
'Connection': 'close'})
testReq2 = RequestObject('OPTIONS', 'https://0me.me/calc.php?a=3333&b=3','',
{'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Max-Forwards': '0','connection':'close'})
testRequests = [testReq1,testReq2]
pipelineResult = RequestObjectsToHTTPPipeline(testRequests)
#print pipelineResult
try:
reqResult = SendHTTPRequestBySocket(pipelineResult, testReq1.targetName, testReq1.targetPort, testReq1.isSSL, 20)
except:
reqResult = ''
#print reqResult
if reqResult.find('4444') > 0 and reqResult.find('9999') > 0:
result = True
return result
def AnotherPipelineExample():
req1 = RequestObject('GET', 'http://asitename.com:8080/sum.jsp?a=1&b=1&c=2&d=2')
req2 = RequestObject('POST', 'http://asitename.com:8080/sum.jsp?a=3&b=3', 'c=4&d=4',
{'Content-Type': 'application/x-www-form-urlencoded'}, autoContentLength=True,
HTTPVersion="HTTP/1.0")
req3 = RequestObject('POST', 'http://asitename.com:8080/sum.jsp?a=5&b=5', 'c=6&d=6',
{'Content-Type': 'application/x-www-form-urlencoded'}, autoContentLength=True)
joinedReqs = [req1, req2, req3]
pipelineResult = RequestObjectsToHTTPPipeline(joinedReqs)
print SendHTTPRequestBySocket(pipelineResult, req1.targetName, req1.targetPort)
================================================
FILE: LICENSE
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: README.md
================================================
# HTTP.ninja
Future of something cool; stay tuned!
Draft results: https://drive.google.com/file/d/0B5Tqp73kQStQU1diV1Y0dzd1QU0/view
It has now been uploaded here in [Results_v0.1.xlsx](Results_v0.1.xlsx) as apparently this is against Google Drive's policy to share useful security related documents with everyone.
================================================
FILE: Sample Pages/sample.asp
================================================
Test Page (at least vulnerable to xss - don't use on live)
<%
On Error Resume Next
Response.write("
GET input0:
")
Response.write("
input0="&(Request.querystring("input0"))&"
")
Response.write("Len(input0)="&Len(Request.querystring("input0"))&"
")
Response.write("LenB(input0)="&LenB(Request.querystring("input0"))&"
")
Response.write("
POST input1:
")
Response.write("
input1="&(Request.form("input1"))&"
")
Response.write("Len(input1)="&Len(Request.form("input1"))&"
")
Response.write("LenB(input1)="&LenB(Request.form("input1"))&"
")
Response.write("
COOKIE input2:
")
Response.write("
input2="&(Request.Cookies("input2"))&"
")
Response.write("Len(input2)="&Len(Request.Cookies("input2"))&"
")
Response.write("LenB(input2)="&LenB(Request.Cookies("input2"))&"
")
Response.write("
All GET:
")
For each item in request.querystring
Response.write("
" & item & "="&request.querystring(item)&"
")
Response.write("
")
Next
Response.write("
All POST:
")
For each item in request.form
Response.write("
" & item & "="&request.form(item)&"
")
Next
Response.write("
All COOKIES:
")
For each item in request.Cookies
Response.write("
" & item & "="&request.Cookies(item)&"
")
Response.write("
")
Next
Response.write("
Server Variables:
")
For each item in Request.ServerVariables
Response.write("
" & item & "="&Request.ServerVariables(item)&"
")
Response.write("
")
Next
Response.write("
generic parameter ( REQUEST(""input"") ) input:
")
Response.write("
input="&(Request("input"))&"
")
Response.write("Len(input)="&Len(Request("input"))&"
")
Response.write("LenB(input)="&LenB(Request("input"))&"
")
%>
================================================
FILE: Sample Pages/sample.aspx
================================================
Test Page (at least vulnerable to xss - don't use on live)
<%
On Error Resume Next
Response.write("
GET input0:
")
Response.write("
input0="&(Request.querystring("input0"))&"
")
Response.write("Len(input0)="&Len(Request.querystring("input0"))&"
")
Response.write("System.Text.Encoding.Unicode.GetByteCount(input0)="&System.Text.Encoding.Unicode.GetByteCount(Request.querystring("input0"))&"
")
Response.write("
POST input1:
")
Response.write("
input1="&(Request.form("input1"))&"
")
Response.write("Len(input1)="&Len(Request.form("input1"))&"
")
Response.write("System.Text.Encoding.Unicode.GetByteCount(input1)="&System.Text.Encoding.Unicode.GetByteCount(Request.form("input1"))&"
")
Response.write("
COOKIE input2:
")
Response.write("
input2="&(Request.Cookies("input2").Value)&"
")
Response.write("Len(input2)="&Len(Request.Cookies("input2").Value)&"
")
Response.write("System.Text.Encoding.Unicode.GetByteCount(input2)="&System.Text.Encoding.Unicode.GetByteCount(Request.Cookies("input2").Value)&"
")
Response.write("
All GET:
")
For each item in request.querystring
Response.write("
" & item & "="&request.querystring(item)&"
")
Response.write("
")
Next
Response.write("
All POST:
")
For each item in request.form
Response.write("
" & item & "="&request.form(item)&"
")
Next
Response.write("
All COOKIES:
")
For each item in request.Cookies
Response.write("
" & item & "="&request.Cookies(item)&"
")
Response.write("
")
Next
Response.write("
Server Variables:
")
For each item in Request.ServerVariables
Response.write("
" & item & "="&Request.ServerVariables(item)&"
")
Response.write("
")
Next
Response.write("
generic parameter ( REQUEST(""input"") ) input:
")
Response.write("
input="&(Request("input"))&"
")
Response.write("Len(input)="&Len(Request("input"))&"
")
Response.write("System.Text.Encoding.Unicode.GetByteCount(input)="&System.Text.Encoding.Unicode.GetByteCount(Request("input"))&"
")
%>
================================================
FILE: Sample Pages/sample.jsp
================================================
<%@page pageEncoding="utf-8"%>
<%@page import="java.util.*"%>
Test Page (at least vulnerable to xss - don't use on live)
<%
out.println("
Parameters:
");
Enumeration parameterList = request.getParameterNames();
while( parameterList.hasMoreElements())
{
String sName = parameterList.nextElement().toString();
String[] sMultiple = request.getParameterValues( sName );
if( 1 >= sMultiple.length ){
// parameter has a single value. print it.
out.println("
" + sName + "=" + request.getParameter( sName ) + "
");
out.println("-> Value Length: " + request.getParameter( sName ).length() +"
" );
out.println("-> Byte Value Length: " + request.getParameter( sName ).getBytes("UTF-8").length +"
" );
}else{
for( int i=0; i" + sName + "[" + i + "]=" + sMultiple[i] + "
" );
out.println("-> Value Length: " + sMultiple[i].length() +"
" );
out.println("-> Byte Value Length: " + sMultiple[i].getBytes("UTF-8").length +"
" );
}
}
}
out.println("
COOKIE input2:
");
Cookie cookie = null;
Cookie[] cookies = null;
cookies = request.getCookies();
if( cookies != null)
{
for (int i = 0; i < cookies.length; i++){
cookie = cookies[i];
if (cookie.getName().equals("input2"))
out.println("
input2="+cookie.getValue()+"
");
}
}
out.println("
");
out.println("
Headers:
");
java.util.Enumeration names=request.getHeaderNames();
while (names.hasMoreElements()) {
String name = (String) names.nextElement();
String value = request.getHeader(name);
out.println("
"+name + "=" + value+"
");
}
out.println("
");
out.println("
Servlet Equivalent of Standard CGI Variables:
");
%>
AUTH_TYPE: <%= request.getAuthType() %>
CONTENT_LENGTH: <%= request.getContentLength() %>
CONTENT_TYPE: <%= request.getContentType() %>
PATH_INFO: <%= request.getPathInfo() %>
PATH_TRANSLATED: <%= request.getPathTranslated() %>
QUERY_STRING: <%= request.getQueryString() %>
REMOTE_ADDR: <%= request.getRemoteAddr() %>
REMOTE_HOST: <%= request.getRemoteHost() %>
REMOTE_USER: <%= request.getRemoteUser() %>
REQUEST_METHOD: <%= request.getMethod() %>
SCRIPT_NAME: <%= request.getServletPath() %>
SERVER_NAME: <%= request.getServerName() %>
SERVER_PORT: <%= request.getServerPort() %>
SERVER_PROTOCOL: <%= request.getProtocol() %>
SERVER_SOFTWARE: <%= getServletContext().getServerInfo() %>
Request URI: <%= request.getRequestURI() %>
Request URL: <%= request.getRequestURL() %>
Request Context Path: <%= request.getContextPath() %>
Real Path: <%= getServletContext().getRealPath("/") %>
================================================
FILE: Sample Pages/sample.php
================================================
Test Page (at least vulnerable to xss - don't use on live)
GET input0:
";
echo "
input0=".($_GET["input0"])."
";
echo "strlen(input0)=".strlen($_GET["input0"])."
";
echo "mb_strlen(input0)=".mb_strlen($_GET["input0"], '8bit')."
";
echo "
POST input1:
";
echo "
input1=".($_POST["input1"])."
";
echo "strlen(input1)=".strlen($_POST["input1"])."
";
echo "mb_strlen(input1)=".mb_strlen($_POST["input1"], '8bit')."
";
echo "
COOKIE input2:
";
echo "
input2=".($_COOKIE["input2"])."
";
echo "strlen(input2)=".strlen($_COOKIE["input2"])."
";
echo "mb_strlen(input2)=".mb_strlen($_COOKIE["input2"], '8bit')."
";
?>
".$req_dump."";
echo "
generic parameter ( \$_REQUEST[\"input\"] ) input:
";
echo "
input=".($_REQUEST["input"])."
";
echo "strlen(input)=".strlen($_REQUEST["input"])."
";
echo "mb_strlen(input)=".mb_strlen($_REQUEST["input"], '8bit')."
";
?>
================================================
FILE: Sample Pages/sample.py
================================================
from django.http import HttpResponse
import re
import os
def index(request):
result = "Test Page (at least vulnerable to xss - don't use on live)
\n"
try:
result += "
GET input0:
"
result += "input0="+request.GET['input0']+"
"
result += "len(input0)="+str(len(request.GET['input0']))+"
"
result += "s.encode('utf-8')(input0)="+str(utf8len(request.GET['input0']))+"
"
except:
pass
try:
result += "
POST input1:
"
result += "input1="+request.POST['input1']+"
"
result += "len(input1)="+str(len(request.POST['input1']))+"
"
result += "s.encode('utf-8')(input1)="+str(utf8len(request.POST['input1']))+"
"
except:
pass
try:
result += "
COOKIE input2:
"
result += "input2="+request.COOKIES.get('input2')+"
"
result += "len(input2)="+str(len(request.COOKIES.get('input2')))+"
"
result += "s.encode('utf-8')(input2)="+str(utf8len(request.COOKIES.get('input2')))+"
"
except:
pass
result += "
\nGET:\n
"
for key, values in request.GET.lists():
result += key + "=" + ', '.join(values) + "
\n
"
result += "\n
POST:\n
"
for key, values in request.POST.lists():
result += key + "=" + ', '.join(values) + "
\n
"
result += "\n
HEADERS:\n
"
#regex_headers = re.compile(r'^(HTTP_.+|CONTENT_TYPE|CONTENT_LENGTH)$')
#request_headers = {}
for header in request.META:
#if regex_headers.match(header):
result += "{header}:{value}
\n
".format(header=header,value=request.META[header])
for key in os.environ.keys():
result = result + "%30s: %s
\n" % (key,os.environ[key])
return HttpResponse(result)
def utf8len(s):
return len(s.encode('utf-8'))
================================================
FILE: Testing/HTTPRequestHolder.py
================================================
class HTTPRequestHolder(object):
rawHTTPRequest = ''
additionalInfo = ''
# The class "constructor" - It's actually an initializer
def __init__(self, rawHTTPRequest='', additionalInfo=''):
self.rawHTTPRequest = rawHTTPRequest
self.additionalInfo = additionalInfo
================================================
FILE: Testing/box_definition.py
================================================
class BoxObject(object):
ip = ''
port = ''
path = ''
hostname = ''
isSSL = False
description = ''
isEnabled = True
# The class "constructor" - It's actually an initializer
def __init__(self, ip='127.0.0.1',port='',path='',hostname='',isSSL=False,description='',isEnabled=True):
self.ip = ip
self.port = port
self.path = path
self.hostname = hostname
self.isSSL = isSSL
self.description = description
self.isEnabled = isEnabled
self._setParams()
def _setParams(self):
if self.hostname == '':
self.hostname = self.ip
if self.port == '':
if self.isSSL:
self.port = '443'
else:
self.port = '80'
if self.path == '':
self.path = '/'
================================================
FILE: Testing/config.py
================================================
import box_definition
import testcase_definition
log_file = 'logs.txt'
result_file = 'results.txt'
timeout = 3
sniper_mode = False # This will only use the sniper_box settings
target_boxes = []
# we can have multiple targets
target_boxes.append(box_definition.BoxObject(ip='192.168.1.1',port='80',path='/sample.mypy',hostname='test.com',isSSL=False,description='Nginx-django-py3',isEnabled=False))
target_boxes.append(box_definition.BoxObject(ip='192.168.1.2',port='80',path='/sample.php',hostname='victim.com',isSSL=False,description='Apache-php5-mod_php behind WAF'))
target_boxes.append(box_definition.BoxObject(ip='192.168.1.3',port='80',path='/sample.jsp',hostname='',isSSL=False,description='Apache Tomcat7 Java 1.6 behind squid',isEnabled=True))
target_boxes.append(box_definition.BoxObject(ip='192.168.1.4',port='80',path='/sample.asp',hostname='',isSSL=False,description='IIS10-ASP Classic'))
target_boxes.append(box_definition.BoxObject(ip='192.168.1.5',port='80',path='/sample.aspx',hostname='',isSSL=False,description='IIS10-ASPX (v4.x)'))
# we can only have one sniper box
sniper_box = box_definition.BoxObject(ip='127.0.0.1',port='443',path='/specifictarget',hostname='mytest.com',isSSL=True,description='something')
templates = []
# we can have multiple templates
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET $path?input0=test0 HTTP/1.1
HOST: $ip
Connection: Close
""", description='Normal GET', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='Normal POST', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET $path?input0=test0 HTTP/1.1
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST as GET', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""XXX $path?input0=test0 HTTP/1.1
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='XXX as POST', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""[]'{}$&*() $path?input0=test0 HTTP/1.1
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='[]\'{}$&*() as POST', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.1)-Multiple Content-Length - Wrong First', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Content-Length: 0
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.1)-Multiple Content-Length - Wrong Second', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.1)-No Content-Length', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content_Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.1)-Content_Length', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.1)-Smaller Content-Length', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.1)-Larger Content-Length', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.0
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.0)-Multiple Content-Length - Wrong First', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.0
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Content-Length: 0
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.0)-Multiple Content-Length - Wrong Second', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.0
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.0)-No Content-Length', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.0
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content_Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.0)-Content_Length', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.0
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.0)-Smaller Content-Length', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.0
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST (HTTP/1.0)-Larger Content-Length', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET $path?input0=test31337 HTTP/1.0
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test31337', description='GET (HTTP/1.0)-Multiple Content-Length - Wrong First', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET $path?input0=test31337 HTTP/1.0
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Content-Length: 0
Connection: Close
input1=test1337""", flagRegExStrInResponse='test31337', description='GET (HTTP/1.0)-Multiple Content-Length - Wrong Second', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET $path?input0=test31337 HTTP/1.0
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Connection: Close
input1=test1337""", flagRegExStrInResponse='test31337', description='GET (HTTP/1.0)-Smaller Content-Length', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET $path?input0=test31337 HTTP/1.0
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
Connection: Close
input1=test1337""", flagRegExStrInResponse='test31337', description='GET (HTTP/1.0)-Larger Content-Length', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $ip
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Connection: Close
input1=test1337AAAAAAAAAA""", flagRegExStrInResponse='test1337', description='Content-Length with Slow Completion by Socket',
timeout=100, isRateLimited=True, sendInitialChars=145, sendBodyCharRate=1, delayInBetween=0.2, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='Multiple HOST (both the same)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
HOST: foobar.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='Multiple HOST (first one valid)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: foobar.com
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='Multiple HOST (second one valid)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://foobar.com$path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='Different invalid HOST Name in Path valid in header', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://$hostname$path?input0=test0 HTTP/1.1
HOST: foobar.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='Different valid HOST Name in Path invalid in header', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: []'{}$&*() as HOST
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='[]\'{}$&*() as HOST', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: {}'$&(^_-.`)#!~
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='{}\'$&(^_-.`)#!~ as HOST', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: foobar.com@$hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='invalid@valid as HOST', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://foobar.com@$hostname$path?input0=test0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='invalid@valid as HOST in PATH with no HOST - HTTP1.1', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://foobar.com@$hostname$path?input0=test0 HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='invalid@valid as HOST in PATH with no HOST - HTTP1.0', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST:
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='Empty HOST', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://invalid@$path?input0=test0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='invalid@empty as HOST in PATH with no HOST - HTTP1.1', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://invalid@$path?input0=test0 HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='invalid@empty as HOST in PATH with no HOST - HTTP1.0', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http$asciiChar://$hostname$path?input0=test0 HTTP/1.1
Host: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='http+asciiChar as protocol', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
Host: $hostname:45678
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='45678', description='HOST Port Manipulation in header', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://$hostname:45678$path?input0=test0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='45678', description='HOST Port Manipulation in path with no HOST header on HTTP/1.1', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://$hostname:45678$path?input0=test0 HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='45678', description='HOST Port Manipulation in path with no HOST header on HTTP/1.0', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://$hostname:45670$path?input0=test0 HTTP/1.1
Host: $hostname:45679
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='4567', description='HOST Port Manipulation in header and path', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET $path?input0=test1337
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1234""", flagRegExStrInResponse='test1337', description='GET with HTTP v0.9 with relative path', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1234""", flagRegExStrInResponse='test1337', description='GET with HTTP v0.9 with absolute path', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST with HTTP v0.9 with relative path', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://$hostname$path?input0=test0
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Connection: Close
input1=test1337""", flagRegExStrInResponse='test1337', description='POST with HTTP v0.9 with absolute path', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 HTTP/0.123
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with invalid HTTP version (HTTP/0.123)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 HTTP/1.10000000
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with GET with invalid HTTP version (HTTP/1.10000000)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 HTTP/00000001.1
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with invalid HTTP version (HTTP/00000001.1)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 HTTP/1.10
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with invalid HTTP version (HTTP/1.10)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 HTTP/1.19
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with invalid HTTP version (HTTP/1.19)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 HTTP/2.0
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with invalid HTTP version (HTTP/2.0)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 HTTP/.9
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with invalid HTTP version (HTTP/.9)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 HTTP/0.99
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with invalid HTTP version (HTTP/0.99)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 HTTP/9.9
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with invalid HTTP version (HTTP/9.9)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 HTTP${asciiChar}1.1
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with invalid HTTP version (HTTP/9.9)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 XXXX/0.123
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with invalid HTTP version (XXXX/1.1)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""GET http://$hostname$path?input0=test1337000 XXXX
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337000', description='GET with invalid HTTP version (XXXX)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://$hostname$path?input0=test1337000 HTTP/0.9
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337111', description='POST with invalid HTTP version (HTTP/0.9)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://$hostname$path?input0=test1337000 XXXX
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337111', description='POST with invalid HTTP version (XXXX)', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test1337000 HTTP/1.1
HOST: $hostname$asciiChar
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337111', description='valid characters in host header', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test1337000 HTTP/1.1
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Connection: Close
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337222', description='Additional character after final character (based on length) - connection: close', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test1337000 HTTP/1.1
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Connection: keep-alive
input1=test1337111&input0=test1337222""", flagRegExStrInResponse='test1337222', description='Additional character after final character (based on length) - connection: keep-alive', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Cont${asciiChar}ent-Length: 15
Connection: close
input1=test1337""", flagRegExStrInResponse='test1337', description='Ignored characters in the middle of valid header names such as content-length', isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 1${asciiChar}5
Connection: close
input1=test1337""", flagRegExStrInResponse='test1337', description='Ignored characters in the middle of valid header names such as content-length', timeout=1, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
${asciiChar}Content-Length: 15
Connection: close
input1=test1337""", flagRegExStrInResponse='test1337', description='Valid characters before headers', timeout=1, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Type: application/x-www-form-urlencoded
Content-Length${asciiChar}: 15
Connection: close
input1=test1337""", flagRegExStrInResponse='test1337', description='Valid characters after headers before colon', timeout=1, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname${asciiChar}Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='test1337', description='Valid header separators', timeout=1, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15${asciiChar}
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='test1337', description='Valid characters after content-length values', timeout=1, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 17
Content-Type: application/x-www-form-urlencoded${asciiChar}
Connection: close
input1=test133%37""", flagRegExStrInResponse='input1=test1337', description='Valid characters after content-type values', timeout=1, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length:${asciiChar} 15
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Valid characters before headers values after colon before space in content-length', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type:${asciiChar} application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Valid characters before headers values after colon before space in content-type', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
TEST
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Empty header without colon', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: ${asciiChar}application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Valid characters before headers values after colon before space in content-type (POST)', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: appli${asciiChar}cation/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Valid characters in the middle of "application" in in "Content-Type: application/x-www-form-urlencoded"', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-fo${asciiChar}rm-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Valid characters in the middle of "form" in in "Content-Type: application/x-www-form-urlencoded"', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $filename${asciiChar}.$extension?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Ignored characters after file path before extension', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path${asciiChar}?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Ignored characters after file path', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST /${asciiChar}$filename.$extension?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Ignored characters before file path', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST %2F$path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Start path with %2F rather than /', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST /%2F/$path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Start path with /%2F/', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST /%2E/$path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='Start path with /%2E/', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST /$filename%u002e$extension?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input1=test1337', description='. character replacement before extension with %u002e', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Type: multipart/form-data; boundary=--------deilim123
Connection: close
Content-Length: 0
----------deilim123\r\nContent-Disposition: form-data; name="input1"\r\n\r\ntest1337\r\n----------deilim123--""",
flagRegExStrInResponse='input1=test1337', description='Converting "application/x-www-form-urlencoded" to "multipart/form-data" in normal POST (CR LF between multiparts)', timeout=10, autoContentLength=True, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Type: multipart/form-data; boundary=--------deilim123
Connection: close
Content-Length: 0
----------deilim123\r\nContent-Disposition: form-data; name="input1"\r\n\r\ntest1337""",
flagRegExStrInResponse='>input1=test1337', description='Converting "application/x-www-form-urlencoded" to "multipart/form-data" in normal POST (CR LF between multiparts) - Missing last boundary', timeout=10, autoContentLength=True, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Type: multipart/form-data; boundary=--------deilim123
Connection: close
Content-Length: 0
----------deilim123\nContent-Disposition: form-data; name="input1"\n\ntest1337\n----------deilim123--""",
flagRegExStrInResponse='input1=test1337', description='Converting "application/x-www-form-urlencoded" to "multipart/form-data" in normal POST (LF between multiparts)', timeout=10, autoContentLength=True, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Type: multipart/form-data; boundary=--------deilim123
Connection: close
Content-Length: 0
----------deilim123\r\nContent-Disposition: name="input1"\r\n\r\ntest1337\r\n----------deilim123--""",
flagRegExStrInResponse='>input1=test1337', description='"multipart/form-data" in normal POST (CR LF between multiparts) - Missing form-data in Content-Disposition', timeout=10, autoContentLength=True, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Type: multipart/form-data; boundary=--------deilim123
Connection: close
Content-Length: 0
----------deilim123Content-Disposition: form-data; name="input1"\r\n\r\ntest1337\r\n----------deilim123--""",
flagRegExStrInResponse='>input1=test1337', description='"multipart/form-data" in normal POST (CR LF between multiparts) - No character between Content-Disposition and the boundary', timeout=10, autoContentLength=True, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Type: multipart/form-data; boundary=--------deilim123
Connection: close
Content-Length: 0
----------deilim123\r\nContent-Disposition: name="input1"; form-data;\r\n\r\ntest1337\r\n----------deilim123--""",
flagRegExStrInResponse='>input1=test1337', description='"multipart/form-data" in normal POST (CR LF between multiparts) - name before form-data in Content-Disposition', timeout=10, autoContentLength=True, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=testGET HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
COOKIE: input0=testCOOKIE
input0: testHEADER
Connection: close
input0=testPOST""", flagRegExStrInResponse='input0=', description='One parameter in GET/POST/COOKIES/HEADER - reading GET', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input1=testGET HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
COOKIE: input1=testCOOKIE
input1: testHEADER
Connection: close
input1=testPOST""", flagRegExStrInResponse='input1=', description='One parameter in GET/POST/COOKIES/HEADER - reading POST', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test111&input0=test222&input0=test333 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input0=', description='Multiple GET Parameters with the same name', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test1337 HTTP/1.1
HOST: $hostname
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test111&input1=test222&input1=test333""", flagRegExStrInResponse='input0=', description='Multiple POST Parameters with the same name', timeout=3, autoContentLength=True, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test0 HTTP/1.1
HOST: $hostname
Content-Length: 15
Cookie: input2=test111;input2=test222;input2=test333;
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1337""", flagRegExStrInResponse='input2=', description='Multiple Cookie Parameters with the same name', timeout=3, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0${asciiChar}=test1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='input0=test1337', description='Ignored characters after parameter name (GET) - before = sign', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0%${asciiHex}=test1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='input0=test1337', description='Ignored url-encoded characters after parameter name (GET) - before = sign', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?${asciiChar}input0=test1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='[^>]>input0=test1337', description='Ignored characters before parameter name (GET) - before = sign', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?%${asciiHex}input0=test1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='[^>]>input0=test1337', description='Ignored url-encoded characters before parameter name (GET) - before = sign', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?inp${asciiChar}ut0=test1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='input0=test1337', description='Ignored characters in the middle of parameter name (GET) - before = sign', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?inp%${asciiHex}ut0=test1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='input0=test1337', description='Ignored url-encoded characters in the middle of parameter name (GET) - before = sign', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test HTTP/1.1
HOST: $hostname
Content-Length: 12
Cookie: foo=bar${asciiChar}input2=test1337;
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input2=test1337', description='; character replacement in Cookie', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test HTTP/1.1
HOST: $hostname
Content-Length: 12
Cookie: input2${asciiChar}test1337;
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input2=test1337', description='; character replacement in Cookie', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test HTTP/1.1
HOST: $hostname
Content-Length: 12
Cookie: inp${asciiChar}ut2=test1337;
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input2=test1337', description='Ignored characters in Cookie name', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test HTTP/1.1
HOST: $hostname
Content-Length: 12
Cookie: input2=test${asciiChar}1337;
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input2=test1337', description='Ignored characters in Cookie value', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?foo=bar${asciiChar}input0=test1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input0=test1337', description='& character replacement in GET', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?foo=bar%${asciiHex}input0=test HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input0=test1337', description='& character replacement in GET (url-encoded)', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0${asciiChar}test1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input0=test1337', description='= character replacement in GET', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0%${asciiHex}test HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input0=test1337', description='= character replacement in GET (url-encoded)', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test1337${asciiChar} HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input0=test1337<[^<\s]', description='Ignored characters after parameter value (GET)', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test1337%${asciiHex} HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input0=test1337<[^<\s]', description='Ignored url-encoded characters after parameter value (GET)', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=${asciiChar}test1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input0=test1337<[^<\s]', description='Ignored characters before parameter value (GET) - after = sign', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=%${asciiHex}test1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input0=test1337<[^<\s]', description='Ignored url-encoded characters before parameter value (GET) - after = sign', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test${asciiChar}1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input0=test1337<[^<\s]', description='Ignored characters in the middle of parameter value (GET)', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test%${asciiHex}1337 HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input0=test1337<[^<\s]', description='Ignored url-encoded characters in the middle of parameter value (GET)', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=1 HTTP/1.1
HOST: $hostname
Content-Length: 12
Cookie: inpu%742=test1337
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input2=test1337<[^<\s]', description='URL Encoding in Cookie parameter name', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=1 HTTP/1.1
HOST: $hostname
Content-Length: 12
Cookie: input2=tes%741337
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input2=test1337<[^<\s]', description='URL Encoding in Cookie parameter value', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=1 HTTP/1.1
HOST: $hostname
Content-Length: 12
Cookie: inpu%u00742=test1337
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input2=test1337<[^<\s]', description='utf-8 Encoding (%uHHHH) in Cookie parameter name', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=1 HTTP/1.1
HOST: $hostname
Content-Length: 12
Cookie: input2=tes%u00741337
Content-Type: application/x-www-form-urlencoded
Connection: close
input1=test1""", flagRegExStrInResponse='>input2=test1337<[^<\s]', description='utf-8 Encoding (%uHHHH) in Cookie parameter value', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=1 HTTP/1.1
HOST: $hostname
Content-Length: 15
Content-Type: application/x-www-form-urlencoded; charset=${charset}
Connection: close
input1=test1337""", flagRegExStrInResponse='(^i|>i)nput1=test1337<[^<\s]', inverseFlag=True, description='utf-8 Encoding (%uHHHH) in Cookie parameter value', timeout=5, isEnabled=False))
# perhaps for sniper use
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST $path?input0=test HTTP/1.1
HOST: $hostname
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
Cookie: input2${asciiChar}=test2
Connection: close
input1=test1""", selectRegExFromRequest='input2([^=]|=)', flagRegExStrInResponse='\[{selected_response}\]',
inverseFlag=True, description='Normal ASCII character conversion in GET (URL) paramater name', timeout=5, isEnabled=False))
templates.append(testcase_definition.TestcaseObject(rawTemplate=
"""POST http://0me.me/calc.php?a=2222&b=2 HTTP/1.0
Host: 0me.me
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
c=3333&d=3POST http://0me.me/calc.php?a=1111&b=1 HTTP/1.1
Host: 0me.me
Content-Type: application/x-www-form-urlencoded
Content-Length: 9
c=7&d=191""", flagRegExStrInResponse='test1337', description='Sniper Related - HTTP Pipelining, 1 character every 200 milisec',
timeout=100, isRateLimited=False, sendInitialChars=1, sendBodyCharRate=1, delayInBetween=0.2, isEnabled=False))
================================================
FILE: Testing/run.py
================================================
import config
import web_request_socket
from datetime import datetime
import codecs
import re
import testcase_mutation
import HTTPRequestHolder
import uuid
def logThis(message,type='log'):
if type=='log':
message = u"{delim}{time}{delim} {message}".format(delim="~"*30, time=datetime.now(),message=unicode(message, errors='ignore'))
log_file = config.log_file
print message
else:
log_file = config.result_file
with codecs.open(log_file, "a","utf-8") as myfile:
myfile.write(message+'\n')
def runTestcaseOnTarget(req_template,target_BoxObject):
HTTPRequestHolderObjs = []
initHTTPRequest = req_template.ReqBuilder(target_BoxObject)
HTTPRequestHolderObjs.append(HTTPRequestHolder.HTTPRequestHolder(initHTTPRequest))
if '$asciiChar' in initHTTPRequest or '${asciiChar}' in initHTTPRequest:
HTTPRequestHolderObjs = testcase_mutation.asciiChar(HTTPRequestHolderObjs)
if '$asciiHex' in initHTTPRequest or '${asciiHex}' in initHTTPRequest:
HTTPRequestHolderObjs = testcase_mutation.asciiHex(HTTPRequestHolderObjs)
if '$charset' in initHTTPRequest or '${charset}' in initHTTPRequest:
HTTPRequestHolderObjs = testcase_mutation.encodingList(HTTPRequestHolderObjs)
for HTTPRequestHolderObj in HTTPRequestHolderObjs:
testUUID = str(uuid.uuid4())
rawHTTPRequest = HTTPRequestHolderObj.rawHTTPRequest
additionalInfo = HTTPRequestHolderObj.additionalInfo
logThis("\n==Request to {ip} ({msgDesc}) - Template: {tempDesc} - TestID: {testID} - Additional Info:[{info}]==\n{message}".format(ip=target_BoxObject.ip,
msgDesc=target_BoxObject.description,
tempDesc=req_template.description,
testID=testUUID,
info=additionalInfo,
message=rawHTTPRequest),'log')
timeout = config.timeout
if req_template.timeout > 0:
timeout = req_template.timeout
result = web_request_socket.SendHTTPRequestBySocket(rawHTTPRequest=rawHTTPRequest,
targetName=target_BoxObject.ip,
targetPort=int(target_BoxObject.port),
isSSL=target_BoxObject.isSSL,
timeout=timeout,
includeTimeoutErr=False,
isRateLimited=req_template.isRateLimited,
sendInitialChars=req_template.sendInitialChars,
sendBodyCharRate=req_template.sendBodyCharRate,
delayInBetween=req_template.delayInBetween)
statusCode = 'Unknown (HTTP v0.9?)'
try:
statusCode = re.search('HTTP/\d\.\d\s(\d+)', result).group(1)
except:
pass
flagInResponseStringResult = ''
if req_template.flagRegExStrInResponse != '':
searchForRegexInResponse = req_template.flagRegExStrInResponse
if req_template.selectRegExFromRequest != '' and '{selected_response}' in searchForRegexInResponse:
requestPatternMatch = re.search(req_template.selectRegExFromRequest,rawHTTPRequest,re.MULTILINE)
if requestPatternMatch is not None:
selected_response = re.escape(requestPatternMatch.group(0))
print selected_response
searchForRegexInResponse = searchForRegexInResponse.format(selected_response=selected_response)
flagInResponseStringResult = ' - Flag ({flag}) result: '.format(flag=searchForRegexInResponse)
searchForPattern = re.compile(searchForRegexInResponse)
if (searchForPattern.search(result,re.MULTILINE) and not req_template.inverseFlag) or (not searchForPattern.search(result,re.MULTILINE) and req_template.inverseFlag):
flagInResponseStringResult = flagInResponseStringResult + 'Flagged!'
logThis("Success: [{tempDesc}] from [{ip}] ([{msgDesc}]) - Status code: [{statusCode}] - TestID: {testID} - Additional Info:[{info}]\n\n".format(
ip=target_BoxObject.ip,
msgDesc=target_BoxObject.description,
tempDesc=req_template.description,
statusCode=statusCode,
testID=testUUID,
info=additionalInfo), 'result')
else:
flagInResponseStringResult = flagInResponseStringResult + 'NotFlagged!'
logThis("\n==Response from {ip} ({msgDesc}) - Template: {tempDesc}{flagInResponse} - TestID: {testID} - Additional Info:[{info}]==\n{message}".format(
ip=target_BoxObject.ip,
msgDesc=target_BoxObject.description,
tempDesc=req_template.description,
flagInResponse=flagInResponseStringResult,
testID=testUUID,
info=additionalInfo,
message=result),'log')
if __name__=='__main__':
for req_template in config.templates:
if req_template.isEnabled:
if config.sniper_mode is False:
for target_BoxObject in config.target_boxes:
if target_BoxObject.isEnabled:
runTestcaseOnTarget(req_template, target_BoxObject)
else:
runTestcaseOnTarget(req_template, config.sniper_box)
================================================
FILE: Testing/testcase_definition.py
================================================
from string import Template
import os
import re
class TestcaseObject(object):
_rawTemplate = ''
templateRequest = Template('')
selectRegExFromRequest = ''
flagRegExStrInResponse = ''
inverseFlag = False
description = ''
timeout = 0
isEnabled = True
isRateLimited = False
sendInitialChars = 0
sendBodyCharRate = 1
delayInBetween = 0
autoContentLength = False
# The class "constructor" - It's actually an initializer
def __init__(self, rawTemplate='',selectRegExFromRequest='',flagRegExStrInResponse='', inverseFlag=False,description='' ,isEnabled=True,timeout=0,
isRateLimited=False, sendInitialChars=0, sendBodyCharRate=1, delayInBetween=0, autoContentLength=False):
self._rawTemplate = rawTemplate
self.selectRegExFromRequest = selectRegExFromRequest
self.flagRegExStrInResponse = flagRegExStrInResponse
self.inverseFlag = inverseFlag
self.description = description
self.isEnabled = isEnabled
self.timeout = timeout
self.isRateLimited = isRateLimited
self.sendInitialChars = sendInitialChars
self.sendBodyCharRate = sendBodyCharRate
self.delayInBetween = delayInBetween
self.autoContentLength = autoContentLength
self._setParams()
def _setParams(self):
self.templateRequest = Template(self._rawTemplate)
def ReqBuilder(self, target_BoxObject):
filename, extension = os.path.splitext(target_BoxObject.path)
extension = extension[1:] # removing the dot character before the extension
result = self.templateRequest.safe_substitute(ip=target_BoxObject.ip,
port=target_BoxObject.port,
path=target_BoxObject.path,
filename=filename,
extension=extension,
hostname=target_BoxObject.hostname,
description=target_BoxObject.description)
if self.autoContentLength:
bodylength = len(result) - re.search("(\r\n\r\n)|(\n\n)", result).end()
if re.search("content\\-length", result, re.IGNORECASE):
result = re.sub(r"(?i)content\-length:\s*\d+", "Content-Length: " + str(bodylength),
result, 1)
else:
result = re.sub(r"(\r\n\r\n)|(\n\n)", "\r\nContent-Length: " + str(bodylength) + "\r\n\r\n",
result, 1)
return result
================================================
FILE: Testing/testcase_mutation.py
================================================
from string import Template
import HTTPRequestHolder
import codecs
import binascii
def int2bytes(i):
hex_string = '%x' % i
n = len(hex_string)
return binascii.unhexlify(hex_string.zfill(n + (n & 1)))
def asciiChar(HTTPRequestHolderObjs):
result = []
for HTTPRequestHolderObj in HTTPRequestHolderObjs:
initHTTPReq = HTTPRequestHolderObj.rawHTTPRequest
initAdditionalInfo = HTTPRequestHolderObj.additionalInfo
for c in range(0, 256):
asciiChar = chr(c)
additionalInfo = 'ASCII [Code: {} - Char: {}]'.format(c, codecs.escape_encode(asciiChar))
if initAdditionalInfo != '':
additionalInfo = initAdditionalInfo + ' - ' + additionalInfo
HTTPRequestHolderObjTemp = HTTPRequestHolder.HTTPRequestHolder(Template(initHTTPReq).safe_substitute(asciiChar=asciiChar),additionalInfo)
result.append(HTTPRequestHolderObjTemp)
return result
def asciiHex(HTTPRequestHolderObjs):
result = []
for HTTPRequestHolderObj in HTTPRequestHolderObjs:
initHTTPReq = HTTPRequestHolderObj.rawHTTPRequest
initAdditionalInfo = HTTPRequestHolderObj.additionalInfo
for c in range(0, 256):
asciiChar = chr(c)
asciiHex = "{:02x}".format(c)
additionalInfo = 'ASCII [Code: {} - Char: {} - Hex: {}]'.format(c, codecs.escape_encode(asciiChar), asciiHex)
if initAdditionalInfo != '':
additionalInfo = initAdditionalInfo + ' - ' + additionalInfo
HTTPRequestHolderObjTemp = HTTPRequestHolder.HTTPRequestHolder(Template(initHTTPReq).safe_substitute(asciiHex=asciiHex),additionalInfo)
result.append(HTTPRequestHolderObjTemp)
return result
def unicodeChar(HTTPRequestHolderObjs):
result = []
for HTTPRequestHolderObj in HTTPRequestHolderObjs:
initHTTPReq = HTTPRequestHolderObj.rawHTTPRequest
initAdditionalInfo = HTTPRequestHolderObj.additionalInfo
for u in range(0, 65535):
unicodeChar = int2bytes(u)
additionalInfo = 'UNICODE [Code: {} - Char: {}]'.format(u, codecs.escape_encode(unicodeChar))
if initAdditionalInfo != '':
additionalInfo = initAdditionalInfo + ' - ' + additionalInfo
HTTPRequestHolderObjTemp = HTTPRequestHolder.HTTPRequestHolder(Template(initHTTPReq).safe_substitute(asciiChar=asciiChar),additionalInfo)
result.append(HTTPRequestHolderObjTemp)
return result
def encodingList(HTTPRequestHolderObjs):
result = []
charList = "IBM037,IBM437,IBM500,ASMO-708,DOS-720,ibm737,ibm775,ibm850,ibm852,IBM855,ibm857,IBM00858,IBM860,ibm861,DOS-862,IBM863,IBM864,IBM865,cp866,ibm869,IBM870,windows-874,cp875,shift_jis,gb2312,ks_c_5601-1987,big5,IBM1026,IBM01047,IBM01140,IBM01141,IBM01142,IBM01143,IBM01144,IBM01145,IBM01146,IBM01147,IBM01148,IBM01149,utf-16,unicodeFFFE,windows-1250,windows-1251,Windows-1252,windows-1253,windows-1254,windows-1255,windows-1256,windows-1257,windows-1258,Johab,macintosh,x-mac-japanese,x-mac-chinesetrad,x-mac-korean,x-mac-arabic,x-mac-hebrew,x-mac-greek,x-mac-cyrillic,x-mac-chinesesimp,x-mac-romanian,x-mac-ukrainian,x-mac-thai,x-mac-ce,x-mac-icelandic,x-mac-turkish,x-mac-croatian,utf-32,utf-32BE,x-Chinese-CNS,x-cp20001,x-Chinese-Eten,x-cp20003,x-cp20004,x-cp20005,x-IA5,x-IA5-German,x-IA5-Swedish,x-IA5-Norwegian,us-ascii,x-cp20261,x-cp20269,IBM273,IBM277,IBM278,IBM280,IBM284,IBM285,IBM290,IBM297,IBM420,IBM423,IBM424,x-EBCDIC-KoreanExtended,IBM-Thai,koi8-r,IBM871,IBM880,IBM905,IBM00924,EUC-JP,x-cp20936,x-cp20949,cp1025,koi8-u,iso-8859-1,iso-8859-2,iso-8859-3,iso-8859-4,iso-8859-5,iso-8859-6,iso-8859-7,iso-8859-8,iso-8859-9,iso-8859-13,iso-8859-15,x-Europa,iso-8859-8-i,iso-2022-jp,csISO2022JP,iso-2022-jp,iso-2022-kr,x-cp50227,euc-jp,EUC-CN,euc-kr,hz-gb-2312,GB18030,x-iscii-de,x-iscii-be,x-iscii-ta,x-iscii-te,x-iscii-as,x-iscii-or,x-iscii-ka,x-iscii-ma,x-iscii-gu,x-iscii-pa,utf-7,utf-8"
charList = charList.split(",")
for HTTPRequestHolderObj in HTTPRequestHolderObjs:
initHTTPReq = HTTPRequestHolderObj.rawHTTPRequest
initAdditionalInfo = HTTPRequestHolderObj.additionalInfo
for charset in charList:
additionalInfo = 'UNICODE [Charset: {}]'.format(charset)
if initAdditionalInfo != '':
additionalInfo = initAdditionalInfo + ' - ' + additionalInfo
HTTPRequestHolderObjTemp = HTTPRequestHolder.HTTPRequestHolder(Template(initHTTPReq).safe_substitute(charset=charset),additionalInfo)
result.append(HTTPRequestHolderObjTemp)
return result
================================================
FILE: Testing/web_request_socket.py
================================================
#!/usr/bin/python
import re
import socket
import urlparse
import ssl
import urllib
import time
# See HTTPPipelineTest() for a simple usage
# Example:
# RequestObject('POST', 'https://soroush.secproject.com/?q1=q2','var=val',{'cookie':'x=2;r=5','connection':'close','Content-Type': 'application/x-www-form-urlencoded'}, True)
class RequestObject(object):
url = ''
_path = ''
_CRLF = '\r\n'
qs = ''
cookie = ''
body = ''
headers = None
autoContentLength = True
autoHOSTHeader = True
useAbsolutePath = False
isSSL = False
HTTPVersion = ''
targetName = ''
targetPort = ''
targetProtocol = ''
# The class "constructor" - It's actually an initializer
def __init__(self, method='GET', url='', body='', headers=None, autoContentLength=True, autoHOSTHeader=True, useAbsolutePath=False, HTTPVersion='HTTP/1.1'):
self.method = method
self.url = url
self.body = body
self.headers = headers
self.autoContentLength = autoContentLength
self.autoHOSTHeader = autoHOSTHeader
self.useAbsolutePath = useAbsolutePath
self.HTTPVersion = HTTPVersion
self._setParams()
def _setParams(self):
parsedURL = urlparse.urlparse(self.url)
# setting the path
if self.useAbsolutePath == True:
self._path = self.url
else:
self._path = parsedURL.path
self.qs = parsedURL.query
if self._path == '':
self._path = '/'
# fix the body if it is in dict format
if isinstance(self.body,dict):
self.body = urllib.urlencode(self.body)
# set other necessary parameters
self.targetName = parsedURL.netloc
self.targetPort = parsedURL.port
self.targetProtocol = (parsedURL.scheme).lower()
if self.targetProtocol == 'https':
self.isSSL = True
if self.targetPort == None: self.targetPort = 443
elif self.targetPort == None:
self.targetPort = 80
def rawRequest(self):
self._setParams()
#building the raw request
queryString = ''
hostHeader = ''
contentLengthHeader = ''
incomingHeaders = ''
if self.autoHOSTHeader:
hostHeader = self._CRLF + "Host: " + self.targetName + self._CRLF
if self.headers != None:
for key, value in self.headers.iteritems():
incomingHeaders = incomingHeaders + str(key) + ": " + str(value) + self._CRLF
if incomingHeaders.endswith(self._CRLF):
incomingHeaders = incomingHeaders[:-2]
if self.autoContentLength:
contentLengthHeader = self._CRLF + "Content-Length: " + str(len(self.body))
if self.qs != '':
queryString = '?' + self.qs
httpdata = self.method + " " + self._path + queryString + " " + self.HTTPVersion + hostHeader + incomingHeaders + \
contentLengthHeader + self._CRLF + self._CRLF + self.body
return httpdata
def SendHTTPRequestBySocket(rawHTTPRequest = '', targetName='127.0.0.1', targetPort=80, isSSL = False, timeout=1,
includeTimeoutErr=False, isRateLimited=False, sendInitialChars=0, sendBodyCharRate=1, delayInBetween=0.2):
if len(rawHTTPRequest) == 0: return
# create an INET, STREAMing socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if isSSL:
s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1) # Perhaps this needs to be changed when other protocols should be used
s.settimeout(timeout)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.connect((targetName, targetPort))
# s.send(unicode(rawHTTPRequest, 'utf-8'))
if isRateLimited is False or sendBodyCharRate <= 0 or sendBodyCharRate <= 0 or delayInBetween < 0:
s.send(rawHTTPRequest)
else:
if sendInitialChars > 0:
s.send(rawHTTPRequest[:sendInitialChars])
rawHTTPRequest = rawHTTPRequest[sendInitialChars:]
for i in range(0, len(rawHTTPRequest), sendBodyCharRate):
time.sleep(delayInBetween)
s.send(rawHTTPRequest[i:i + sendBodyCharRate])
response = b''
while True:
try:
buf = s.recv(1024)
if not buf: break
response = response + buf
except socket.timeout, e:
err = e.args[0]
if err == 'timed out' and includeTimeoutErr:
if response != '':
response = response + '\nErr: last part was timed out'
else:
response = 'Err: timed out'
break
s.close()
return response
def RequestObjectsToHTTPPipeline(RequestObjects):
result = ''
if len(RequestObjects) <= 0: raise ValueError('less_than_two_elements_received_by_RequestObjectsToHTTPPipeline()')
CRLF = '\r\n'
mainTarget = ''
mainPort = ''
lastElement = True
for reqObjects in reversed(RequestObjects):
if mainTarget == '':
mainTarget = reqObjects.targetName
mainPort = reqObjects.targetPort
IsConnectionSet = False
if reqObjects.headers != None:
for key, value in reqObjects.headers.iteritems():
if re.search(r'(connection:\s*close)|(connection:\s*keep\-alive)', str(key) +":" + str(value),
flags=re.IGNORECASE) != None:
IsConnectionSet = True
reqObjects.headers[key] = 'keep-alive'
if IsConnectionSet == False:
if lastElement:
reqObjects.headers['Connection'] = 'close'
else:
reqObjects.headers['Connection'] = 'keep-alive'
lastElement = False
result = reqObjects.rawRequest() + CRLF + result
result = result + CRLF
#result = result + "GET /IDontExist HTTP/1.1" + CRLF + "Host: " + mainTarget + ":" + str(mainPort) +\
#CRLF + "connection: close" + CRLF + CRLF
return result
def HTTPPipelineTest():
result = False
testReq1 = RequestObject('OPTIONS', 'https://0me.me/calc.php?a=2222&b=2','',
{'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Referer': 'https://www.google.com/',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-GB,en;q=0.5',
'Max-Forwards': '0',
'Connection': 'close'})
testReq2 = RequestObject('OPTIONS', 'https://0me.me/calc.php?a=3333&b=3','',
{'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Max-Forwards': '0','connection':'close'})
testRequests = [testReq1,testReq2]
pipelineResult = RequestObjectsToHTTPPipeline(testRequests)
#print pipelineResult
try:
reqResult = SendHTTPRequestBySocket(pipelineResult, testReq1.targetName, testReq1.targetPort, testReq1.isSSL, 20)
#reqResult = SendHTTPRequestBySocket(pipelineResult, 'localhost', 8081, False, 5)
except:
reqResult = ''
#print reqResult
if reqResult.find('4444') > 0 and reqResult.find('9999') > 0:
result = True
return result