Read response from http2 or http3 #1074

Merged
merged 4 commits into from
Oct 9, 2021

Contributor

@nothinux nothinux commented Oct 2, 2021

Go's http.ParseHTTPVersion() could not parse an HTTP version without a minor version, like HTTP/2 or HTTP/3.
So in this PR, I add a minor version if the HTTP response doesn't include one.

This PR is related to https://github.com/projectdiscovery/nuclei/issues/1067

@ehsandeep ehsandeep changed the base branch from master to dev October 2, 2021 12:08
Member

@ehsandeep ehsandeep left a comment

Thank you @nothinux for creating a PR for this bug. An initial test shows the following error after the change.

echo test.txt | ./nuclei -passive

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.5.2

		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.5.2 (latest)
[INF] Using Nuclei Templates 8.5.6 (latest)
[INF] Using Interactsh Server https://interact.sh
[INF] Templates added in last update: 108
[INF] Templates loaded for scan: 558
[ERR] Could not dump raw http response test.txt: unexpected EOF
[ERR] Could not dump raw http response test.txt: unexpected EOF
[ERR] Could not dump raw http response test.txt: unexpected EOF
[ERR] Could not dump raw http response test.txt: unexpected EOF

@nothinux
Contributor Author

nothinux commented Oct 2, 2021

I think that issue is because the Content-Length is wrong or broken, so it throws an unexpected EOF exception.

Maybe you can test again with a different HTTP response, @ehsandeep.

I have tested it myself by getting a response from https://golang.org/doc/install and testing that response:

$ curl -i https://golang.org/doc/install > golang-response.txt
$ echo golang-response.txt | ./nuclei -passive

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.5.2

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.5.2 (latest)
[INF] Using Nuclei Templates 8.5.6 (latest)
[INF] Using Interactsh Server https://interact.sh
[INF] Templates added in last update: 2230
[INF] Templates loaded for scan: 558
[2021-10-02 22:09:47] [http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:cross-origin-resource-policy] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:cross-origin-opener-policy] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:access-control-allow-credentials] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:access-control-expose-headers] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:x-frame-options] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:clear-site-data] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:cross-origin-embedder-policy] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:x-content-type-options] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:referrer-policy] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:access-control-max-age] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:access-control-allow-methods] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:content-security-policy] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [http-missing-security-headers:access-control-allow-origin] [http] [info] golang-response.txt
[2021-10-02 22:09:47] [tech-detect:google-font-api] [http] [info] golang-response.txt

I also added a new test for testing a live response.

I don't have an idea of how to handle the situation when Content-Length is broken. Any suggestions?

Thank you

@Ice3man543 Ice3man543 merged commit d788416 into projectdiscovery:dev Oct 9, 2021
@Ice3man543
Member

Thanks for the PR @nothinux. Merging this now!
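
The two behaviours discussed in this thread, as an added example that is not part of the PR or of nuclei's code: a status line without a minor version is rejected by Go's `http.ReadResponse` until a `.0` is appended, and a `Content-Length` larger than the saved body surfaces as `unexpected EOF` when the body is read. The helper names `addMinorVersion` and `parseDump` and both sample dumps are assumptions constructed for this illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample dumps (not taken from the thread); shortDump declares
// more body bytes than it actually contains.
const (
	goodDump  = "HTTP/2 200 \r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
	shortDump = "HTTP/2 200 \r\nContent-Type: text/plain\r\nContent-Length: 50\r\n\r\nhello"
)

// addMinorVersion (hypothetical helper) rewrites a leading "HTTP/2" or
// "HTTP/3" token to "HTTP/2.0" / "HTTP/3.0"; anything else is returned as is.
func addMinorVersion(raw string) string {
	sp := strings.IndexByte(raw, ' ')
	if sp < 0 || !strings.HasPrefix(raw, "HTTP/") || strings.Contains(raw[:sp], ".") {
		return raw
	}
	return raw[:sp] + ".0" + raw[sp:]
}

// parseDump parses a saved raw response and reads its whole body.
func parseDump(raw string) (*http.Response, []byte, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, nil, err // e.g. malformed HTTP version "HTTP/2"
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body) // io.ErrUnexpectedEOF if the body is short
	return resp, body, err
}

func main() {
	_, _, err := parseDump(goodDump)
	fmt.Println("unmodified:", err)

	resp, body, err := parseDump(addMinorVersion(goodDump))
	fmt.Println("normalized:", resp.Proto, resp.StatusCode, string(body), err)

	_, body, err = parseDump(addMinorVersion(shortDump))
	fmt.Printf("short body: %q, err: %v\n", body, err)
}
```

In the short-body case the bytes that were present are still returned alongside the error, so a caller can choose between rejecting the dump and working with the partial body.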
