HTTP Request Smuggling Detection Tool

Overview

HTTP Request Smuggling Detection Tool

HTTP request smuggling is a high severity vulnerability which is a technique where an attacker smuggles an ambiguous HTTP request to bypass security controls and gain unauthorized access to performs malicious activities, the vulnerability was discovered back in 2005 by watchfire and later in August 2019 it re-discovered by James Kettle - (albinowax) and presented at DEF CON 27 and Black-Hat USA, to know more about this vulnerability you can refer his well-documented research blogs at Portswigger website. So the idea behind this security tool is to detect HRS vulnerability for a given host and the detection happens based on the time delay technique with the given permutes, so to know more about this tool I'll highly encourage you to read my blog post about this tool.

Technical Overview

The tool is written using python and to use this tool you must have python version 3.x installed in your local machine. It takes the input of either one URL or list of URLs which you need to provide in a text file and by following the HRS vulnerability detection technique the tool has built-in payloads which has around 37 permutes and detection payloads for both CL.TE and TE.CL and for every given host it will generate the attack request object by using these payloads and calculates the elapsed time after receiving the response for each request and decides the vulnerability but most of the time chances are it can be false positive, so to confirm the vulnerability you can use burp-suite turbo intruder and try your payloads.

Security Consent

It's quite important to know some of the legal disclaimers before scanning any of the targets, you should have proper authorization before scanning any of the targets otherwise I suggest do not use this tool to scan an unauthorized target because to detect the vulnerability it sends multiple payloads for multiple times by using (--retry) option which means if something goes wrong then there is a possibility that backend socket might get poisoned with the payloads and any genuine visitors of that particular website might end up seeing the poisoned payload rather seeing the actual content of the website. So I'll highly suggest taking proper precautions before scanning any of the target website otherwise you will face some legal issue.

Installation

git clone https://github.com/anshumanpattnaik/http-request-smuggling.git
cd http-request-smuggling
pip3 install -r requirements.txt

Options

usage: smuggle.py [-h] [-u URL] [-urls URLS] [-t TIMEOUT] [-m METHOD]
                    [-r RETRY]

HTTP Request Smuggling vulnerability detection tool

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     set the target url
  -urls URLS, --urls URLS
                        set list of target urls, i.e (urls.txt)
  -t TIMEOUT, --timeout TIMEOUT
                        set socket timeout, default - 10
  -m METHOD, --method METHOD
                        set HTTP Methods, i.e (GET or POST), default - POST
  -r RETRY, --retry RETRY
                        set the retry count to re-execute the payload, default
                        - 2

Scan one Url

python3 smuggle.py -u 

Scan list of Urls

python3 smuggle.py -urls 

Important

If you feel the detection payload needs to change to make it more accurate then you can update the payload in payloads.json file of detection array.

"detection": [
	{
		"type": "CL.TE",
		"payload": "\r\n1\r\nZ\r\nQ\r\n\r\n",
		"content_length": 5
	},
	{
		"type": "TE.CL",
		"payload": "\r\n0\r\n\r\n\r\nG",
		"content_length": 6
	}
]

License

This project is licensed under the MIT License

You might also like...
As easy as /aitch-tee-tee-pie/ 🥧 Modern, user-friendly command-line HTTP client for the API era. JSON support, colors, sessions, downloads, plugins & more. https://twitter.com/httpie
As easy as /aitch-tee-tee-pie/ 🥧 Modern, user-friendly command-line HTTP client for the API era. JSON support, colors, sessions, downloads, plugins & more. https://twitter.com/httpie

HTTPie: human-friendly CLI HTTP client for the API era HTTPie (pronounced aitch-tee-tee-pie) is a command-line HTTP client. Its goal is to make CLI in

A minimal HTTP client. ⚙️

HTTP Core Do one thing, and do it well. The HTTP Core package provides a minimal low-level HTTP client, which does one thing only. Sending HTTP reques

Asynchronous Python HTTP Requests for Humans using Futures

Asynchronous Python HTTP Requests for Humans Small add-on for the python requests http library. Makes use of python 3.2's concurrent.futures or the ba

Fast HTTP parser

httptools is a Python binding for the nodejs HTTP parser. The package is available on PyPI: pip install httptools. APIs httptools contains two classes

HTTP/2 for Python.
HTTP/2 for Python.

Hyper: HTTP/2 Client for Python This project is no longer maintained! Please use an alternative, such as HTTPX or others. We will not publish further

An interactive command-line HTTP and API testing client built on top of HTTPie featuring autocomplete, syntax highlighting, and more. https://twitter.com/httpie
An interactive command-line HTTP and API testing client built on top of HTTPie featuring autocomplete, syntax highlighting, and more. https://twitter.com/httpie

HTTP Prompt HTTP Prompt is an interactive command-line HTTP client featuring autocomplete and syntax highlighting, built on HTTPie and prompt_toolkit.

Probe and discover HTTP pathname using brute-force methodology and filtered by specific word or 2 words at once
Probe and discover HTTP pathname using brute-force methodology and filtered by specific word or 2 words at once

pathprober Probe and discover HTTP pathname using brute-force methodology and filtered by specific word or 2 words at once. Purpose Brute-forcing webs

🔄 🌐 Handle thousands of HTTP requests, disk writes, and other I/O-bound tasks simultaneously with Python's quintessential async libraries.

🔄 🌐 Handle thousands of HTTP requests, disk writes, and other I/O-bound tasks simultaneously with Python's quintessential async libraries.

A Python obfuscator using HTTP Requests and Hastebin.
A Python obfuscator using HTTP Requests and Hastebin.

🔨 Jawbreaker 🔨 Jawbreaker is a Python obfuscator written in Python3, using double encoding in base16, base32, base64, HTTP requests and a Hastebin-l

Comments
  • Error Execution

    Error Execution

    Hello,

    when I run the script I have this error:

    
    Traceback (most recent call last):
      File "/opt/HTTP-SMUGGLING/http-request-smuggling/smuggle.py", line 130, in <module>
        utils.print_header()
      File "/opt/HTTP-SMUGGLING/http-request-smuggling/lib/Utils.py", line 43, in print_header
        cprint(figlet_format(self.title.center(20), font='cybermedium'), 'red', attrs=['bold'])
      File "/usr/lib/python3/dist-packages/pyfiglet/__init__.py", line 65, in figlet_format
        fig = Figlet(font, **kwargs)
      File "/usr/lib/python3/dist-packages/pyfiglet/__init__.py", line 794, in __init__
        self.setFont()
      File "/usr/lib/python3/dist-packages/pyfiglet/__init__.py", line 801, in setFont
        self.Font = FigletFont(font=self.font)
      File "/usr/lib/python3/dist-packages/pyfiglet/__init__.py", line 126, in __init__
        self.data = self.preloadFont(font)
      File "/usr/lib/python3/dist-packages/pyfiglet/__init__.py", line 147, in preloadFont
        raise FontNotFound(font)
    pyfiglet.FontNotFound: cybermedium
    
    

    I have installed pyfiglet library

    A greeting and thanks

    opened by tXambe 3
  • script hang out

    script hang out

    I add this payload:

    		{
    			"type": "space3",
    			"content_length_key": "Content-Length:",
    			"transfer_encoding": {
    				"te_key": "Transfer-Encoding[space here]:",
    				"te_value": "chunked"
    			}
    		},
    

    and the script hang out

    opened by cyal1 2
  • added support for non default ports

    added support for non default ports

    Current version ignores the explicitly specified port and replaces it with either 80 or 443 based on protocol, this commit fixes this behavior and the program will correctly use the custom port when specified.

    opened by Tox1k 0
Releases(v0.1)
  • v0.1(Dec 22, 2020)

    In v0.1 release, the implementation allows only to detect whether the application is vulnerable to (CL.TE) or (TE.CL) and the detection logic is followed by portswigger HRS research. more accurately the tool has built-in payloads which has around 37 permutes and detection payloads for both (CL.TE) and (TE.CL) variants.

    And most importantly it has (--retry) option which means you can retry the same payload based on the retry value, which gives us an option to detect this vulnerability more accurately.

    Source code(tar.gz)
    Source code(zip)
Owner
Anshuman Pattnaik
I am a developer and worked on various platforms and frameworks such as Android, Node.js, Go, React/Redux, Blockchain, Web hacking, Penetration Testing, Unity3D
Anshuman Pattnaik
Python requests like API built on top of Twisted's HTTP client.

treq: High-level Twisted HTTP Client API treq is an HTTP library inspired by requests but written on top of Twisted's Agents. It provides a simple, hi

Twisted Matrix Labs 553 Dec 18, 2022
As easy as /aitch-tee-tee-pie/ 🥧 Modern, user-friendly command-line HTTP client for the API era. JSON support, colors, sessions, downloads, plugins & more. https://twitter.com/httpie

HTTPie: human-friendly CLI HTTP client for the API era HTTPie (pronounced aitch-tee-tee-pie) is a command-line HTTP client. Its goal is to make CLI in

HTTPie 25.4k Jan 01, 2023
Some example code for using a raspberry pi to draw text (including emojis) and twitch emotes to a HUB75 RGB matrix via an HTTP post endpoint.

Some example code for using a raspberry pi to draw text (including emojis) and twitch emotes to a HUB75 RGB matrix via an HTTP post endpoint.

7 Nov 05, 2022
PycURL - Python interface to libcurl

PycURL -- A Python Interface To The cURL library PycURL is a Python interface to libcurl, the multiprotocol file transfer library. Similarly to the ur

PycURL 933 Jan 09, 2023
Aiohttp-openmetrics - OpenMetrics endpoint provider for aiohttp

aiohttp-openmetrics This project contains a simple middleware and /metrics route

Jelmer Vernooij 1 Dec 15, 2022
HackerNews digest using GitHub actions

HackerNews Digest This script makes use of GitHub actions to send daily newsletters with the top 10 posts from HackerNews of the previous day. How to

Rajkumar S 3 Jan 19, 2022
An interactive command-line HTTP and API testing client built on top of HTTPie featuring autocomplete, syntax highlighting, and more. https://twitter.com/httpie

HTTP Prompt HTTP Prompt is an interactive command-line HTTP client featuring autocomplete and syntax highlighting, built on HTTPie and prompt_toolkit.

HTTPie 8.6k Dec 31, 2022
Python Simple SOAP Library

PySimpleSOAP / soap2py Python simple and lightweight SOAP library for client and server webservices interfaces, aimed to be as small and easy as possi

PySimpleSOAP 369 Jan 02, 2023
A next generation HTTP client for Python. 🦋

HTTPX - A next-generation HTTP client for Python. HTTPX is a fully featured HTTP client for Python 3, which provides sync and async APIs, and support

Encode 9.8k Jan 05, 2023
Asynchronous Python HTTP Requests for Humans using Futures

Asynchronous Python HTTP Requests for Humans Small add-on for the python requests http library. Makes use of python 3.2's concurrent.futures or the ba

Ross McFarland 2k Dec 30, 2022
Get the HTTP code of websites along with a cute cat picture

Cat Requests What is this? Cat requests allows you to both get the HTTP response code of the website you wish and it displays it to your screen as a c

Oakchris1955 3 Feb 27, 2022
A toolbelt of useful classes and functions to be used with python-requests

The Requests Toolbelt This is just a collection of utilities for python-requests, but don't really belong in requests proper. The minimum tested reque

892 Jan 06, 2023
Asynchronous Python HTTP Requests for Humans using twisted

Asynchronous Python HTTP Requests for Humans Small add-on for the python requests http library. Makes use twisted's ThreadPool, so that the requests'A

Pierre Tardy 32 Oct 27, 2021
Screaming-fast Python 3.5+ HTTP toolkit integrated with pipelining HTTP server based on uvloop and picohttpparser.

Screaming-fast Python 3.5+ HTTP toolkit integrated with pipelining HTTP server based on uvloop and picohttpparser.

Paweł Piotr Przeradowski 8.6k Jan 04, 2023
Single-file replacement for python-requests

mureq mureq is a single-file, zero-dependency replacement for python-requests, intended to be vendored in-tree by Linux systems software and other lig

Shivaram Lingamneni 267 Dec 28, 2022
Aiosonic - lightweight Python asyncio http client

aiosonic - lightweight Python asyncio http client Very fast, lightweight Python asyncio http client Here is some documentation. There is a performance

Johanderson Mogollon 93 Jan 06, 2023
Asynchronous HTTP client/server framework for asyncio and Python

Async http client/server framework Key Features Supports both client and server side of HTTP protocol. Supports both client and server Web-Sockets out

aio-libs 13.1k Jan 01, 2023
T-Reqs: A grammar-based HTTP Fuzzer

T-Reqs HTTP Fuzzer T-Reqs (Two Requests) is a grammar-based HTTP Fuzzer written as a part of the paper titled "T-Reqs: HTTP Request Smuggling with Dif

Bahruz Jabiyev 207 Dec 06, 2022
r - a small subset of Python Requests

r a small subset of Python Requests a few years ago, when I was first learning Python and looking for http functionality, i found the batteries-includ

Gabriel Sroka 4 Dec 15, 2022
Python HTTP library with thread-safe connection pooling, file post support, user friendly, and more.

urllib3 is a powerful, user-friendly HTTP client for Python. Much of the Python ecosystem already uses urllib3 and you should too. urllib3 brings many

urllib3 3.2k Jan 02, 2023