PageRenderTime 39ms CodeModel.GetById 14ms RepoModel.GetById 0ms app.codeStats 0ms

/HTTP/Fuzzer.pm

https://code.google.com/
Perl | 376 lines | 223 code | 41 blank | 112 comment | 29 complexity | 43595dbefdf9375037f958aad4cc2e97 MD5 | raw file
    

  1. package HTTP::Fuzzer;
    2. 

  2. 

  3. =pod
    4. 

  4. =head1 NAME
    5. 

  5. 

  6. HTTP::Fuzzer - An extensible HTTP Fuzzer
    7. 

  7. 

  8. =head1 SYNOPSIS
    9. 

  9. 

  10.  use HTTP::Fuzzer;
    11. 

  11.  use HTTP::Fuzzer::WordListGenerator;
    12. 

  12.  
    13. 

  13.  sub handleHttpRequest($$$$) {
    14. 

  14.     my $params = shift;         
    15. 

  15.     my $request = shift;
    16. 

  16.     my $responseCode = shift;
    17. 

  17.     my $responseContent = shift;
    18. 

  18.     
    19. 

  19.     if ($responseCode == 200) {
    20. 

  20.         while (my ($k,$v) = each %$params) {
    21. 

  21.             print "$k: $v\n";
    22. 

  22.         }
    23. 

  23.     }
    24. 

  24.  }
    25. 

  25.  
    26. 

  26.  my $fuzzer = new HTTP::Fuzzer();
    27. 

  27.  
    28. 

  28.  # simple use case
    29. 

  29.  $fuzzer->addService(
    30. 

  30.     host    => 'http://127.0.0.1',
    31. 

  31.     url     => '/{path}',
    32. 

  32.     filter_response_codes => '404',
    33. 

  33.     handler => \&handleHttpRequest );
    34. 

  34. 

  35.  $fuzzer->addFuzzingValue('path', 'admin');
    36. 

  36.  $fuzzer->addFuzzingValue('path', 'install');
    37. 

  37.  $fuzzer->run();
    38. 

  38.  
    39. 

  39.  # more complicated test case
    40. 

  40.  $fuzzer->addService(
    41. 

  41.     method  => 'POST',
    42. 

  42.     host    => 'http://ws.contoso.com',
    43. 

  43.     url     => '/books',
    44. 

  44.     content => '<book><isbn>{isbn}</isbn><title>{title}</title></book>'
    45. 

  45.     filter_response_codes => '404',
    46. 

  46.     handler => \&handleHttpRequest );
    47. 

  47. 

  48.  $fuzzer->setHttpProxy('http://192.168.1.1:8080');
    49. 

  49. 

  50.  my $limit = 1000;
    51. 

  51.  $fuzzer->addFuzzingValue('isbn', '<a>'x$limit . 'haha' . '</a>'x$limit);
    52. 

  52.  $fuzzer->addFuzzingValue('isbn', new HTTP::Fuzzer::WordListGenerator(file => 'D:\Tools\Wordlists\books_isbn.txt'));
    53. 

  53.  $fuzzer->addFuzzingValue('title', '<a>'x$limit . 'haha' . '</a>'x$limit);
    54. 

  54.  $fuzzer->addFuzzingValue('title', new HTTP::Fuzzer::WordListGenerator(file => 'D:\Tools\Wordlists\books_title.txt'));
    55. 

  55.  $fuzzer->run();
    56. 

  56.  
    57. 

  57. =head2 FUZZING
    58. 

  58. 

  59. Fuzzed parameters are to be surrounded by curly brackets, such as C<{isbn}> or
    60. 

  60. C<{title}>. For every parameter you have to specify at least one value or
    61. 

  61. a way of generating values, such as word lists, regular expressions, ...
    62. 

  62. 

  63. It is not allowed to encapsulate parameters.
    64. 

  64. 

  65. =head2 ENCODINGS
    66. 

  66. 

  67. Any part of the request can be encoded as needed:
    68. 

  68. 

  69.  my $headers = [
    70. 

  70.     Authorization => 'BASIC BASE64{{username}:{password}}'
    71. 

  71.  ];
    72. 

  72.  $fuzzer->addService(
    73. 

  73.     method  => 'GET',
    74. 

  74.     host    => 'http://ws.contoso.com',
    75. 

  75.     url     => '/',
    76. 

  76.     filter_response_codes => '403',
    77. 

  77.     headers => $headers,
    78. 

  78.     handler => \&handleHttpRequest );
    79. 

  79. 

  80. All encodings process exactly one argument (eg. C<'{username}:{password}'>,
    81. 

  81. after substituting the value for C<username> and C<password>).
    82. 

  82. 

  83. Currently, the following encodings are available:
    84. 

  84. 

  85. =over
    86. 

  86. =item URLENCODE
    87. 

  87. =item HTMLENCODE
    88. 

  88. =item BASE64
    89. 

  89. =item MD5
    90. 

  90. =item SHA1
    91. 

  91. =item XML
    92. 

  92. 

  93. You may, if this makes sense to you, encapsulate encodings, such as
    94. 

  94. 

  95.  my $url = 'login.php?username=URLENCODE{{username}}&password=URLENCODE{SHA1{{username}:{password}}}';
    96. 

  96.  
    97. 

  97. =cut
    98. 

  98. 

  99. use strict;
    100. 

  100. use REST::Client;
    101. 

  101. use HTTP::Fuzzer::Encoder;
    102. 

  102. use Data::Dumper;
    103. 

  103. use Carp::Assert;
    104. 

  104. 

  105. use constant {
    106. 

  106.   E_XML => \&escape_xml,
    107. 

  107.   E_URI => \&uri_encode,
    108. 

  108.   E_HTML => \&htmlentities
    109. 

  109. };
    110. 

  110. 

  111. use constant {
    112. 

  112.     FUZZER_DEBUG   => 0
    113. 

  113. };
    114. 

  114. 

  115. =pod
    116. 

  116. Running mode:
    117. 

  117. OFFLINE => the callback function is invocated with all values despite responseCode and responseContent;
    118. 

  118. the request is not sent
    119. 

  119. 

  120. ONLINE =>  send a request and invoke the callback function with request and response parameters
    121. 

  121. =cut
    122. 

  122. use constant {
    123. 

  123.     OFFLINE => 'offline',
    124. 

  124.     ONLINE  => 'online'
    125. 

  125. };
    126. 

  126. 

  127. sub TRACE {
    128. 

  128.     print (@_) if(FUZZER_DEBUG);
    129. 

  129. }
    130. 

  130. 

  131. sub extract_params($$) {
    132. 

  132.     my $self = shift;
    133. 

  133.     my $svc = shift;
    134. 

  134.     my @params = ();
    135. 

  135.     
    136. 

  136.     # find last parameter and remove it from the string
    137. 

  137.     while ($svc =~ s/(.*)PARAMETER\{(\w+)\}(.*)/$1$3/) {
    138. 

  138.         my $param = $2;
    139. 

  139.         $param =~ m/[a-zA-Z0-9]+/ or die "invalid character in parameter '$param'";
    140. 

  140.         unshift @params, $param;
    141. 

  141.     }
    142. 

  142.     return @params
    143. 

  143. }
    144. 

  144. 

  145. sub combine_values($$$$) {
    146. 

  146.     my $self = shift;
    147. 

  147.     my $svc = shift;
    148. 

  148.     my $dst = shift;
    149. 

  149.     my $src = shift;
    150. 

  150.     
    151. 

  151.     if (@$src == 0) {
    152. 

  152.         $self->sendRequest($svc, $dst);
    153. 

  153.         return;
    154. 

  154.     }
    155. 

  155.     
    156. 

  156.     my $param = shift @$src;
    157. 

  157.     #print STDERR "BEGIN handle $param\n";
    158. 

  158.     
    159. 

  159.     my $values = $self->{values}->{$param};
    160. 

  160.     
    161. 

  161.     # add all generators as default values
    162. 

  162.     if (! defined($values)) {
    163. 

  163.         die "no default values for {$param} found ...\n";
    164. 

  164.     }
    165. 

  165.     
    166. 

  166.     # create combinations of values
    167. 

  167.     foreach my $value (@$values) {
    168. 

  168.         if (ref($value) && $value->isa('HTTP::Fuzzer::AbstractGenerator')) {
    169. 

  169.           my $generator = $value;
    170. 

  170.           
    171. 

  171.           # acquire required parameters, to pass it to the generator function
    172. 

  172.           my %reqs = ();
    173. 

  173.           for my $req (@{$self->{requirements}->{$param}}) {
    174. 

  174.               $reqs{$req} = $dst->{$req}
    175. 

  175.                   or die "unresolved requirement: $param requires $req\n";
    176. 

  176.           }
    177. 

  177.           
    178. 

  178.           $generator->init(%reqs);
    179. 

  179.           while ($generator->hasNext()) {
    180. 

  180.               $dst->{$param} = $generator->next();
    181. 

  181.               assert(defined($dst->{$param}));
    182. 

  182.               $self->combine_values($svc, $dst, $src);
    183. 

  183.           }
    184. 

  184.         } else {
    185. 

  185.             $dst->{$param} = $value;
    186. 

  186.             $self->combine_values($svc, $dst, $src);
    187. 

  187.         }
    188. 

  188.     }     
    189. 

  189.     #print STDERR "END handle $param\n";    
    190. 

  190.     unshift @$src, $param;
    191. 

  191. }
    192. 

  192. 

  193. sub mask_parameters($$) {
    194. 

  194.     my $self = shift;
    195. 

  195.     my $template = shift || return '';
    196. 

  196.     
    197. 

  197.     if (ref($template) eq 'HASH') {
    198. 

  198.       while(my($k,$v) = each %$template) {
    199. 

  199.         $template->{$k} = $self->mask_parameters($v);
    200. 

  200.       }
    201. 

  201.       return $template;
    202. 

  202.     }
    203. 

  203.     
    204. 

  204.     my $encodings = join('|', @{$self->{encoder}->get_encodings()}, 'PARAMETER');
    205. 

  205.     $template = reverse $template;
    206. 

  206.     $encodings = reverse $encodings; 
    207. 

  207.     
    208. 

  208.     $template =~ s/(\}\w+\{)(?!$encodings)/$1RETEMARAP/g;
    209. 

  209.     
    210. 

  210.     $template = reverse $template;
    211. 

  211.     return $template;
    212. 

  212. }
    213. 

  213. 

  214. sub sendRequest($$$) {
    215. 

  215.     my $self = shift;
    216. 

  216.     my $svc = shift;
    217. 

  217.     my $params = shift;
    218. 

  218.     my @request_params = ();
    219. 

  219.     my $content = undef;
    220. 

  220.     my %response = ();
    221. 

  221.     my $new_svc = $self->{encoder}->apply_all_parameters($svc, $params);
    222. 

  222.         
    223. 

  223.     $self->{request_count}++;
    224. 

  224.     my $client = REST::Client->new(
    225. 

  225.         host    => $svc->{host},
    226. 

  226.         cert    => $svc->{cert},
    227. 

  227.         key     => $svc->{key},
    228. 

  228.         ca      => $svc->{ca},
    229. 

  229.         follow  => 1
    230. 

  230.         );
    231. 

  231.     $client->getUseragent()->ssl_opts('verify_hostname' => 0);
    232. 

  232.     if (defined($self->{http_proxy}) && $self->{http_proxy}) {
    233. 

  233.         $client->getUseragent()->proxy(['http', 'https'], $self->{http_proxy});
    234. 

  234.     }
    235. 

  235. 

  236.     if ($self->{mode} eq ONLINE) {
    237. 

  237.         $client->request($new_svc->{method},
    238. 

  238.                          $new_svc->{url},
    239. 

  239.                          $new_svc->{content},
    240. 

  240.                          $new_svc->{headers});
    241. 

  241.         
    242. 

  242.         # filter unwanted response codes
    243. 

  243.         if (defined $svc->{filter_response_codes}) {
    244. 

  244.             return if ($client->responseCode() =~ m/$svc->{filter_response_codes}/o);
    245. 

  245.         }
    246. 

  246.         
    247. 

  247.         $response{responseCode} = $client->responseCode();
    248. 

  248.         $response{responseContent} = $client->responseContent();
    249. 

  249.         $response{responseHeader} = $client->responseHeader();
    250. 

  250.     }
    251. 

  251.     $svc->{handler}->(
    252. 

  252.         params  => $params,
    253. 

  253.         method  => $new_svc->{method},
    254. 

  254.         host    => $new_svc->{host},
    255. 

  255.         url     => $new_svc->{url},
    256. 

  256.         content => $new_svc->{content},
    257. 

  257.         headers => $new_svc->{headers},
    258. 

  258.         %response);
    259. 

  259. }
    260. 

  260. 

  261. 

  262. sub sort_parameters($$) {
    263. 

  263.     my $self = shift;
    264. 

  264.     my $parameters = shift;
    265. 

  265. 

  266.     my @sorted_parameters = ();
    267. 

  267.     my %dependants = ();
    268. 

  268.     my %handled = ();
    269. 

  269.     
    270. 

  270.     my $param_count = 0;
    271. 

  271.     foreach my $param (@$parameters) {
    272. 

  272.         $dependants{$param} = $self->{requirements}->{$param};
    273. 

  273.         $param_count++;
    274. 

  274.     }
    275. 

  275.     # sort topologically
    276. 

  276.     while ($param_count > 0) {
    277. 

  277.         #trace(\%dependants);
    278. 

  278.         my $removed_key = 0;
    279. 

  279.         while (my ($param, $reqs) = each %dependants) {
    280. 

  280.             my $requirement_missing = 0;
    281. 

  281.             foreach my $requirement (@$reqs) {
    282. 

  282.                 if (length($requirement)>0 && ! exists $handled{$requirement}) {
    283. 

  283.                     $requirement_missing = 1;
    284. 

  284.                     last;
    285. 

  285.                 }
    286. 

  286.             }
    287. 

  287.             if (not $requirement_missing) {
    288. 

  288.                 push @sorted_parameters, $param;
    289. 

  289.                 $handled{$param} = 1;
    290. 

  290.                 delete $dependants{$param};
    291. 

  291.                 $removed_key = 1;
    292. 

  292.                 $param_count--;
    293. 

  293.                 last;
    294. 

  294.             }
    295. 

  295.         }
    296. 

  296.         #die "unresolvable requirements" if $removed_key == 0;
    297. 

  297.     }
    298. 

  298.     return \@sorted_parameters;
    299. 

  299. }
    300. 

  300. 

  301. sub new($) {
    302. 

  302.     my $class = shift;
    303. 

  303.     my $self = {
    304. 

  304.         services    => [],
    305. 

  305.         defaults    => {},
    306. 

  306.         engines     => {},
    307. 

  307.         responses   => {},
    308. 

  308.         http_proxy  => undef,
    309. 

  309.         encoder     => new HTTP::Fuzzer::Encoder()
    310. 

  310.     };
    311. 

  311.     bless($self, $class);
    312. 

  312.     return $self;
    313. 

  313. }
    314. 

  314. 

  315. sub setHttpProxy($$) {
    316. 

  316.     my $self = shift;
    317. 

  317.     $self->{http_proxy} = shift;
    318. 

  318. }
    319. 

  319. 

  320. sub addService($%) {
    321. 

  321.     my $self = shift;
    322. 

  322.     my %args = @_;
    323. 

  323.     
    324. 

  324.     my $svc =  {
    325. 

  325.         method  =>  $args{method} || 'GET',
    326. 

  326.         host    =>  $args{host},
    327. 

  327.         url     =>  $self->mask_parameters($args{url}),
    328. 

  328.         content =>  $self->mask_parameters($args{content}),
    329. 

  329.         headers =>  $self->mask_parameters($args{headers}) || {},
    330. 

  330.         url_escape => \&url_escape,
    331. 

  331.         content_escape => \&escape_xml,
    332. 

  332.         handler => ($args{handler} or die "required argument missing: 'handler'"),
    333. 

  333.         filter_response_codes => $args{filter_response_codes},
    334. 

  334.         requirements => {}};
    335. 

  335.     push @{$self->{services}}, $svc;
    336. 

  336. }
    337. 

  337. 

  338. sub addRequirement($$$) {
    339. 

  339.   my $self = shift;
    340. 

  340.   my $parameter = shift;
    341. 

  341.   my $requirement = shift;
    342. 

  342.   
    343. 

  343.   $self->{requirements}->{$parameter} = [] unless defined($self->{requirements}->{$parameter});
    344. 

  344.   push @{$self->{requirements}->{$parameter}}, $requirement;
    345. 

  345. }
    346. 

  346. 

  347. sub addFuzzingValue($$$) {
    348. 

  348.     my $self = shift;
    349. 

  349.     my $parameter = shift;
    350. 

  350.     my $value = shift;
    351. 

  351.     $self->{values}->{$parameter} ||= [];
    352. 

  352.     push @{$self->{values}->{$parameter}}, $value;
    353. 

  353. }
    354. 

  354. 

  355. sub run($;$) {
    356. 

  356.     my $self = shift;
    357. 

  357.     my $mode = shift || ONLINE;
    358. 

  358.     
    359. 

  359.     die "invalid mode: '$mode'"
    360. 

  360.         unless ($mode eq ONLINE || $mode eq OFFLINE);
    361. 

  361.     
    362. 

  362.     $self->{mode} = $mode;
    363. 

  363. 

  364.     foreach my $svc (@{$self->{services}}) {
    365. 

  365.         my @params = $self->extract_params($svc->{url});
    366. 

  366.         if (defined($svc->{content})) {
    367. 

  367.           push @params, $self->extract_params($svc->{content});
    368. 

  368.         }
    369. 

  369.         while (my ($k, $v) = each %{$svc->{headers}}) {
    370. 

  370.           push @params, $self->extract_params($v);
    371. 

  371.         }
    372. 

  372.         my $sorted_parameters = $self->sort_parameters(\@params);
    373. 

  373.         $self->combine_values($svc, {}, $sorted_parameters);
    374. 

  374.     }
    375. 

  375. }
    376. 

  376. 1;
    377.