]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5e6060b)
Adds a testcase for HTTP multiple content-length 131/head
authorPhilippe Antoine <contact@catenacyber.fr>
Mon, 4 Mar 2019 16:27:57 +0000 (17:27 +0100)
committerVictor Julien <victor@inliniac.net>
Tue, 24 Sep 2019 10:44:52 +0000 (12:44 +0200)
tests/http-multiple-cl/README.md [new file with mode: 0644] patch | blob
tests/http-multiple-cl/client.py [new file with mode: 0644] patch | blob
tests/http-multiple-cl/input.pcap [new file with mode: 0644] patch | blob
tests/http-multiple-cl/test.rules [new file with mode: 0644] patch | blob
tests/http-multiple-cl/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/http-multiple-cl/README.md b/tests/http-multiple-cl/README.md
new file mode 100644 (file)
index 0000000..d00531b
--- /dev/null
+++ b/tests/http-multiple-cl/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test HTTP parsing against multiple different content-length.
+
+# PCAP
+
+The pcap comes from running `python -m SimpleHTTPServer 8000` or `python3 -m http.server` as a server and the present dummy python script client.py
diff --git a/tests/http-multiple-cl/client.py b/tests/http-multiple-cl/client.py
new file mode 100644 (file)
index 0000000..5f2c372
--- /dev/null
+++ b/tests/http-multiple-cl/client.py
@@ -0,0 +1,20 @@
+import socket
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect(("127.0.0.1", 8000))
+
+dummyContent = "bar=1&foo=2"
+badContent = "badbar=5&badfoo=6"
+badReq = "POST /bad.php HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Length:{:d}\r\n\r\n{}".format(
+    len(badContent), badContent)
+evilContent = "evilbar=3&evilfoo=4"
+evilReq = "POST /evil.php HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Length:{:d}\r\n\r\n{}".format(
+    len(evilContent)+len(badReq), evilContent)
+
+# This attempts request smuggling with different content-length values
+a = sock.send("POST /which.php HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Length:{:d}\r\nContent-Length:{:d}\r\n\r\n{}{}{}".format(
+    len(dummyContent), len(dummyContent)+len(evilReq), dummyContent, evilReq, badReq))
+data = sock.recv(10000)
+print("Received {}".format(data))
+
+sock.close()
diff --git a/tests/http-multiple-cl/input.pcap b/tests/http-multiple-cl/input.pcap
new file mode 100644 (file)
index 0000000..ef9a914
Binary files /dev/null and b/tests/http-multiple-cl/input.pcap differ
diff --git a/tests/http-multiple-cl/test.rules b/tests/http-multiple-cl/test.rules
new file mode 100644 (file)
index 0000000..1b6d1cd
--- /dev/null
+++ b/tests/http-multiple-cl/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"SURICATA HTTP duplicate content length field in request"; flow:established,to_server; app-layer-event:http.duplicate_content_length_field_in_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221034; rev:1;)
diff --git a/tests/http-multiple-cl/test.yaml b/tests/http-multiple-cl/test.yaml
new file mode 100644 (file)
index 0000000..91637f5
--- /dev/null
+++ b/tests/http-multiple-cl/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2221034
Mirror of https://github.com/OISF/suricata-verify.git