From c40762f0eb9151a6355ba5dc7050394bf5d3881f Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 4 Mar 2019 17:27:57 +0100 Subject: [PATCH] Adds a testcase for HTTP multiple content-length --- tests/http-multiple-cl/README.md | 7 +++++++ tests/http-multiple-cl/client.py | 20 ++++++++++++++++++++ tests/http-multiple-cl/input.pcap | Bin 0 -> 2005 bytes tests/http-multiple-cl/test.rules | 1 + tests/http-multiple-cl/test.yaml | 14 ++++++++++++++ 5 files changed, 42 insertions(+) create mode 100644 tests/http-multiple-cl/README.md create mode 100644 tests/http-multiple-cl/client.py create mode 100644 tests/http-multiple-cl/input.pcap create mode 100644 tests/http-multiple-cl/test.rules create mode 100644 tests/http-multiple-cl/test.yaml diff --git a/tests/http-multiple-cl/README.md b/tests/http-multiple-cl/README.md new file mode 100644 index 000000000..d00531bad --- /dev/null +++ b/tests/http-multiple-cl/README.md @@ -0,0 +1,7 @@ +# Description + +Test HTTP parsing against multiple different content-length. + +# PCAP + +The pcap comes from running `python -m SimpleHTTPServer 8000` or `python3 -m http.server` as a server and the present dummy python script client.py diff --git a/tests/http-multiple-cl/client.py b/tests/http-multiple-cl/client.py new file mode 100644 index 000000000..5f2c3728a --- /dev/null +++ b/tests/http-multiple-cl/client.py @@ -0,0 +1,20 @@ +import socket + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock.connect(("127.0.0.1", 8000)) + +dummyContent = "bar=1&foo=2" +badContent = "badbar=5&badfoo=6" +badReq = "POST /bad.php HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Length:{:d}\r\n\r\n{}".format( + len(badContent), badContent) +evilContent = "evilbar=3&evilfoo=4" +evilReq = "POST /evil.php HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Length:{:d}\r\n\r\n{}".format( + len(evilContent)+len(badReq), evilContent) + +# This attempts request smuggling with different content-length values +a = sock.send("POST /which.php HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Length:{:d}\r\nContent-Length:{:d}\r\n\r\n{}{}{}".format( + len(dummyContent), len(dummyContent)+len(evilReq), dummyContent, evilReq, badReq)) +data = sock.recv(10000) +print("Received {}".format(data)) + +sock.close() diff --git a/tests/http-multiple-cl/input.pcap b/tests/http-multiple-cl/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ef9a914102012a8958526f3209a65270c3fb7e0d GIT binary patch literal 2005 zc-obeO-vI(6vwv(jcn3{;)Qr&Y$6|t-P!F2ZP#sWY^#t^Xk>{oF_@)0uuaPDx;v$C zQRCH<9KCt;Mm%{EKS;`fgqR3;2M_2#P>`QO#f=z!n;cl<=oXws_-w}cb(FiyA}Px#z=dWD^Xf#aOQ#H0*hRVx)W&eTjW zBFhCRaDtB=F>EXXAr#|y@*xu$L&r$R!7-%IVNDcHPbI=W*2m5$R#NDnHH>7)rK5#X zxlMQ?PDwP8(!%|8M2QiXIHRcTRvU9mQzOl7RK)sE#Y(vHou+A&@0V)jV> zUW4=ZTuv|H{5s;SQBM6pJc#lFn9}WvX&M$rDws!DGgL4*Km`~W^0AZ1T0oWvCQI{X z898}8Hw+3(h__i%(dej>3Vh|BR?$Uh+pz!pfGi3Y%~J`K?om&GZ1Fw zth*55cmcxPcz^}W_`J6sHEq_e-bp0E$5MKD|2M+9A9!LlNwBb7R|DvE3VO~VJESI zD>gSiAwM3?7shh=+_;>}f*^3c4O9c!KsPX`ZwIhevVmbD%YiiZlAwE53A$~d##wF4 zfLCk8fS=AX;8yLTx5L$%V?h70+u?}wyS;kWTh;S&y-kk)Y|i`j3!iJ9u(nU!dJg9w DTR$)T literal 0 Hc-jL100001 diff --git a/tests/http-multiple-cl/test.rules b/tests/http-multiple-cl/test.rules new file mode 100644 index 000000000..1b6d1cd5f --- /dev/null +++ b/tests/http-multiple-cl/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"SURICATA HTTP duplicate content length field in request"; flow:established,to_server; app-layer-event:http.duplicate_content_length_field_in_request; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221034; rev:1;) diff --git a/tests/http-multiple-cl/test.yaml b/tests/http-multiple-cl/test.yaml new file mode 100644 index 000000000..91637f566 --- /dev/null +++ b/tests/http-multiple-cl/test.yaml @@ -0,0 +1,14 @@ +requires: + features: + - HAVE_LIBJANSSON + +# disables checksum verification +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2221034 -- 2.47.2