Show HN: The HTTP Garden – A Parser Vulnerability Research Tool

github.com

75 points by bkallus 2 years ago · 3 comments · 1 min read

I wrote this tool during an internship at Narf Industries in 2023. It's a REPL that allows for quickly developing, testing, and fuzzing for HTTP request smuggling attack payloads.

I started the internship having never worked with web servers, and have now found over 100 HTTP implementation bugs. I attribute this mostly to the ease of experimentation in the Garden. REPL-oriented fuzzing is just a really good interface for finding parsing bugs. It's pretty neat to be able to run a differential fuzzer, categorize and display all the discovered discrepancies, then let a human pick through them and interact with fuzz targets to test whether the bugs are exploitable.

Some notable server combinations in which we discovered new request smuggling attacks include Google Cloud <-> Node.js, Akamai <-> Node.js, [almost anything] <-> LiteSpeed, and OpenBSD relayd <-> [anything].

We also found an infinite loop DoS in Cesanta Mongoose that affects all configurations, and a null pointer dereference that can crash any OpenBSD httpd server that uses FastCGI.

Retr0id 2 years ago

> AIOHTTP: The Python int constructor is used to parse Content-Lengths and chunk-sizes, so _, +, and - are misinterpreted.

Fun. I believe the fix is incomplete here[1]. Python's int() constructor (and related methods) accepts integers comprised of any Unicode numeral, for example, int("٦٦٦") == 666, and "٦٦٦".isdecimal() == True.

NB: I haven't tested this more thoroughly and I'm not sure I'm actually looking at the right diff for the fix.

[1] https://github.com/aio-libs/aiohttp/pull/7663/files#diff-197...
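The discrepancy Retr0id describes, as an added example (not code from aiohttp or the HTTP Garden): a lenient `int()`-based parse beside an ABNF-strict one. RFC 9112 defines Content-Length as `1*DIGIT` and chunk-size as `1*HEXDIG`, both ASCII-only with no sign, whitespace or separators; the sample inputs are constructed.

```python
import re
from typing import Optional

# RFC 9112 grammar: Content-Length = 1*DIGIT, chunk-size = 1*HEXDIG (ASCII only).
_CONTENT_LENGTH_RE = re.compile(r"[0-9]+")
_CHUNK_SIZE_RE = re.compile(r"[0-9A-Fa-f]+")


def lenient_content_length(value: str) -> int:
    """The parse the comment criticises: int() accepts signs, whitespace,
    underscores and any Unicode decimal digit, not just ASCII 0-9."""
    return int(value)


def strict_content_length(value: str) -> Optional[int]:
    """Accept only an exact 1*DIGIT token; return None for anything else."""
    if _CONTENT_LENGTH_RE.fullmatch(value) is None:
        return None
    return int(value)


def strict_chunk_size(value: str) -> Optional[int]:
    """Accept only an exact 1*HEXDIG token (caller has already removed any
    ';ext' chunk extension); return None otherwise."""
    if _CHUNK_SIZE_RE.fullmatch(value) is None:
        return None
    return int(value, 16)


def unicode_digit_class_matches(value: str) -> bool:
    """Caveat: in a str pattern, \\d also matches non-ASCII decimal digits,
    so r'\\d+' is not a fix either. re.ASCII (or [0-9]) is required."""
    return re.fullmatch(r"\d+", value) is not None


def ascii_digit_class_matches(value: str) -> bool:
    return re.fullmatch(r"\d+", value, re.ASCII) is not None


# Constructed sample field values that int() accepts but the grammar rejects.
SUSPECT_VALUES = ["٦٦٦", "1_0", "+5", " 7 ", "-0"]

if __name__ == "__main__":
    for v in SUSPECT_VALUES:
        print(repr(v), "lenient:", lenient_content_length(v),
              "strict:", strict_content_length(v))
```

Front-end and back-end servers that disagree on which of these values is valid are exactly the kind of pair a differential fuzzer flags.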

tialaramex 2 years ago

There are a lot of recurring bugs here (listed as "trophies"; look for the ones that are either identical in form or very similar), which ought to (but probably won't) inform test suites for any new tools.

  • bkallusOP 2 years ago

    Yeah, I should really rewrite the README to bucket bugs by behavior instead of server; there's a decent amount of redundancy in the set of discovered bugs.
