stv0g/libwebsockets
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
libwebsockets/test-server/attack.sh

274 lines
12 KiB
Bash
Raw Permalink Normal View History

Use bash as a script interpreter The test-server/attack.sh script makes use of several features only available in the Bash shell, so mark it accordingly.
2015-10-01 12:17:07 +03:00
#!/bin/bash
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
#
# attack the test server and try to make it fall over
#
SERVER=127.0.0.1
PORT=7681
LOG=/tmp/lwslog
attack.sh update for test server changes Currently he can survive all the tests correctly Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-04 12:04:59 +08:00
A=`which libwebsockets-test-server`
INSTALLED=`dirname $A`
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
CPID=
LEN=0
function check {
kill -0 $CPID
if [ $? -ne 0 ] ; then
echo "(killed it) *******"
exit 1
fi
dd if=$LOG bs=1 skip=$LEN 2>/dev/null
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
if [ "$1" = "default" ] ; then
attack.sh update for test server changes Currently he can survive all the tests correctly Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-04 12:04:59 +08:00
diff /tmp/lwscap $INSTALLED/../share/libwebsockets-test-server/test.html > /dev/null
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
if [ $? -ne 0 ] ; then
echo "FAIL: got something other than test.html back"
exit 1
fi
fi
if [ "$1" = "forbidden" ] ; then
attack.sh update for test server changes Currently he can survive all the tests correctly Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-04 12:04:59 +08:00
if [ -z "`grep '<h1>403</h1>' /tmp/lwscap`" ] ; then
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
echo "FAIL: should have told forbidden (test server has no dirs)"
exit 1
fi
fi
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
if [ "$1" == "1" ] ; then
a="`dd if=$LOG bs=1 skip=$LEN 2>/dev/null |grep URI\ Arg\ 1\: | tr -s ' ' | cut -d' ' -f5-`"
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
if [ "$a" != "$2" ] ; then
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
echo "Arg 1 '$a' not $2"
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
exit 1
fi
fi
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
if [ "$1" == "2" ] ; then
a="`dd if=$LOG bs=1 skip=$LEN 2>/dev/null |grep URI\ Arg\ 2\: | tr -s ' ' | cut -d' ' -f5-`"
if [ "$a" != "$2" ] ; then
echo "Arg 2 '$a' not $2"
exit 1
fi
fi
if [ "$1" == "3" ] ; then
a="`dd if=$LOG bs=1 skip=$LEN 2>/dev/null |grep URI\ Arg\ 3\: | tr -s ' ' | cut -d' ' -f5-`"
if [ "$a" != "$2" ] ; then
echo "Arg 3 '$a' not $2"
exit 1
fi
fi
if [ -z "$1" ] ; then
LEN=`stat $LOG -c %s`
fi
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
}
rm -rf $LOG
killall libwebsockets-test-server 2>/dev/null
libwebsockets-test-server -d31 2>> $LOG &
CPID=$!
while [ -z "`grep Listening $LOG`" ] ; do
sleep 0.5s
done
check
uriencoding deal with0uriencoded question mark properly Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-14 19:42:26 +08:00
echo
echo "---- /cgi-bin/settingsjs?UPDATE_SETTINGS=1&Root_Channels_1_Channel_name_http_post=%3F&Root_Channels_1_Channel_location_http_post=%3F"
rm -f /tmp/lwscap
echo -e "GET /cgi-bin/settingsjs?UPDATE_SETTINGS=1&Root_Channels_1_Channel_name_http_post=%3F&Root_Channels_1_Channel_location_http_post=%3F HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check 1 "UPDATE_SETTINGS=1"
check 2 "Root_Channels_1_Channel_name_http_post=?"
check 3 "Root_Channels_1_Channel_location_http_post=?"
check
uriencoding deal with0uriencoded question mark properly Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-14 19:42:26 +08:00
uridecoding support optional semicolon as delimiter Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-18 15:20:09 +08:00
echo
echo "---- ? processing (/cgi-bin/settings.js?key1=value1)"
rm -f /tmp/lwscap
echo -e "GET /cgi-bin/settings.js?key1=value1 HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check 1 "key1=value1"
check
uridecoding disallow uriencoded equals in name part Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-18 15:40:03 +08:00
echo
echo "---- ? processing (/test?key1%3d2=value1)"
rm -f /tmp/lwscap
echo -e "GET /test?key1%3d2=value1 HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check 1 "key1_2=value1"
check
uridecoding support optional semicolon as delimiter Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-18 15:20:09 +08:00
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
echo
echo "---- ? processing (%2f%2e%2e%2f%2e./test.html?arg=1)"
rm -f /tmp/lwscap
echo -e "GET %2f%2e%2e%2f%2e./test.html?arg=1 HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check 1 "arg=1"
check
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
echo
echo "---- ? processing (%2f%2e%2e%2f%2e./test.html?arg=/../.)"
rm -f /tmp/lwscap
echo -e "GET %2f%2e%2e%2f%2e./test.html?arg=/../. HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check 1 "arg=/../."
check
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
echo
echo "---- spam enough crap to not be GET"
echo "not GET" | nc $SERVER $PORT
check
echo
echo "---- spam more than the name buffer of crap"
dd if=/dev/urandom bs=1 count=80 2>/dev/null | nc -i1s $SERVER $PORT
check
echo
echo "---- spam 10MB of crap"
dd if=/dev/urandom bs=1 count=655360 | nc -i1s $SERVER $PORT
check
echo
echo "---- malformed URI"
echo "GET nonsense................................................................................................................" \
| nc -i1s $SERVER $PORT
check
echo
echo "---- missing URI"
echo -e "GET HTTP/1.1\x0d\x0a\x0d\x0a" | nc -i1s $SERVER $PORT >/tmp/lwscap
check
echo
echo "---- repeated method"
echo -e "GET blah HTTP/1.1\x0d\x0aGET blah HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT >/tmp/lwscap
check
echo
echo "---- crazy header name part"
echo -e "GET blah HTTP/1.1\x0d\x0a................................................................................................................" \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
| nc -i1s $SERVER $PORT
check
echo
echo "---- excessive uri content"
echo -e "GET ................................................................................................................" \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
| nc -i1s $SERVER $PORT
check
echo
echo "---- good request but http payload coming too (should be ignored and test.html served)"
real http status codes update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 07:30:33 +08:00
echo -e "GET /test.html HTTP/1.1\x0d\x0a\x0d\x0aILLEGAL-PAYLOAD........................................" \
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
| nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
echo "---- directory attack 1 (/../../../../etc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap
echo -e "GET /../../../../etc/passwd HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check forbidden
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
echo "---- directory attack 2 (/../ should be /)"
rm -f /tmp/lwscap
echo -e "GET /../ HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
echo
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo "---- directory attack 3 (/./ should be /)"
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
rm -f /tmp/lwscap
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo -e "GET /./ HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
back up directory paths properly Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 06:53:21 +08:00
echo "---- directory attack 4 (/blah/.. should be /)"
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
rm -f /tmp/lwscap
echo -e "GET /blah/.. HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
back up directory paths properly Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 06:53:21 +08:00
echo "---- directory attack 5 (/blah/../ should be /)"
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
rm -f /tmp/lwscap
echo -e "GET /blah/../ HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
back up directory paths properly Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 06:53:21 +08:00
echo "---- directory attack 6 (/blah/../. should be /)"
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
rm -f /tmp/lwscap
echo -e "GET /blah/../. HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
echo "---- directory attack 7 (/%2e%2e%2f../../../etc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap
echo -e "GET /%2e%2e%2f../../../etc/passwd HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check forbidden
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
echo "---- directory attack 7 (%2f%2e%2e%2f%2e./.%2e/.%2e%2fetc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap
echo -e "GET %2f%2e%2e%2f%2e./.%2e/.%2e%2fetc/passwd HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check forbidden
http uri arguments process in fragments This makes the URI argument processing split each parameter into a "fragment". Processing header content as fragments already exists in lws, because it's legal to deliver header content by repeating the header. Now there's an api to access individual fragments, also add the code to the test server to print each URI argument separately. Adapt attack.sh to parse the fragments. Signed-off-by: Andy Green <andy.green@linaro.org>
2015-12-15 22:57:19 +08:00
check
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
echo
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
echo "--- survived OK ---"
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
kill -2 $CPID
attack.sh exit 0 on success Signed-off-by: Andy Green <andy.green@linaro.org>
2016-01-31 11:53:49 +08:00
exit 0
Reference in a new issue Copy permalink