stv0g/libwebsockets
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
libwebsockets/test-server/attack.sh

218 lines
10 KiB
Bash
Raw Permalink Normal View History

Use bash as a script interpreter The test-server/attack.sh script makes use of several features only available in the Bash shell, so mark it accordingly.
2015-10-01 12:17:07 +03:00
#!/bin/bash
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
#
# attack the test server and try to make it fall over
#
SERVER=127.0.0.1
PORT=7681
LOG=/tmp/lwslog
CPID=
LEN=0
function check {
kill -0 $CPID
if [ $? -ne 0 ] ; then
echo "(killed it) *******"
exit 1
fi
dd if=$LOG bs=1 skip=$LEN 2>/dev/null
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
if [ "$1" = "default" ] ; then
diff /tmp/lwscap /usr/share/libwebsockets-test-server/test.html > /dev/null
if [ $? -ne 0 ] ; then
echo "FAIL: got something other than test.html back"
exit 1
fi
fi
if [ "$1" = "forbidden" ] ; then
if [ -z "`grep '<h1>403 Forbidden</h1>' /tmp/lwscap`" ] ; then
echo "FAIL: should have told forbidden (test server has no dirs)"
exit 1
fi
fi
if [ "$1" == "args" ] ; then
a="`dd if=$LOG bs=1 skip=$LEN 2>/dev/null |grep Uri.Args\: | tr -s ' ' | cut -d' ' -f4-`"
if [ "$a" != "$2" ] ; then
echo "Args '$a' not $2"
exit 1
fi
fi
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
LEN=`stat $LOG -c %s`
}
rm -rf $LOG
killall libwebsockets-test-server 2>/dev/null
libwebsockets-test-server -d31 2>> $LOG &
CPID=$!
while [ -z "`grep Listening $LOG`" ] ; do
sleep 0.5s
done
check
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
echo
echo "---- ? processing (%2f%2e%2e%2f%2e./test.html?arg=1)"
rm -f /tmp/lwscap
echo -e "GET %2f%2e%2e%2f%2e./test.html?arg=1 HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check args "arg=1"
echo
echo "---- ? processing (%2f%2e%2e%2f%2e./test.html?arg=/../.)"
rm -f /tmp/lwscap
echo -e "GET %2f%2e%2e%2f%2e./test.html?arg=/../. HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check args "arg=/../."
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
echo
echo "---- spam enough crap to not be GET"
echo "not GET" | nc $SERVER $PORT
check
echo
echo "---- spam more than the name buffer of crap"
dd if=/dev/urandom bs=1 count=80 2>/dev/null | nc -i1s $SERVER $PORT
check
echo
echo "---- spam 10MB of crap"
dd if=/dev/urandom bs=1 count=655360 | nc -i1s $SERVER $PORT
check
echo
echo "---- malformed URI"
echo "GET nonsense................................................................................................................" \
| nc -i1s $SERVER $PORT
check
echo
echo "---- missing URI"
echo -e "GET HTTP/1.1\x0d\x0a\x0d\x0a" | nc -i1s $SERVER $PORT >/tmp/lwscap
check
echo
echo "---- repeated method"
echo -e "GET blah HTTP/1.1\x0d\x0aGET blah HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT >/tmp/lwscap
check
echo
echo "---- crazy header name part"
echo -e "GET blah HTTP/1.1\x0d\x0a................................................................................................................" \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
| nc -i1s $SERVER $PORT
check
echo
echo "---- excessive uri content"
echo -e "GET ................................................................................................................" \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
| nc -i1s $SERVER $PORT
check
echo
echo "---- good request but http payload coming too (should be ignored and test.html served)"
real http status codes update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 07:30:33 +08:00
echo -e "GET /test.html HTTP/1.1\x0d\x0a\x0d\x0aILLEGAL-PAYLOAD........................................" \
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
| nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
echo "---- directory attack 1 (/../../../../etc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap
echo -e "GET /../../../../etc/passwd HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check forbidden
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
echo "---- directory attack 2 (/../ should be /)"
rm -f /tmp/lwscap
echo -e "GET /../ HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
echo
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo "---- directory attack 3 (/./ should be /)"
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
rm -f /tmp/lwscap
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo -e "GET /./ HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
back up directory paths properly Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 06:53:21 +08:00
echo "---- directory attack 4 (/blah/.. should be /)"
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
rm -f /tmp/lwscap
echo -e "GET /blah/.. HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
back up directory paths properly Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 06:53:21 +08:00
echo "---- directory attack 5 (/blah/../ should be /)"
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
rm -f /tmp/lwscap
echo -e "GET /blah/../ HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
back up directory paths properly Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 06:53:21 +08:00
echo "---- directory attack 6 (/blah/../. should be /)"
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
rm -f /tmp/lwscap
echo -e "GET /blah/../. HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check default
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
echo "---- directory attack 7 (/%2e%2e%2f../../../etc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap
echo -e "GET /%2e%2e%2f../../../etc/passwd HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check forbidden
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
echo
echo "---- directory attack 7 (%2f%2e%2e%2f%2e./.%2e/.%2e%2fetc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap
echo -e "GET %2f%2e%2e%2f%2e./.%2e/.%2e%2fetc/passwd HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
check forbidden
uri santitation fixes deal with single dot update attack.sh Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-11 06:14:52 +08:00
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
echo
introduce uri args If the URI coming from the client contains '?' then - the URI part is terminated with a '\0' - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS - the remainder of the URI is not subject to path sanitization measures (it still has %xx processing done on it) In the test server, http requests now also dump header information to stderr. The attack.sh script is simplified and can now parse the test server header dumps. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00
echo "--- survived OK ---"
introduce attack script Seems like it would be a good idea to try to mess with the server at least before someone else does it for us Just run the script $ test-server/attack.sh it will spawn a test server and fire things at it. If you see the end result ---- survived then you should be OK. Signed-off-by: Andy Green <andy.green@linaro.org>
2013-02-12 12:56:05 +08:00
kill -2 $CPID
Reference in a new issue Copy permalink