stv0g/libwebsockets
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
libwebsockets/test-server/attack.sh
Andy Green 1e3f7b8de9 introduce uri args 
If the URI coming from the client contains '?' then

 - the URI part is terminated with a '\0'

 - the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS

 - the remainder of the URI is not subject to path sanitization measures (it
    still has %xx processing done on it)

In the test server, http requests now also dump header information to stderr.

The attack.sh script is simplified and can now parse the test server header dumps.

Signed-off-by: Andy Green <andy.green@linaro.org>
2013-11-13 07:45:17 +08:00

217 lines
10 KiB
Bash
Executable file
Raw Permalink Blame History

#!/bin/sh
#
# attack the test server and try to make it fall over
#
SERVER=127.0.0.1
PORT=7681
LOG=/tmp/lwslog
CPID=
LEN=0
function check {
kill -0 $CPID
if [ $? -ne 0 ] ; then
echo "(killed it) *******"
exit 1
fi
dd if=$LOG bs=1 skip=$LEN 2>/dev/null
if [ "$1" = "default" ] ; then
diff /tmp/lwscap /usr/share/libwebsockets-test-server/test.html > /dev/null
if [ $? -ne 0 ] ; then
echo "FAIL: got something other than test.html back"
exit 1
fi
fi
if [ "$1" = "forbidden" ] ; then
if [ -z "`grep '<h1>403 Forbidden</h1>' /tmp/lwscap`" ] ; then
echo "FAIL: should have told forbidden (test server has no dirs)"
exit 1
fi
fi
if [ "$1" == "args" ] ; then
a="`dd if=$LOG bs=1 skip=$LEN 2>/dev/null |grep Uri.Args\: | tr -s ' ' | cut -d' ' -f4-`"
if [ "$a" != "$2" ] ; then
echo "Args '$a' not $2"
exit 1
fi
fi
LEN=`stat $LOG -c %s`
}
rm -rf $LOG
killall libwebsockets-test-server 2>/dev/null
libwebsockets-test-server -d31 2>> $LOG &
CPID=$!
while [ -z "`grep Listening $LOG`" ] ; do
sleep 0.5s
done
check
echo
echo "---- ? processing (%2f%2e%2e%2f%2e./test.html?arg=1)"
rm -f /tmp/lwscap
echo -e "GET %2f%2e%2e%2f%2e./test.html?arg=1 HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check args "arg=1"
echo
echo "---- ? processing (%2f%2e%2e%2f%2e./test.html?arg=/../.)"
rm -f /tmp/lwscap
echo -e "GET %2f%2e%2e%2f%2e./test.html?arg=/../. HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check args "arg=/../."
echo
echo "---- spam enough crap to not be GET"
echo "not GET" | nc $SERVER $PORT
check
echo
echo "---- spam more than the name buffer of crap"
dd if=/dev/urandom bs=1 count=80 2>/dev/null | nc -i1s $SERVER $PORT
check
echo
echo "---- spam 10MB of crap"
dd if=/dev/urandom bs=1 count=655360 | nc -i1s $SERVER $PORT
check
echo
echo "---- malformed URI"
echo "GET nonsense................................................................................................................" \
| nc -i1s $SERVER $PORT
check
echo
echo "---- missing URI"
echo -e "GET HTTP/1.1\x0d\x0a\x0d\x0a" | nc -i1s $SERVER $PORT >/tmp/lwscap
check
echo
echo "---- repeated method"
echo -e "GET blah HTTP/1.1\x0d\x0aGET blah HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT >/tmp/lwscap
check
echo
echo "---- crazy header name part"
echo -e "GET blah HTTP/1.1\x0d\x0a................................................................................................................" \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
| nc -i1s $SERVER $PORT
check
echo
echo "---- excessive uri content"
echo -e "GET ................................................................................................................" \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
| nc -i1s $SERVER $PORT
check
echo
echo "---- good request but http payload coming too (should be ignored and test.html served)"
echo -e "GET /test.html HTTP/1.1\x0d\x0a\x0d\x0aILLEGAL-PAYLOAD........................................" \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
"......................................................................................................................." \
| nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check default
echo
echo "---- directory attack 1 (/../../../../etc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap
echo -e "GET /../../../../etc/passwd HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check forbidden
echo
echo "---- directory attack 2 (/../ should be /)"
rm -f /tmp/lwscap
echo -e "GET /../ HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check default
echo
echo "---- directory attack 3 (/./ should be /)"
rm -f /tmp/lwscap
echo -e "GET /./ HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check default
echo
echo "---- directory attack 4 (/blah/.. should be /)"
rm -f /tmp/lwscap
echo -e "GET /blah/.. HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check default
echo
echo "---- directory attack 5 (/blah/../ should be /)"
rm -f /tmp/lwscap
echo -e "GET /blah/../ HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check default
echo
echo "---- directory attack 6 (/blah/../. should be /)"
rm -f /tmp/lwscap
echo -e "GET /blah/../. HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check default
echo
echo "---- directory attack 7 (/%2e%2e%2f../../../etc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap
echo -e "GET /%2e%2e%2f../../../etc/passwd HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check forbidden
echo
echo "---- directory attack 7 (%2f%2e%2e%2f%2e./.%2e/.%2e%2fetc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap
echo -e "GET %2f%2e%2e%2f%2e./.%2e/.%2e%2fetc/passwd HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check forbidden
echo
echo "--- survived OK ---"
kill -2 $CPID
Reference in a new issue View git blame Copy permalink