App-DubiousHTTP
view release on metacpan or search on metacpan
bin/dubious_http.pl view on Meta::CPAN
#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Long qw(:config posix_default bundling);
use App::DubiousHTTP::Tests;
use App::DubiousHTTP::Tests::Common;
use App::DubiousHTTP::TestServer;
use Data::Dumper;
sub usage {
print STDERR "ERROR: @_\n" if @_;
print STDERR <<USAGE;
Test various behaviors of browsers, IDS... by working as a
web server or alternativly creating pcaps with dubios HTTP.
See --mode doc for details about the tests.
Help: $0 -h|--help
Test descriptions: $0 -M|--mode doc
Export Pcaps: $0 -M|--mode pcap [options]
Use as HTTP server: $0 -M|--mode server [options] ip:port
Options for server mode:
--cert cert.pem SSL certificate if SSL should be used. It will listen for
SSL and plain requests on the same address.
--key key.pem Key for SSL certificate
--no-garble-url Use clear names for URL's instead of the default garbled
names which were introduced to defer simple URL filters.
Logging will be done always with the clear names.
--no-track-header Disable logging of header information for requests, which
are used to analyze the origin and path of the request in
more detail.
--fast-feedback Don't collect all results and send them at once at the end
but send parts of the output earlier so that the recipient
needs to collect them. This saves memory in the client too.
--wwwroot D basedir for own payloads, default ./static
See below for how to setup your own payload
Options for pcap mode:
--file F write all TCP streams to single pcap file F
--prefix P one stream per pcap file, files prefixed with P
--manifest M write mapping between source port and URL to M
--filter-any filter based on existing reports from server mode.
All remaining args are considered reports and a stream will
be included if at least one report shows a match.
This is the default if arguments are given.
--filter-all Like --filter-any, but include stream only if all reports
show a match.
Setting up your own payload:
The default payload for evasion tests is the EICAR test virus which gets served
as ZIP file eicar.zip and if this gets not detected as plain TXT file eicar.txt.
To verify that the firewall does not block innocent files novirus.txt is used.
All of these payloads are builtin.
It is possible to setup own payload as following:
1. Reserve a directory for the payload files.
The default is ./static but an alternative can be specified with --wwwroot
2. Add your own payloads to this directory as files which contain HTTP header
(without status line) and body. If the header line "X-Virus: ..." is given
the file is considered a malicious payload (like EICAR) and otherwise the
payload is considered innocent. Example:
bin/dubious_http.pl view on Meta::CPAN
$conn->write(1, $_ );
}
print $manifest join(" | ",@manifest),"\n" if $manifest;
undef $pc if !$pcap;
}
}
die Dumper($include) if $include && %$include;
}
############################ work as server
sub serve {
my ($addr,$sslargs) = @_;
my %iscat = map { $_->ID => 1 } App::DubiousHTTP::Tests->categories;
App::DubiousHTTP::TestServer->run($addr, $sslargs, sub {
my ($path,$listen,$rqhdr,$payload,$ssl) = @_;
if ($path =~m{\A/submit_(details|results|part)/([^/]+)(?:/(\d+))?}
&& defined $payload) {
my ($what,$id,$part) = ($1,$2,$3);
$rqhdr .= $payload;
$rqhdr =~s{( /[=-][A-Za-z0-9_\-]+={0,2} )}{ ungarble_url($1) }eg;
$rqhdr =~s{^}{ }mg;
my $body = '';
print STDERR $rqhdr;
if ($what ne 'part') {
$body = "<!doctype html>"
."<h1>Thanks for providing us with the feedback.</h1>";
}
return "HTTP/1.1 200 ok\r\nContent-type: text/html\r\n".
"X-ID: $path\r\n".
"Content-length: ".length($body)."\r\n\r\n".
$body;
}
local $BASE_URL = "http://$listen";
my $tmp = $path;
my ($auto,$src,$manifest,$testnum,$cat,$page,$spec);
my $qstring = $tmp =~s{\?(.*)}{} ? $1 : '';
if ($tmp =~s{^ /+ (?:
(?:auto(js|img|html|xhr|)) |
((?:raw)?src) |
(manifest) |
(\d+)
)}{}x) {
($auto,$src,$manifest,$testnum) = ($1,$2,$3,$4);
}
if (defined $testnum) {
($cat,$spec) = split('/',App::DubiousHTTP::Tests::Common->num2path($testnum));
$page = $tmp =~s{^/+([^/]+)}{} ? $1:'';
} else {
$cat = $tmp =~s{^/+([^/]+)}{} ? $1:'';
$page = $tmp =~s{^/+([^/]+)}{} ? $1:'';
$tmp =~s{^/+}{};
$spec = $tmp;
}
0 and do {
use Data::Dumper;
warn Dumper({
auto => $auto,
src => $src,
manifest => $manifest,
testnum => $testnum,
cat => $cat,
page => $page,
spec => $spec,
});
};
if ($manifest) {
return App::DubiousHTTP::Tests->manifest(
$cat,$page,$spec,$qstring,$rqhdr);
}
if (defined $auto && ($iscat{$cat} || $cat eq 'all')) {
return App::DubiousHTTP::Tests->auto(
$auto || 'xhr',$cat,$page,$spec,$qstring,$rqhdr)
}
if ( $page eq 'ALL' && $cat ) {
for ( App::DubiousHTTP::Tests->categories ) {
return $_->make_index_page(undef,$spec,$rqhdr)
if $_->ID eq $cat;
}
}
if ( $page && $cat ) {
for ( App::DubiousHTTP::Tests->categories ) {
$_->ID eq $cat or next;
my @content;
for ( $_->TESTS ) {
$_->ID eq $spec or next;
@content = $_->make_response($page,undef,$rqhdr);
last;
}
@content = $_->make_response($page,$spec,$rqhdr) if ! @content;
if (!$src) {
return @content;
} elsif ($src eq 'rawsrc') {
my $content = join('',@content);
return "HTTP/1.0 200 ok\r\n".
"Content-type: application/octet-stream\r\n".
"Content-Disposition: attachment; filename=\"$cat+$page+$spec\"\r\n".
"Content-length: ".length($content)."\r\n\r\n".$content;
} else {
for (@content) {
s{([\x00-\x1f\\<>\x7f-\xff])}{
$1 eq "\\" ? "\\\\" :
$1 eq "\r" ? "\\r" :
$1 eq "\t" ? "\\t" :
$1 eq "\n" ? "\\n\n" :
$1 eq "<" ? "<" :
$1 eq ">" ? ">" :
sprintf("\\x%02x",ord($1))
}esg;
}
( run in 1.568 second using v1.01-cache-2.11-cpan-39bf76dae61 )