Offensive Thinking

Internet Thoughtcrime

New project: http2code

Posted: 2010-05-20

A new repository has been added to my github account: http2code.

It was inspired by w3af’s ability to export a raw request to a template source code file for different languages (as a matter of fact, I once wrote the Ruby export). The idea is simple: I have a raw HTTP GET or POST request, e.g. from my favourite HTTP (attack) proxy. Now quite often, I want to write a little script revolving around that request, for example for fuzzing. Previously, I always manually added the request’s content to some template code for the HTTP library du jour I hopefully still found lying around somewhere on my hard drive. Then, I started to adapt the code to my liking.

The whole “copy the raw request, insert it into source code template (if any) and reformat until it fits into what the HTTP library expects (like parsing the raw body of a POST into an associative array, for example)” is a rather dull and repetitive task better done by a script. w3af already does it quite nicely, but I wanted a simple command line tool for this.

So I wrote http2code:

Usage: http2code [options]
 -n, --newlines            Use \n as line delimiter when parsing the
                           POST request instead of \r\n
 -t, --template TEMPLATE   Use template TEMPLATE
 -b, --header-blacklist    Use header blacklist to automatically
                           remove common headers not needed
 -h, --help                Show this help

Available Templates:

It takes a raw request from stdin and parses it into JSON data structures for headers, body and the first line containing the HTTP verb and URL. If you supply a template name, it’ll just put the JSON data into the template where some placeholders are defined. Then it writes the result to stdout. Pretty simple, but it saves me a lot of time. You will still have to manually adapt the code though, it may not work right out of the box.

At the moment there’s only a typhoeus template, I plan on adding them as I need / write them.