From 2f5792a2261938ffb59d81c0e8d789025d7b9234 Mon Sep 17 00:00:00 2001 From: javi Date: Tue, 31 Dec 2019 16:26:04 +0100 Subject: [PATCH 1/2] ignore crlf until request line --- src/wfuzz/externals/reqresp/Request.py | 9 ++++- src/wfuzz/externals/reqresp/Response.py | 6 +++- tests/test_req_parse.py | 45 +++++++++++++++++++++++++ 3 files changed, 58 insertions(+), 2 deletions(-) diff --git a/src/wfuzz/externals/reqresp/Request.py b/src/wfuzz/externals/reqresp/Request.py index cc08240e..4b77540f 100644 --- a/src/wfuzz/externals/reqresp/Request.py +++ b/src/wfuzz/externals/reqresp/Request.py @@ -447,8 +447,15 @@ def parseRequest(self, rawRequest, prot="http"): self.setUrl(prot + "://" + self._headers["Host"] + pathTMP) - pd = "" + # ignore CRLFs until request line + while tp.lastline == '' and tp.readLine(): + pass + # TODO: hacky, might need to change tp.readline returning read bytes instead + pd = "" + if tp.lastFull_line: + pd += tp.lastFull_line + while tp.readLine(): pd += tp.lastFull_line diff --git a/src/wfuzz/externals/reqresp/Response.py b/src/wfuzz/externals/reqresp/Response.py index 9a0022f6..a8a13c7b 100644 --- a/src/wfuzz/externals/reqresp/Response.py +++ b/src/wfuzz/externals/reqresp/Response.py @@ -175,7 +175,11 @@ def parseResponse(self, rawheader, rawbody=None, type="curl"): else: self._headers = [] - # TODO: this might add to rawbody not directly to __content + # ignore CRLFs until request line + while tp.lastline == '' and tp.readLine(): + pass + + # TODO: this should be added to rawbody not directly to __content if tp.lastFull_line: self.addContent(tp.lastFull_line) diff --git a/tests/test_req_parse.py b/tests/test_req_parse.py index 93aa45e0..ada961ac 100644 --- a/tests/test_req_parse.py +++ b/tests/test_req_parse.py 
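Review bot: The added skip loop `while tp.lastline == '' and tp.readLine(): pass` consumes every blank line after the header block, so a request body that itself begins with empty lines is shortened before it is collected into `pd`, and the replayed request no longer matches what was captured (or its `Content-Length`). The Response.py hunk adds the same loop ahead of `self.addContent(...)`, where it would trim server-supplied content in the same way. If this leniency for hand-pasted requests is intended, say so at the loop, e.g. `# lenient: drop extra blank lines before the body; leading blank lines of a body are not preserved`; the current comment says "until request line", but `setUrl` just above already uses the parsed `Host` header, so the request line has been read by this point. `parseRequest` starts and ends outside the hunk, and the exact semantics of `readLine` are not visible here.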
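Review bot: After the new loop, `if tp.lastFull_line: self.addContent(tp.lastFull_line)` runs even when the loop stopped because the input ran out, and nothing in the hunk shows that `lastFull_line` is empty in that case; if it still holds the last blank line, a header-only response would end up with a stray newline as content. A test that parses a response made of headers plus several blank lines and asserts empty content would settle this. The comment `# ignore CRLFs until request line` was copied from the request parser and does not fit a response; `# skip blank lines between the header block and the body` appears to describe what the loop does here. `parseResponse` continues outside the hunk.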
@@ -2,6 +2,37 @@ from wfuzz.fuzzobjects import FuzzRequest + +http_post_request = '''POST /slipstream/view HTTP/1.1 +Host: www +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0 +Accept: */* +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://www +Content-Type: text/plain;charset=UTF-8 +Origin: https://www +Content-Length: 3387 +Connection: close + + + +a=1''' + + +http_get_request = '''GET /sttc/bpk-fonts/55b577a1.woff2 HTTP/1.1 +Host: js.skyscnr.com +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0 +Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Origin: https://www.skyscanner.es +Connection: close +Referer: https://js.skyscnr.com/sttc/oc-registry/components/base-stylesheet/0.1.33/build//static/css/main.e09b44e2.css + + +''' + http_response = '''HTTP/1.1 201 Created Content-Type: application/json Content-Length: 51 @@ -113,3 +144,17 @@ def test_parse_raw_multi_response(self): self.assertEqual(fr.content, "LINE_1") self.assertEqual(fr.code, 200) + + def test_parse_get_crlf_request(self): + fr = FuzzRequest() + fr.update_from_raw_http(http_get_request, "https", "\n\n\n") + + self.assertEqual(fr.method, "GET") + self.assertEqual(fr.params.raw_post, None) + + def test_parse_crlf_post_request(self): + fr = FuzzRequest() + fr.update_from_raw_http(http_post_request, "https", "\n\n\n") + + self.assertEqual(fr.method, "POST") + self.assertEqual(fr.params.post, {'a': '1'}) From d15912ae18ba623cb77a8709cd5d16ab4d2c8611 Mon Sep 17 00:00:00 2001 From: javi Date: Tue, 31 Dec 2019 16:27:15 +0100 Subject: [PATCH 2/2] bump version --- src/wfuzz/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wfuzz/__init__.py b/src/wfuzz/__init__.py index bd2a776b..07b2b688 100644 --- a/src/wfuzz/__init__.py +++ b/src/wfuzz/__init__.py 
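Review bot: The new fixtures look like pasted browser captures: `http_get_request` names real third-party hosts (`js.skyscnr.com`, `www.skyscanner.es`) in `Host`, `Origin` and `Referer`, and `http_post_request` declares `Content-Length: 3387` for the three-byte body `a=1`. Test data is easier to keep harmless and self-consistent when it is synthetic, e.g. `Host: www.example.com` and `Content-Length: 3`. A one-line comment above each literal, saying that the run of blank lines before the body (or at the end of the request) is the case under test, would also help, since those lines are easy to tidy away by accident.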
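Review bot: Both tests are named `*_crlf_*`, but the fixture literals contain plain `\n` line breaks (unless the file is stored with CRLF endings), so real `\r\n` input is not exercised. A variant such as `fr.update_from_raw_http(http_post_request.replace("\n", "\r\n"), "https", "\n\n\n")` would cover it. The third argument `"\n\n\n"` is passed in both tests without any assertion on what it produces, and `self.assertIsNone(fr.params.raw_post)` states the intent more directly than `assertEqual(..., None)`.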
@@ -1,5 +1,5 @@ __title__ = 'wfuzz' -__version__ = "2.4.3" +__version__ = "2.4.4" __build__ = 0x023000 __author__ = 'Xavier Mendez' __license__ = 'GPL 2.0'