Module request_line

HTTP request-line differential encoders: exotic methods (WebDAV, CalDAV, cache-private), method case/whitespace tricks, version strings (HTTP/0.9, HTTP/1.99, HTTP/2.0-on-h1-wire), absolute-form URI (RFC 7230 §5.3.2), asterisk-form, authority-form.

Almost every byte of the request line — the first three tokens of an HTTP/1.x request — has some WAF parser that misreads it. This module produces request lines that one parser accepts as the benign request the WAF expects, while a different parser further down the chain reinterprets them.

  • Method tricks. Exotic methods (WebDAV: PROPFIND, LOCK, MERGE; CalDAV: REPORT; private: PURGE, CONNECT). Some WAFs hard-allow GET/POST/PUT only — others allow anything but apply no rules to “weird” methods.
  • Method case + whitespace. GeT /foo, GET\t/foo, GET  /foo (multiple spaces), GET<TAB>/foo<TAB>HTTP/1.1. The RFC requires exactly one space between tokens; some parsers fold runs of whitespace.
  • Version tricks. HTTP/0.9 (response has no headers — some WAFs don’t classify), HTTP/1.99, HTTP/2.0 (mismatched version vs transport), no version at all (HTTP/0.9-style).
  • URI forms. RFC 7230 §5.3 allows four request-target forms: origin-form (/path), absolute-form (http://host/path), authority-form (host:port — only for CONNECT), asterisk-form (* — only for OPTIONS). Most WAFs assume origin-form; passing absolute-form is a classic auth/path-bypass trick.
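
A strict edge-side check that refuses the ambiguous request lines listed above instead of guessing at them, so that no later parser can read them differently. This is an added example and not part of this crate; the method allowlist and the origin-form-only policy are assumptions.

```rust
// Added example, not part of the documented crate. ALLOWED_METHODS is an
// assumed per-application allowlist; adjust it to the methods the origin serves.
const ALLOWED_METHODS: [&str; 5] = ["GET", "HEAD", "POST", "PUT", "OPTIONS"];

#[derive(Debug, PartialEq)]
enum Verdict {
    Ok,
    Reject(&'static str),
}

/// Check a request line (CRLF already stripped) against the RFC 7230 §3.1.1
/// grammar: method SP request-target SP HTTP-version, with no leniency.
fn check_request_line(line: &[u8]) -> Verdict {
    // Tabs and other control bytes are never folded into a separator.
    if line.iter().any(|&b| b < 0x20 || b == 0x7f) {
        return Verdict::Reject("control byte in request line");
    }
    // Split on every single SP: doubled spaces yield an empty token and a
    // missing version yields two tokens, so both fail here.
    let parts: Vec<&[u8]> = line.split(|&b| b == b' ').collect();
    if parts.len() != 3 || parts.iter().any(|p| p.is_empty()) {
        return Verdict::Reject("not exactly three SP-separated tokens");
    }
    let (method, target, version) = (parts[0], parts[1], parts[2]);
    // Methods are case-sensitive; anything off the allowlist is refused
    // instead of being forwarded without rule coverage.
    if !ALLOWED_METHODS.iter().any(|m| m.as_bytes() == method) {
        return Verdict::Reject("method not on allowlist");
    }
    if version != b"HTTP/1.1" && version != b"HTTP/1.0" {
        return Verdict::Reject("unsupported version string");
    }
    // Assumed policy: this hop is not a forward proxy, so only origin-form is
    // accepted, plus asterisk-form for OPTIONS.
    let asterisk_ok = target == b"*" && method == b"OPTIONS";
    if target.starts_with(b"/") || asterisk_ok {
        Verdict::Ok
    } else {
        Verdict::Reject("request-target is not origin-form")
    }
}

fn main() {
    // Constructed sample lines covering the categories listed above.
    let samples: [&[u8]; 6] = [b"GET /foo HTTP/1.1", b"GeT /foo HTTP/1.1",
        b"GET\t/foo\tHTTP/1.1", b"GET  /foo HTTP/1.1", b"GET /foo HTTP/1.99",
        b"GET http://host/path HTTP/1.1"];
    for s in samples {
        println!("{:?} -> {:?}", String::from_utf8_lossy(s), check_request_line(s));
    }
}
```

Rejecting at the first hop, and logging the reason string, is what removes the differential: a line that never reaches the second parser cannot be reinterpreted by it.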

Constants§

REQUEST_LINE_TRICKS
The list of every request-line trick exposed by this module, used by the integration test as a registry to assert that none was forgotten.

Functions§

absolute_uri_https_request_line
Same as absolute_uri_request_line but with HTTPS scheme.
absolute_uri_request_line
Produce request-line bytes where the URI is rendered in absolute-form (RFC 7230 §5.3.2).
asterisk_form_request_line
Asterisk-form request target. RFC 7230 §5.3.4 — only valid for OPTIONS *. Some WAFs reject; some pass without rule application.
authority_form_request_line
Authority-form request target (host:port). RFC 7230 §5.3.3 — only valid for CONNECT. When a WAF passes CONNECT internal:8080 and the upstream proxy accepts it, the proxy can be tricked into tunneling to private addresses.
exotic_methods
Generate every method variant that has a known parser-discrepancy in some WAF, expressed as one possible first-token-of-request-line.
request_line_with_version
Build a request line using a specific HTTP version string. Some parsers honor HTTP/0.9 (no headers, no status line on response). Some accept HTTP/2.0 as a version on the wire even when the transport is HTTP/1.1.
request_line_with_whitespace
Render a request line with non-standard whitespace between the three tokens.