HTTP request-line differential tricks: exotic methods (WebDAV, CalDAV, cache-private), method case/whitespace tricks, version strings (HTTP/0.9, HTTP/1.99, HTTP/2.0-on-h1-wire), absolute-form URI (RFC 7230 §5.3.2), asterisk-form, authority-form. HTTP request-line differential encoders.
Almost every byte of the request line — the first three tokens of an HTTP/1.x request — has some WAF parser that misreads it. This module produces request lines that one parser accepts as the benign request the WAF expects, while a different parser further down the chain reinterprets them.
- Method tricks. Exotic methods (WebDAV: `PROPFIND`, `LOCK`, `MERGE`; CalDAV: `REPORT`; private: `PURGE`, `CONNECT`). Some WAFs hard-allow `GET`/`POST`/`PUT` only — others allow anything but apply no rules to “weird” methods.
- Method case + whitespace. `GeT /foo`, `GET\t/foo`, `GET  /foo` (multiple spaces), `GET<TAB>/foo<TAB>HTTP/1.1`. RFC says ONE space; some parsers fold runs of whitespace.
- Version tricks. `HTTP/0.9` (response has no headers — some WAFs don’t classify), `HTTP/1.99`, `HTTP/2.0` (mismatched version vs transport), no version at all (HTTP/0.9-style).
- URI forms. RFC 7230 §5.3 allows four request-target forms: `origin-form` (`/path`), `absolute-form` (`http://host/path`), `authority-form` (`host:port` — only for CONNECT), `asterisk-form` (`*` — only for OPTIONS). Most WAFs assume origin-form; passing absolute-form is a classic auth/path-bypass trick.
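As an added defender-side illustration (not code from this crate), the following Rust audit function is a strict request-line checker that reports one anomaly per trick family listed above instead of silently folding whitespace or accepting any target form; the per-endpoint method allow-list (`GET`, `POST`, `HEAD`, `OPTIONS`) is an assumption for the example.

```rust
/// Deviations a strict request-line audit reports, one per trick family listed above.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Anomaly {
    NonSingleSpaceSeparator,  // tab or run of spaces between tokens; RFC allows one SP
    NonUppercaseMethod,       // e.g. `GeT`; methods are case-sensitive
    UnexpectedMethod,         // outside the per-endpoint allow-list (assumed: GET/POST/HEAD/OPTIONS)
    NonOriginFormTarget,      // absolute-, authority- or asterisk-form instead of origin-form
    TargetFormMethodMismatch, // `*` without OPTIONS, or authority-form without CONNECT
    UnsupportedVersion,       // no version (HTTP/0.9 style) or anything but HTTP/1.0 and HTTP/1.1
}

/// Inspect one request line and return every deviation found, in a fixed order.
/// Unlike a lenient parser it never folds whitespace: a tab or double space is reported.
pub fn audit_request_line(raw: &str) -> Vec<Anomaly> {
    const ALLOWED: [&str; 4] = ["GET", "POST", "HEAD", "OPTIONS"]; // assumed allow-list
    let line = raw.trim_end_matches("\r\n");
    let mut found = Vec::new();
    if line.contains('\t') || line.contains("  ") {
        found.push(Anomaly::NonSingleSpaceSeparator);
    }
    // Tokenise loosely (any ASCII whitespace) so the remaining checks still run.
    let mut toks = line.split_ascii_whitespace();
    let method = toks.next().unwrap_or("");
    let target = toks.next().unwrap_or("");
    let version = toks.next();
    if method.bytes().any(|b| b.is_ascii_lowercase()) {
        found.push(Anomaly::NonUppercaseMethod);
    }
    if !ALLOWED.iter().any(|m| m.eq_ignore_ascii_case(method)) {
        found.push(Anomaly::UnexpectedMethod);
    }
    // Classify the request-target form per RFC 7230 §5.3.
    let (origin, asterisk, absolute) =
        (target.starts_with('/'), target == "*", target.contains("://"));
    if !origin {
        found.push(Anomaly::NonOriginFormTarget);
    }
    let authority = !origin && !asterisk && !absolute;
    if (asterisk && !method.eq_ignore_ascii_case("OPTIONS"))
        || (authority && !method.eq_ignore_ascii_case("CONNECT"))
    {
        found.push(Anomaly::TargetFormMethodMismatch);
    }
    match version {
        Some("HTTP/1.0") | Some("HTTP/1.1") => {}
        _ => found.push(Anomaly::UnsupportedVersion),
    }
    found
}
```

A front-end that logs or rejects on a non-empty result sees the tab, the lowercase method and the absolute-form target as three separate findings rather than one normalised request.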
Constants
- `REQUEST_LINE_TRICKS` - Returns the list of every request-line trick exposed by this module, used by the integration test as a registry to assert none was forgotten.
Functions
- `absolute_uri_https_request_line` - Same as `absolute_uri_request_line` but with the HTTPS scheme.
- `absolute_uri_request_line` - Produce request-line bytes where the URI is rendered in absolute-form (RFC 7230 §5.3.2).
- `asterisk_form_request_line` - Asterisk-form request target. RFC 7230 §5.3.4 — only valid for `OPTIONS *`. Some WAFs reject; some pass without rule application.
- `authority_form_request_line` - Authority-form request target (`host:port`). RFC 7230 §5.3.3 — only valid for `CONNECT`. A WAF that sees `CONNECT internal:8080` and passes it to an upstream proxy that accepts it can be tricked into tunneling to private addresses.
- `exotic_methods` - Generate every method variant that has a known parser discrepancy in some WAF, each expressed as one possible first token of the request line.
- `request_line_with_version` - Build a request line using a specific HTTP version string. Some parsers honor `HTTP/0.9` (no headers, no status line on the response). Some accept `HTTP/2.0` as a version on the wire even when the transport is HTTP/1.1.
- `request_line_with_whitespace` - Render a request line with non-standard whitespace between the three tokens.