USArmyResearchLab / Dshell

Dshell is a network forensic analysis framework.

Check for postParams with single null value #116

Closed amm3 closed 4 years ago

amm3 commented 4 years ago

I noticed a fairly common condition where base64 text was passed as HTTP POST data, wherein the utility function URLDataToParameterDict would return a single-element dictionary with a null value. This seems to occur when the base64 text is a null-terminated string ending in a = character:

>>> postParams = util.URLDataToParameterDict('A=\0')
>>> postParams
{'A': '\x00'}

This was causing errors in the display of POST parameters and is generally not useful in the context of this decoder.
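
Added example (not part of the original thread and not Dshell's code): the condition described in the comment above, reproduced with Python 3's `urllib.parse.parse_qsl` standing in for `util.URLDataToParameterDict`, followed by a guard that discards the single-null-value result before POST parameters are displayed. The function names and sample bodies are constructed for illustration.

```python
from urllib.parse import parse_qsl


def parse_post_body(body):
    """Stand-in for util.URLDataToParameterDict (assumption: uses the
    standard library parser, not Dshell's implementation)."""
    return dict(parse_qsl(body))


def is_single_null_param(params):
    """True when the parsed body is exactly one key whose value consists
    only of NUL characters, e.g. {'A': '\\x00'}."""
    if len(params) != 1:
        return False
    (value,) = params.values()
    return value != '' and value.strip('\x00') == ''


def displayable_post_params(body):
    """Return the parameters worth showing to an analyst.

    A body that is really base64 text ending in '=' and a NUL terminator
    parses as one bogus key/value pair; treat it as 'no form parameters'
    so the raw body can be handled as opaque data instead.
    """
    params = parse_post_body(body)
    if is_single_null_param(params):
        return {}
    return params


if __name__ == '__main__':
    # Constructed sample bodies.
    samples = [
        'A=\0',                    # the case from the comment
        'QUI=\0',                  # base64 with one pad character plus NUL
        'user=alice&role=admin',   # ordinary form data
    ]
    for body in samples:
        print(repr(body), '->', displayable_post_params(body))
```
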

amm3 commented 4 years ago

Tacking on an additional commit to the DNS decoder, adding SOA record type handling and some minor code cleanup.

dev195 commented 4 years ago

Thanks for the update. I'm surprised we didn't notice that httpdump bug sooner.