forensant / pakiki-core

Pākiki is an intercepting proxy designed to help penetration testers find security vulnerabilities in web or mobile applications. This repository contains the core.
https://pakikiproxy.com/
MIT License

Improve internal representation of requests #9

Open pipeline opened 3 years ago

pipeline commented 3 years ago

The underlying proxy library (elazarl/goproxy) and internal functions use the golang representation of HTTP requests/responses. These have limitations, and in particular header order (and likely capitalisation) is not maintained.

This may cause some issues where vulnerabilities cannot be tested for, or it may create confusion.

If practical, fixes should be provided upstream to the elazarl/goproxy library, or a fork should be maintained.

denandz commented 3 months ago

Ran into this same issue with glorp proxy (https://github.com/denandz/glorp/issues/23) - the underlying net/http library used by both goproxy and martian canonicalizes headers as they're get/set from the header map (https://go.dev/src/net/http/header.go?s=1433:1473)

A solution would need to figure out a way around this Golang net/http logic :-/

pipeline commented 3 months ago

We currently have work underway on a new library for proxying which doesn't rely on Golang's HTTP implementation. A technical proof of concept is in progress, but we don't necessarily have any timeframes.
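
The header behaviour discussed in this thread, shown as an added example (not code from pakiki-core, glorp or goproxy): the same request bytes are read once through net/http and once by a minimal line reader. The sample request and the function names `ViaNetHTTP` and `RawHeaderNames` are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Constructed sample: mixed-case header names in a deliberate wire order.
const rawRequest = "GET / HTTP/1.1\r\n" +
	"x-custom-B: 1\r\n" +
	"HOST: example.test\r\n" +
	"X-CUSTOM-a: 2\r\n\r\n"

// ViaNetHTTP parses with net/http and returns the header names that survive.
// Names come back canonicalized and live in a map, so wire order is gone
// (sorted here only for stable output). Host is moved to req.Host.
func ViaNetHTTP(raw string) ([]string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(req.Header))
	for name := range req.Header {
		names = append(names, name)
	}
	sort.Strings(names)
	return names, nil
}

// RawHeaderNames reads the same bytes without net/http and keeps each
// header name exactly as sent, in the order sent.
func RawHeaderNames(raw string) []string {
	head, _, _ := strings.Cut(raw, "\r\n\r\n")
	var names []string
	for _, line := range strings.Split(head, "\r\n")[1:] { // skip request line
		if name, _, ok := strings.Cut(line, ":"); ok {
			names = append(names, name)
		}
	}
	return names
}

func main() {
	canon, err := ViaNetHTTP(rawRequest)
	if err != nil {
		panic(err)
	}
	fmt.Println("net/http:", canon)
	fmt.Println("raw:     ", RawHeaderNames(rawRequest))
}
```
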