seanmonstar / reqwest

An easy and powerful Rust HTTP Client
https://docs.rs/reqwest
Apache License 2.0
9.75k stars 1.1k forks

Support for Unstructured HTTP Headers #1857

Open knassar702 opened 1 year ago

knassar702 commented 1 year ago

Greetings team,

I'm currently working on a project intended for security professionals, and I've come across a requirement where we need to send HTTP requests in an unstructured format. This functionality would allow users to construct requests similar to the following example:

```
GET / HTTP/1.1
  Host: hello.com
Host: attacker.com
HeaderWithoutValue
```

as host header injection (as described in this informative resource: Host Header Injection). Additionally, it can help detect if the application is running in Debug mode or enable the identification of potential issues related to HTTP request smuggling (as explained here: HTTP Request Smuggling).

For more detailed information and context, please refer to the following GitHub issue: BugBlocker/lotus #136.
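From the receiving side, the sample request in the comment above contains three things a strict HTTP/1.1 parser rejects. The following is an added example, not part of the original post and not code from reqwest, hyper or Lotus: a small auditor that flags them in a raw request head. The `Anomaly` type, `audit_head` function and `SAMPLE` constant are names made up for this illustration.

```rust
/// Anomalies in a request head (type and variant names are this example's own).
#[derive(Debug, PartialEq)]
enum Anomaly {
    /// Line begins with SP/HTAB: RFC 9112 §2.2 (after the start-line) and
    /// §5.2 (obsolete line folding) say never to treat it as a normal field line.
    LeadingWhitespace(usize),
    /// More than one Host field line: RFC 9112 §3.2 requires a 400 response.
    DuplicateHost(usize),
    /// Line with no ':' separator, so it is not a valid field line.
    MissingColon(usize),
}

/// Constructed input: the request from the opening comment, with CRLF line endings.
const SAMPLE: &str =
    "GET / HTTP/1.1\r\n  Host: hello.com\r\nHost: attacker.com\r\nHeaderWithoutValue\r\n\r\n";

/// Audit the header section. Line numbers are 1-based; the request line is line 1.
fn audit_head(raw: &str) -> Vec<Anomaly> {
    let mut found = Vec::new();
    let mut hosts = 0;
    for (i, line) in raw.lines().enumerate().skip(1) {
        let n = i + 1;
        if line.is_empty() {
            break; // blank line ends the header section
        }
        if line.starts_with(' ') || line.starts_with('\t') {
            found.push(Anomaly::LeadingWhitespace(n));
        }
        // A lenient parser may trim the line and accept it as a field, so keep
        // parsing the trimmed text to see what such a parser would see.
        match line.trim_start().split_once(':') {
            None => found.push(Anomaly::MissingColon(n)),
            Some((name, _)) if name.eq_ignore_ascii_case("host") => {
                hosts += 1;
                if hosts > 1 {
                    found.push(Anomaly::DuplicateHost(n));
                }
            }
            Some(_) => {}
        }
    }
    found
}

fn main() {
    for a in audit_head(SAMPLE) {
        println!("{:?}", a);
    }
}
```

The duplicate Host is only visible when the indented line is trimmed and counted, which is the parsing disagreement between front end and back end that makes such requests a useful pre-deployment test.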

seanmonstar commented 1 year ago

It sounds like you want the ability to send headers that are incorrectly formatted on purpose, to probe servers, is that right? Part of hyper's goals is to strictly enforce things that would be illegal.

knassar702 commented 1 year ago

Hello @seanmonstar, I wanted to discuss the possibility of incorporating a feature in the Hyper project that would cater to the needs of security professionals within the DevOps lifecycle (like this one). Specifically, this feature would allow them to scan the application before deploying it. But I understand that this may not align with Hyper's primary goals, and I respect that.

Before proceeding with forking the project, I would like to inquire whether it would be acceptable for us, as the Lotus team, to add this feature ourselves in the forked version. Your input on this matter would be greatly appreciated.

Best regards @knassar702

seanmonstar commented 1 year ago

Well, so, there is some precedent that hyper allows enabling options for things that the specs now say "please don't ever do this, but legacy software may exist". So, in that sense, it could be acceptable. If you wanted to put together a design document outlining how to do this, and pitch it on the hyperium/hyper repo, we could consider it. I'm sympathetic to allowing hyper to be more flexible, as long as it's safe by default.

cn-kali-team commented 4 months ago

https://github.com/emo-crab/slinger A client specifically developed for security researchers

https://github.com/emo-crab/slinger/blob/main/examples/smuggling.rs

knassar702 commented 4 months ago

Good job @cn-kali-team :clap: thank you

seanmonstar commented 4 months ago

Oh, I understand what you're looking for now. I think this PR would do it: https://github.com/hyperium/hyper/pull/3417