NAME

App::DubiousHTTP - test security systems with dubious HTTP

DESCRIPTION

While HTTP is defined in RFC2616 (HTTP/1.1) the specification does not address every tiny detail. This makes browsers behave similar for the usual HTTP traffic, but they differ in behavior regarding unusual or invalid traffic.

The same interpretation problems can be seen in security systems, e.g. Intrusion Detection Systems (IDS), proxies or firewalls. Thus differences in the interpretation of HTTP leave enough room for circumventing these security systems.

This module contains predefined tests to generate dubious HTTP responses. The distribution contains also a script dubious_http.pl which can be used as an HTTP server to serve these dubious HTTP responses. It can alternatively be used to generate pcap-Files containing the dubious HTTP traffic, which instead of life traffic can be fed for analysis into IDS systems.

If used as a webserver several bulk-tests are available which feature automatic firewall evasion tests and HTTP conformance tests using XMLHttpRequest, script and img tags.

Right now the following major tests groups are defined:

Tests with Transfer-Encoding chunked: These tests have shown a variety of differences among browsers and IDS regarding the use of chunked encoding. For example they differ, if Transfer-Encoding chunked is specified within an HTTP/1.0 response (chunked is defined for HTTP/1.1 only) or if not specified as "chunked", but as "chunked xx" or similar.
Tests with Compression Using Content-Encoding and Transfer-Encoding: Various compression schemas, invalid schemas, combining schemas etc get tested. These tests show a wide variety of behavior among browsers, firewalls and IDS.
Variations on Content-Length: This includes duplicate headers, contradicting headers, headers featuring MIME comments, line folding and much more.
Various Broken HTTP-Headers: These are tests featuring invalid status codes or use of status code outside of its normal context, fancy variations of white-space, HTTP version numbers, invalid characters and much more.
Tests with MIME: The interpretation of multipart MIME-Messages differs a lot between browsers. While some don't interprete multipart messages at all, others simply take the last part and some even interprete Content-Transfer-Encoding information.
Tests with Range Header: These tests check the behavior, if the server sends only partial responses back, even if the client did not ask for partial response. With luck the client tries to resume starting with the given position.

AUTHOR

Steffen Ullrich, 2013..2015

COPYRIGHT

This code is copyright by Steffen Ullrich.

It can be freely used and modified both non-commercially and commercially as long as it is clearly provided, who the original author of the code was and a link to the authors public repository of this code is provided. For this it is sufficient to include author and repository information into the usual product documentation together similar to the licenses of other third party components.

To install App::DubiousHTTP, copy and paste the appropriate command in to your terminal.

cpanm

cpanm App::DubiousHTTP

CPAN shell

perl -MCPAN -e shell
install App::DubiousHTTP

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

DESCRIPTION

SEE ALSO

AUTHOR

COPYRIGHT

Module Install Instructions