print special character

.gitignore

@@ -0,0 +1,4 @@
+go.sum
+httpclient
+httpcustomhouse
+httpoverride

Makefile

@@ -8,4 +8,7 @@ build.httpoverride:
 	@echo "build in ${PWD}";go build -o httpoverride cmd/httpoverride/main.go
 
 build.httpclient:
-	@echo "build in ${PWD}";go build -o httpclient cmd/httpclient/main.go
+	@echo "build in ${PWD}";go build -o httpclient cmd/httpclient/main.go
+
+all:
+	@echo "build in ${PWD}";go build -o httpclient cmd/httpclient/main.go;go build -o httpoverride cmd/httpoverride/main.go;go build -o httpcustomhouse cmd/httpcustomhouse/main.go

README.md

@@ -27,9 +27,10 @@ HTTP request smuggling is a technique for interfering with the way a web site pr
 * `curl`, go http client, `ncat`, `openssl s_client` aren't fully satisfying especially when dealing with "malformed http request"
 
 **Real examples:**
-* [Forge `TE.CL` request smuggling attack](https://github.com/ariary/HTTPCustomHouse/blob/main/EXAMPLES.md#analyze-tecl-request-treatment)
-* [Forge `CL.TE` request smuggling attack](https://github.com/ariary/HTTPCustomHouse/blob/main/EXAMPLES.md#analyze-clte-request-treatment)
-* [Exploit `CL.TE`](https://github.com/ariary/HTTPCustomHouse/blob/main/EXAMPLES.md#exploiting-http-request-smuggling-to-reveal-front-end-request-rewriting)
+* [Forge `TE.CL` request smuggling attack](./EXAMPLES.md#analyze-tecl-request-treatment)
+* [Forge `CL.TE` request smuggling attack](./EXAMPLES.md#analyze-clte-request-treatment)
+* [Exploit `CL.TE`](./EXAMPLES.md#exploiting-http-request-smuggling-to-reveal-front-end-request-rewriting) [[2](./EXAMPLES.md#exploiting-http-request-smuggling-to-bypass-front-end-security-controls-clte-vulnerability)] [[3](./EXAMPLES.md#exploiting-http-request-smuggling-to-deliver-reflected-xss-clte)]
+* [Exploit `TE.CL`](./EXAMPLES.md#exploiting-http-request-smuggling-to-bypass-front-end-security-controls-tecl-vulnerability)
 
 
 ## Usage

cmd/httpclient/main.go

@@ -8,7 +8,6 @@ import (
 	"io/ioutil"
 	"log"
 	"os"
-	"strings"
 
 	"github.com/ariary/HTTPCustomHouse/pkg/client"
 	"github.com/ariary/HTTPCustomHouse/pkg/config"
@@ -87,8 +86,7 @@ func main() {
 		if cfg.Verbose {
 			fmt.Println(color.MagentaForeground("------------------------ SEND:"))
 			if cfg.Debug {
-				reqDebug := strings.ReplaceAll(string(rawRequest), "\r", color.Green("\\r"))
-				reqDebug = strings.ReplaceAll(reqDebug, "\n", color.Green("\\n\n"))
+				reqDebug := parser.ReplaceSpecialCharacters(rawRequest)
 				fmt.Println(reqDebug)
 			} else {
 				fmt.Println(string(rawRequest)) // raw request ~ request.GetRawRequest(cfg.Request)
@@ -117,8 +115,7 @@ func main() {
 			if cfg.Verbose {
 				fmt.Println("--------------------- SEND:")
 				if cfg.Debug {
-					reqDebug := strings.ReplaceAll(string(rawRequest), "\r", color.Green("\\r"))
-					reqDebug = strings.ReplaceAll(reqDebug, "\n", color.Green("\\n\n"))
+					reqDebug := parser.ReplaceSpecialCharacters(rawRequest)
 					fmt.Println(reqDebug)
 				} else {
 					fmt.Println(string(rawRequest)) // raw request ~ request.GetRawRequest(cfg.Request)

cmd/httpcustomhouse/main.go

@@ -13,10 +13,11 @@ import (
 )
 
 const usage = `Usage of httpcustomhouse:
-  -r, --residues display residues of the request not treated by the custom officer
-  -cl, --Content-Length stop request treatment according to Content-Length header value
-  -te, --Transfer-Encoding stop request treatment according to chunked encoding
-  -h, --help prints help information 
+  -r, --residues              display residues of the request not treated by the custom officer
+  -cl, --Content-Length       stop request treatment according to Content-Length header value
+  -te, --Transfer-Encoding    stop request treatment according to chunked encoding
+  -d, --debug                 display special characters (\r and \n) 
+  -h, --help                  prints help information 
 `
 
 // /!\ request contain \r\n\r\n characters, when editing w/ vscode for example this character are
@@ -35,6 +36,10 @@ func main() {
 	var isTE bool
 	flag.BoolVar(&isTE, "Transfer-Encoding", false, "stop request treatment according to chunked encoding")
 	flag.BoolVar(&isTE, "te", false, "stop request treatment according to chunked encoding")
+	//-d
+	var debug bool
+	flag.BoolVar(&debug, "debug", false, "Display with special character")
+	flag.BoolVar(&debug, "d", false, "Display request with special character")
 	flag.Usage = func() { fmt.Print(usage) }
 	flag.Parse()
 
@@ -54,11 +59,19 @@ func main() {
 
 	// Print header
 	for h, v := range httpHeader {
-		fmt.Printf("%s: %s\n", h, v[0]) //TODO handle where multiple value are found for a specific header
+		headerLine := h + ": " + v[0] + "\n"
+		if debug {
+			headerLine = parser.ReplaceSpecialCharacters([]byte(headerLine))
+		}
+		fmt.Printf(headerLine) //TODO handle where multiple value are found for a specific header
 	}
 
 	// /!\ bodyB include \r\n to end headers section
-	fmt.Print("\r\n")
+	separeHeaderAndBody := "\r\n"
+	if debug {
+		separeHeaderAndBody = parser.ReplaceSpecialCharacters([]byte(separeHeaderAndBody))
+	}
+	fmt.Print(separeHeaderAndBody)
 	bodyB = bodyB[2:]
 
 	if isTE { //TE custom house
@@ -67,31 +80,55 @@ func main() {
 		sTransferEncoding := httpHeader.Get("Transfer-encoding")
 		if sTransferEncoding == "chunked" {
 			bodyTE, residueB := parser.FilterWithChunkEncoding(bodyB)
-			fmt.Print(string(bodyTE))
+			bodyTEStr := string(bodyTE)
+			if debug {
+				bodyTEStr = parser.ReplaceSpecialCharacters(bodyTE)
+			}
+			fmt.Print(bodyTEStr)
 			if residue {
-				fmt.Fprintf(os.Stderr, color.Magenta(string(residueB)))
+				residueStr := string(residueB)
+				if debug {
+					residueStr = parser.ReplaceSpecialCharacters(residueB)
+				}
+				fmt.Fprintf(os.Stderr, color.Magenta(residueStr))
 			}
 		} else {
-			fmt.Print(string(bodyB))
+			bodyStr := string(bodyB)
+			if debug {
+				bodyStr = parser.ReplaceSpecialCharacters(bodyB)
+			}
+			fmt.Print(bodyStr)
 		}
 	} else { //CL custom house
 		// Get Content-Length value
 		sContentLength := httpHeader.Get("Content-Length")
 		if sContentLength == "" {
+			bodyStr := string(bodyB)
+			if debug {
+				bodyStr = parser.ReplaceSpecialCharacters(bodyB)
+			}
 			//fmt.Fprintf(os.Stderr, "Content-Length not found")
-			fmt.Print(string(bodyB)) //Print whole request
+			fmt.Print(bodyStr) //Print whole request
 		} else {
 			contentLength, err := strconv.Atoi(sContentLength)
 			if err != nil {
 				fmt.Fprintf(os.Stderr, "Failed to convert Content-Length: %s", err)
 			}
 
 			bodyCL, residueB, difference := parser.FilterWithContentLength(contentLength, bodyB)
-			fmt.Print(string(bodyCL))
+			bodyCLStr := string(bodyCL)
+			if debug {
+				bodyCLStr = parser.ReplaceSpecialCharacters(bodyCL)
+			}
+			fmt.Print(bodyCLStr)
 			if difference > 0 {
 				fmt.Fprintln(os.Stderr, color.Yellow("\nMissing ", difference, " bytes in body"))
 			} else if residue {
-				fmt.Fprintf(os.Stderr, color.Magenta(string(residueB)))
+				residueStr := string(residueB)
+				if debug {
+					residueStr = parser.ReplaceSpecialCharacters(residueB)
+				}
+				fmt.Fprintf(os.Stderr, color.Magenta(residueStr))
 			}
 
 		}

pkg/parser/parser.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/ariary/HTTPCustomHouse/pkg/request"
 	"github.com/ariary/HTTPCustomHouse/pkg/response"
+	"github.com/ariary/go-utils/pkg/color"
 )
 
 //Parse a request to retrieve headers and body
@@ -175,3 +176,10 @@ func ParseResponse(reqMethod string, url string, resp string) (response response
 
 	return response, err
 }
+
+//ReplaceSpecialCharacters: replace special characters in a given string (bytes) to make them visible
+func ReplaceSpecialCharacters(rawWithSpecial []byte) (strWithoutSpecial string) {
+	strWithoutSpecial = strings.ReplaceAll(string(rawWithSpecial), "\r", color.Green("\\r"))
+	strWithoutSpecial = strings.ReplaceAll(strWithoutSpecial, "\n", color.Green("\\n\n"))
+	return strWithoutSpecial
+}