T-Reqs-HTTP-Fuzzer (Two Requests) is a grammar-based HTTP Fuzzer written as a part of the paper titled “T-Reqs: HTTP Request Smuggling with Differential Fuzzing” which was presented at ACM CCS 2021.
T-Reqs is for fuzzing HTTP servers by sending mutated HTTP requests with versions 1.1 and earlier. It has three main components: 1) generating inputs, 2) mutating generated inputs and 3) delivering them to the target server(s).
A CFG grammar fed into the fuzzer is used to generate HTTP requests. As the example grammar shown below is tailored for request line fuzzing, every request line component and possible values for each of them are explicitly specified. This allows us to generate valid requests with various forms of request line and also to treat each request line component as a separate unit from the mutation perspective.
”:
[”],
”:
[”],
”:
[”],
”:
[‘GET’, ‘HEAD’, ‘POST’, ‘PUT’, ‘DELETE’, ‘CONNECT’, ‘OPTIONS’, ‘TRACE’, ‘PATCH’],
”:
[‘ ‘],
”:
[‘/URI‘],
”:
[‘HTTP’],
”:
[‘/’],
”:
[‘0.9’, ‘1.0’, ‘1.1’],
”:
[‘\r\n’],
”:
[‘Host: HOST\r\nConnection:close\r\nX-Request-ID: REQUEST_ID\r\n’],
”:
[‘Content-Length: 5\r\n\r\nBBBBBBBBBB’],
Mutating Inputs
Each component can be marked in two ways: string mutable and tree mutable (see the example configuration). If a component is string mutable, then a random character can be deleted, replaced, or inserted at a random position. In the example shown below (left side), the last character in the protocol version (1) is deleted, the third letter in the method name (S) is replaced with R, and a forward slash is inserted at the beginning of the URI. Whereas, if a component is tree mutable, then a random component can be deleted, replaced, or inserted at a random position under that component. The example below (right side) shows three tree mutations applied on the request line component: 1) method is replaced by protocol, 2) an extra URI is inserted after the current URI, and 3) the existing proto is deleted.
Usage
The fuzzer should be informed about the user preferences about the generation and mutation of inputs. More specifically, the input grammar, the mutable components, mutation preferences among other things should be specified in the configuration file (see an example configuration).
To be able to reproduce the inputs generated and mutated in each iteration, a seed number is used. In fact, this seed number serves as a seed for random number generations during the formation and mutation of an input. Depending on how these seeds are fed into the fuzzer, it runs in one of these two modes: individual and collective. In the individual mode, inputs are generated and mutated based on the seeds specified by a user. In the command below, a single seed (i.e., 505) is specified. Alternatively, a list of seeds could be specified with -f option (see help page for more).
python3 main.py -i -c config -s 505
Whereas, in the collective mode (which is default), it starts from zero as the seed value and increments it in each iteration until the end number is reached. The beginning and end numbers can be customized.
python3 main.py -c config
Using for Finding HRS discrepancies
HTTP Request Smuggling relies on different body parsing behaviors between servers where one server uses Transfer-Encoding header while the other prefers Content-Length header to decide the boundaries of a request body, or one server ignores a request body, whereas the other one processes it.
To analyze the body parsing of servers in response to various mutations in various forms of an HTTP request, we need to have a feedback mechanism installed on those servers to tell us about the body parsing behavior. One way of installing a feedback mechanism on a server, is to run the server in the reverse-proxy mode and have it forward requests to a “feedback provider” script running as a service. This service measures the length of the body in received requests and saves it for comparing it later with other servers.
An example “feedback provider” script is available in this repository. However, this script sends the body length information back in a response assuming that this information is stored on the client side.