Show HN: The HTTP Garden – A Parser Vulnerability Research Tool https://ift.tt/daGe6Z5

Show HN: The HTTP Garden – A Parser Vulnerability Research Tool I wrote this tool during an internship at Narf Industries in 2023. It's a REPL that allows for quickly developing, testing, and fuzzing for HTTP request smuggling attack payloads. I started the internship having never worked with web servers, and have now found over 100 HTTP implementation bugs. I attribute this mostly to the ease of experimentation in the Garden. REPL-oriented fuzzing is just a really good interface for finding parsing bugs. It's pretty neat to able to run a differential fuzzer, categorize and display all the discovered discrepancies, then let a human pick through them and interact with fuzz targets to test whether the bugs are exploitable. Some notable server combinations in which we discovered new request smuggling attacks include Google Cloud <-> Node.js, Akamai <-> Node.js, [almost anything] <-> LiteSpeed, and OpenBSD relayd <-> [anything]. We also found an infinite loop DoS in Cesanta Mongoose that affects all configurations, and a null pointer dereference that can crash any OpenBSD httpd server that uses FastCGI. https://ift.tt/F68KAVn February 6, 2024 at 01:18AM