{"id":19544862,"url":"https://github.com/ariary/httpcustomhouse","last_synced_at":"2025-04-26T19:31:47.266Z","repository":{"id":50491124,"uuid":"454696836","full_name":"ariary/HTTPCustomHouse","owner":"ariary","description":"HTTP request smuggling attack helper/CLI tools to manipulate HTTP packets","archived":false,"fork":false,"pushed_at":"2022-09-23T07:51:19.000Z","size":2364,"stargazers_count":35,"open_issues_count":1,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-04T17:11:42.373Z","etag":null,"topics":["bug-bounty","burp","cli","http-client","http-request-smuggling","infosec","learning","pentest-tool","request-smuggling","security","websecurity"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ariary.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-02-02T08:33:27.000Z","updated_at":"2025-03-24T02:29:50.000Z","dependencies_parsed_at":"2022-08-25T08:02:42.521Z","dependency_job_id":null,"html_url":"https://github.com/ariary/HTTPCustomHouse","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FHTTPCustomHouse","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FHTTPCustomHouse/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FHTTPCustomHouse/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FHTTPCustomHouse/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owne
rs/ariary","download_url":"https://codeload.github.com/ariary/HTTPCustomHouse/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251041425,"owners_count":21527192,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-bounty","burp","cli","http-client","http-request-smuggling","infosec","learning","pentest-tool","request-smuggling","security","websecurity"],"created_at":"2024-11-11T03:32:39.742Z","updated_at":"2025-04-26T19:31:46.925Z","avatar_url":"https://github.com/ariary.png","language":"Go","readme":"# HTTPCustomHouse\n\n\u003cdiv align=center\u003e\n\u003cimg src= https://github.com/ariary/HTTPCustomHouse/blob/main/img/E0D8F573-7824-42C1-BF6B-F58E5F14DB0E.png width=180\u003e\n\n\u003cbr\u003e\u003cstrong\u003e\u003ci\u003eCLi tools helping to forge  HTTP smuggling attack and others \u003c/i\u003e\u003c/strong\u003e\n\n\n\u003cb\u003e(\u003ccode\u003ehttpcustomhouse\u003c/code\u003e)\u003c/b\u003e\u003cbr\u003e\nAnalyze smuggled request without interacting with remote server. \u003csup\u003e\u003ci\u003e\u003ca href=#%EF%B8%8F-httpcustomhouse\u003e(use it)\u003c/a\u003e\u003c/i\u003e\u003c/sup\u003e\n\n\u003cb\u003e(\u003ccode\u003ehttpoverride\u003c/code\u003e)\u003c/b\u003e\u003cbr\u003e\nManipulate HTTP raw request to sharpen attack. \u003csup\u003e\u003ci\u003e\u003ca href=#-httpoverride\u003e(use it)\u003c/a\u003e\u003c/i\u003e\u003c/sup\u003e\n\n\u003cb\u003e(\u003ccode\u003ehttpclient\u003c/code\u003e)\u003c/b\u003e\u003cbr\u003e\nSend HTTP raw request to perform the attack . 
\u003csup\u003e\u003ci\u003e\u003ca href=#-httpclient\u003e(use it)\u003c/a\u003e\u003c/i\u003e\u003c/sup\u003e\n\n👁️ \u003cstrong\u003e•\u003c/strong\u003e 🔨 \u003cstrong\u003e•\u003c/strong\u003e 📬\n\u003c/div\u003e \n\nHTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests ([more]()). The aim is to **perform request smuggling from the command line**. It can't totally replace Burp Suite (or other GUI) but it proposes another approach, with more CLi. In order to offer a fully CLi experience while manipulating HTTP packets, these tools can be used with **[`httpecho`](https://github.com/ariary/httpecho)**, which can help construct raw HTTP requests. \n\n**Why That?**\n\n* To learn\n* Being able to solve challenges from the CLi helps us script the resolution, automate exploits, etc.\n* `curl`, go http client, `ncat`, `openssl s_client` aren't fully satisfying, especially when dealing with \"malformed http request\"\n\n**Real examples:**\n* [Forge `TE.CL` request smuggling attack](https://github.com/ariary/HTTPCustomHouse/blob/main/EXAMPLES.md#analyze-tecl-request-treatment)\n* [Forge `CL.TE` request smuggling attack](https://github.com/ariary/HTTPCustomHouse/blob/main/EXAMPLES.md#analyze-clte-request-treatment)\n* [Exploit `CL.TE`](https://github.com/ariary/HTTPCustomHouse/blob/main/EXAMPLES.md#exploiting-http-request-smuggling-to-reveal-front-end-request-rewriting) [[2](https://github.com/ariary/HTTPCustomHouse/blob/main/EXAMPLES.md#exploiting-http-request-smuggling-to-bypass-front-end-security-controls-clte-vulnerability)] [[3](https://github.com/ariary/HTTPCustomHouse/blob/main/EXAMPLES.md#exploiting-http-request-smuggling-to-deliver-reflected-xss-clte)]\n* [Exploit `TE.CL`](https://github.com/ariary/HTTPCustomHouse/blob/main/EXAMPLES.md#exploiting-http-request-smuggling-to-bypass-front-end-security-controls-tecl-vulnerability)\n\n\n## Usage\n\n### 👁️ `httpcustomhouse`\n\n*\u003e allow you to reproduce HTTP request 
processing without interacting with online server*\n\n**Show corresponding request treated by a server based on `Content-Length` Header treatment**:  \n```shell\ncat samples/te.cl | httpcustomhouse -cl\n```\nIf the `Content-Length` is larger than the body size, the number of remaining bytes will be echoed\n\n**Show corresponding request treated by a server based on chunk encoding treatment**:\n```shell\ncat samples/cl.te | httpcustomhouse -te\n```\n\n**Show the residue of the request that has not been treated** (in stderr):\n```shell\ncat samples/cl.te | httpcustomhouse -te -r\n# -r (or --residue) also works for -cl\n```\n\nDemo: [ (🖼️) Visualize `TE.CL` ](https://github.com/ariary/HTTPCustomHouse/blob/main/img/hch.png)\n\n### 🔨 `httpoverride`\n\n*\u003e help to modify http request*\n\n**Override/Modify Header of an HTTP request**:\n```shell\ncat [raw_request] | httpoverride -H \"Content-Length:55\" -A \"Host: spoofed.com\"\n# -A add header, -H override header\n\n```\n**Remove Header of an HTTP request**:\n```shell\ncat [raw_request] | httpoverride -H \"Accept:\" # or -H \"Accept\"\n```\n\n\n### 📬 `httpclient`\n*\u003e transmit HTTP request to server (HTTP client)*\n\n**Send a raw HTTP request**:\n```shell\ncat [raw_request] | httpclient [protocol]:[url]:[port]  # port is optional: https -\u003e 443, http -\u003e 80\n```\n\n**Send request and see response in browser**:\n```shell\ncat [raw_request] | httpclient -B [protocol]:[url]:[port]  # -Bc use cookie for future requests in browser\n# Open browser and visit the link displayed\n```\n\n## Install\n```shell\n# From Release:\ncurl -lO -L https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpcustomhouse \u0026\u0026 chmod +x httpcustomhouse\ncurl -lO -L https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpoverride \u0026\u0026 chmod +x httpoverride\ncurl -lO -L https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpclient \u0026\u0026 chmod +x httpclient\n# With 
go:\ngo install github.com/ariary/HTTPCustomHouse/cmd/httpcustomhouse@latest\ngo install github.com/ariary/HTTPCustomHouse/cmd/httpclient@latest\ngo install github.com/ariary/HTTPCustomHouse/cmd/httpoverride@latest\n```\n\n\n## *\"HTTP Request Smuggling\"* Kezako?\n\nHTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests. It was discovered in 2005 and repopularized by PortSwigger's research.\n\nIt happens when users send requests to a front-end server (load balancer or reverse proxy) and this server forwards requests to one or more back-end servers.\n\nWhen the front-end server forwards HTTP requests to a back-end server, it typically sends several requests over the same back-end network connection (efficient and performant). The protocol is very simple: HTTP requests are sent one after another, and the receiving server parses the HTTP request headers to determine where one request ends and the next one begins. **HTTP request smuggling consists of misleading the back-end server's HTTP request parsing so that requests are interpreted differently by the front-end and back-end systems** (failure to adequately determine where requests begin \u0026 end)\n\n\nWe have 3 possibilities:\n* **CL.TE**: Front end uses `Content-Length` header and the back end uses `Transfer-Encoding`\n* **TE.CL**: Front end: `Transfer-Encoding`, back end: `Content-Length`. (Fake `Content-Length`)\n* **TE.TE**: Both servers use `Transfer-Encoding` but one of them can be induced to not process it by obfuscating the header in some way\n\n\n## Building HTTP request\n\nAs `httpcustomhouse` takes a raw HTTP request as input, you need to be able to construct one. 
There are several ways:\n* Intercept request with `burp`, `mitmproxy` and save it to a file\n* Use curl and an HTTP [`echo-server`](https://github.com/ariary/httpecho) to see sent request and save it to a file ***(SUGGESTED)***\n* Take inspiration from the templates present in `samples` directory\n\n**⚠️**: It is important to keep the `\\r` character and other special characters in your request file. Editing the request with an editor could strip them. Use `cat -A` to see them. For example, in chunk encoding the final `0` must be followed by `\\r\\n\\r\\n`. \n\n### Use echo server\n\n**First**, set up an [echo server](https://github.com/ariary/httpecho):\n```shell\nhttpecho -d raw\n# will save request in \"raw\" file\n``` \n\nThen make your `curl` request specifying your echo server as a proxy (the request won't reach the end server):\n```shell\ncurl --proxy http://localhost:[port] ...REQUEST...\n```\n\n#### Alternatives\n##### `Socat`\n\nServes continuously + shows `\\r` characters\n\nThe one-liner:\n```shell\nsocat -v -v TCP-LISTEN:8888,crlf,reuseaddr,fork SYSTEM:\"echo HTTP/1.0 200; echo Content-Type\\: text/plain; echo; cat\"\n```\n\n##### `netcat`\n\nServe 1 request + save it in a file\n\nThe one-liner:\n```shell\nnc -lp 8888 -c \"tee myfile\"\n## or nc -nlvp 8888 \u003e myfile  2\u003e/dev/null \u0026\n```\n\n\n## Send raw HTTP request\n\nAs we deal with raw HTTP requests, we must be able to send them. 
`httpclient` is the equivalent of **`curl` for raw requests**.\n\n**Why?**\n* `curl` \u0026 go http client rewrite the HTTP request (this is not satisfying for web pentest in general)\n* `ncat` and `openssl s_client` aren't fully satisfying either\n\n```shell\ncat [raw_request] | httpclient https://[URL]:[PORT]\n```\n\n### Alternatives\nWhen your request is ready, send it:\n```shell\ncat [raw_request] | openssl s_client -ign_eof -connect [target_url]:443\n# or use ncat from nmap package\ncat [raw_request] | ncat --ssl [target_url] 443\n# or if target does not use tls/ssl\ncat [raw_request] | nc -q 5 [target_url] 80 # or -w 5\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fhttpcustomhouse","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fariary%2Fhttpcustomhouse","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fhttpcustomhouse/lists"}