{"id":27125598,"url":"https://github.com/exploitworks/desyncdiver","last_synced_at":"2025-04-12T04:59:50.527Z","repository":{"id":286344396,"uuid":"961129571","full_name":"ExploitWorks/DesyncDiver","owner":"ExploitWorks","description":"A tool for detecting HTTP Request Smuggling vulnerabilities","archived":false,"fork":false,"pushed_at":"2025-04-06T14:05:33.000Z","size":22,"stargazers_count":16,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-11T01:54:49.830Z","etag":null,"topics":["bash-script","bugbounty","ctf-tools","cybersecurity","desynchronization","hacking-tool","http-desync","http-request-smuggling","http-security","penetration-testing","pentesting","protocol","protocol-attack","request-smuggling","security-testing","vulnerability-scanners","web-application-security","web-security"],"latest_commit_sha":null,"homepage":"https://reschj.one","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ExploitWorks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-04-05T20:18:24.000Z","updated_at":"2025-04-10T18:44:22.000Z","dependencies_parsed_at":"2025-04-09T17:56:48.845Z","dependency_job_id":null,"html_url":"https://github.com/ExploitWorks/DesyncDiver","commit_stats":null,"previous_names":["reschjonas/desyncdiver","exploitworks/desyncdiver"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ExploitWorks%2FDesyncDiver","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ExploitWorks%2FDesyncDiver/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ExploitWorks%2FDesyncDiver/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ExploitWorks%2FDesyncDiver/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ExploitWorks","download_url":"https://codeload.github.com/ExploitWorks/DesyncDiver/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248328108,"owners_count":21085258,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash-script","bugbounty","ctf-tools","cybersecurity","desynchronization","hacking-tool","http-desync","http-request-smuggling","http-security","penetration-testing","pentesting","protocol","protocol-attack","request-smuggling","security-testing","vulnerability-scanners","web-application-security","web-security"],"created_at":"2025-04-07T15:20:35.053Z","updated_at":"2025-04-11T01:54:53.790Z","avatar_url":"https://github.com/ExploitWorks.png","language":"Shell","readme":"# DesyncDiver\n\n**Active HTTP Desynchronization Vulnerability Scanner**\n\n```\n██████╗ ███████╗███████╗██╗   ██╗███╗   ██╗ ██████╗██████╗ ██╗██╗   ██╗███████╗██████╗ \n██╔══██╗██╔════╝██╔════╝╚██╗ ██╔╝████╗  ██║██╔════╝██╔══██╗██║██║   ██║██╔════╝██╔══██╗\n██║  ██║█████╗  ███████╗ ╚████╔╝ ██╔██╗ ██║██║     ██║  ██║██║██║   ██║█████╗  ██████╔╝\n██║  ██║██╔══╝  ╚════██║  ╚██╔╝  ██║╚██╗██║██║     ██║  ██║██║╚██╗ ██╔╝██╔══╝  ██╔══██╗\n██████╔╝███████╗███████║   ██║   ██║ ╚████║╚██████╗██████╔╝██║ ╚████╔╝ ███████╗██║  ██║\n╚═════╝ ╚══════╝╚══════╝   ╚═╝   ╚═╝  ╚═══╝ ╚═════╝╚═════╝ ╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝\n```\n\nDesyncDiver is a bash-based tool for detecting HTTP Request Smuggling (Desynchronization) vulnerabilities in web servers and proxy chains. It actively tests targets by sending specially crafted HTTP requests designed to identify parsing inconsistencies between front-end and back-end servers.\n\n## Features\n\n- **Advanced Payload Generation**: Creates and sends specially formatted HTTP requests that test for various desynchronization vulnerabilities\n- **Multiple Vulnerability Detection**: Tests for CL-TE, TE-CL, TE-TE, CL-CL and other header-based HTTP request smuggling vectors\n- **Detailed Reporting**: Generates comprehensive HTML reports with findings, recommendations, and technical details\n- **Flexible Configuration**: Customize headers, cookies, HTTP methods, and other parameters to suit your testing needs\n\n## Installation\n\nDesyncDiver requires the following dependencies:\n- bash\n- curl\n- netcat (nc)\n- openssl\n- sed\n- grep\n- awk\n\nMost Linux distributions have these tools pre-installed. If not, you can install them using your package manager:\n\n```bash\n# For Debian/Ubuntu\nsudo apt-get install bash curl netcat-openbsd openssl sed grep gawk\n\n# For RHEL/CentOS/Fedora\nsudo dnf install bash curl nc openssl sed grep gawk\n```\n\nTo install DesyncDiver:\n\n```bash\n# Clone the repository\ngit clone https://github.com/reschjonas/DesyncDiver.git\n\n# Navigate to the directory\ncd desyncdiver\n\n# Make the script executable\nchmod +x desyncdiver.sh\n```\n\n## Usage\n\nBasic usage:\n\n```bash\n./desyncdiver.sh -u https://example.com\n```\n\nAdvanced usage with options:\n\n```bash\n./desyncdiver.sh -u https://example.com -v -t 15 -o ./my-results -p http://proxy:8080 -H \"Authorization: Bearer token\" -c \"session=abc123\"\n```\n\n### Options\n\n| Option | Description |\n|--------|-------------|\n| `-u, --url \u003curl\u003e` | Target URL (required) |\n| `-o, --output \u003cdir\u003e` | Output directory for results (default: ./results) |\n| `-t, --timeout \u003csec\u003e` | Request timeout in seconds (default: 10) |\n| `-p, --proxy \u003cproxy\u003e` | Use proxy (format: http://host:port) |\n| `-c, --cookies \u003ccookies\u003e` | Cookies to include with requests |\n| `-H, --header \u003cheader\u003e` | Additional headers (can be used multiple times) |\n| `-m, --methods \u003cmethods\u003e` | HTTP methods to test (default: GET,POST) |\n| `-v, --verbose` | Enable verbose output |\n| `-h, --help` | Display help message |\n\n## Examples\n\nTest a single website with default options:\n```bash\n./desyncdiver.sh -u https://example.com\n```\n\nTest with verbose output and custom timeout:\n```bash\n./desyncdiver.sh -u https://example.com -v -t 15\n```\n\nTest with custom headers and cookies:\n```bash\n./desyncdiver.sh -u https://example.com -H \"X-Custom-Header: Value\" -c \"session=abc123\"\n```\n\n## How It Works\n\nDesyncDiver works by:\n\n1. Generating specially crafted HTTP requests with various header combinations\n2. Testing Content-Length and Transfer-Encoding header inconsistencies\n3. Analyzing server responses for anomalies or unexpected behaviors\n4. Identifying potential desynchronization vulnerabilities based on response patterns\n5. Generating detailed reports with findings and recommendations\n\n## Security Considerations\n\n- **Authorization**: Always ensure you have proper authorization before testing any website\n- **Legal Implications**: Unauthorized testing may be illegal in many jurisdictions\n- **Impact**: HTTP Request Smuggling tests can potentially disrupt service operations\n\n## License\n\nThis project is licensed under the MIT License - see the LICENSE.md file for details.\n\n## Acknowledgments\n\n- Inspired by the research on HTTP Request Smuggling by [James Kettle (PortSwigger)](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)\n- Thanks to the security community for documenting these vulnerabilities \n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexploitworks%2Fdesyncdiver","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fexploitworks%2Fdesyncdiver","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexploitworks%2Fdesyncdiver/lists"}