2015-06-22 13:12:20 +00:00
|
|
|
{% extends "docframe.html" %} {% block body %}
|
2012-06-23 23:14:54 +00:00
|
|
|
<div class="page-header">
|
2015-06-22 13:12:20 +00:00
|
|
|
<h1>
|
2012-06-23 23:14:54 +00:00
|
|
|
pathoc
|
|
|
|
<small>A perverse HTTP client.</small>
|
|
|
|
</h1>
|
|
|
|
</div>
|
2012-06-23 22:18:20 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>
|
2015-06-26 09:47:39 +00:00
|
|
|
Pathoc is a perverse HTTP daemon designed to let you craft almost any conceivable
|
|
|
|
HTTP request, including ones that creatively violate the standards. HTTP requests
|
|
|
|
are specified using a
|
|
|
|
<a href="/docs/language">small, terse language</a>, which pathod shares with
|
|
|
|
its server-side twin <a href="/docs/pathod">pathod</a>. To view pathoc's complete
|
|
|
|
range of options, use the command-line help:
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
2012-08-07 11:19:48 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<pre class="terminal">pathoc --help</pre>
|
2012-06-23 22:18:20 +00:00
|
|
|
|
2012-07-30 09:12:42 +00:00
|
|
|
<section>
|
|
|
|
<div class="page-header">
|
2015-06-22 13:12:20 +00:00
|
|
|
<h1>Getting Started</h1>
|
2012-07-30 09:12:42 +00:00
|
|
|
</div>
|
2015-04-18 05:04:24 +00:00
|
|
|
|
2012-08-07 11:19:48 +00:00
|
|
|
<p>The basic pattern for pathoc commands is as follows: </p>
|
|
|
|
|
|
|
|
<pre class="terminal">pathoc hostname request [request ...]</pre>
|
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>
|
2015-06-26 09:47:39 +00:00
|
|
|
That is, we specify the hostname to connect to, followed by one or more requests.
|
|
|
|
Lets start with a simple example:
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
|
|
|
|
|
|
|
<pre class="terminal">
|
|
|
|
> pathoc google.com get:/ << 301 Moved Permanently: 219 bytes
|
|
|
|
</pre>
|
|
|
|
|
|
|
|
<p>
|
2015-06-26 09:47:39 +00:00
|
|
|
Here, we make a GET request to the path / on port 80 of google.com. Pathoc's output
|
|
|
|
tells us that the server responded with a 301. We can tell pathoc to connect
|
|
|
|
using SSL, in which case the default port is changed to 443 (you can over-ride
|
|
|
|
the default port with the <b>-p</b> command-line option):
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
|
|
|
|
|
|
|
<pre class="terminal">
|
|
|
|
> pathoc -s google.com get:/ << 301 Moved Permanently: 219 bytes
|
|
|
|
</pre>
|
2012-07-30 09:12:42 +00:00
|
|
|
</section>
|
|
|
|
|
|
|
|
|
2012-09-25 23:21:40 +00:00
|
|
|
<section>
|
|
|
|
<div class="page-header">
|
2015-06-22 13:12:20 +00:00
|
|
|
<h1>Multiple Requests</h1>
|
2012-09-25 23:21:40 +00:00
|
|
|
</div>
|
2015-04-18 05:04:24 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>
|
|
|
|
There are two ways to tell pathoc to issue multiple requests. The first is to specify
|
|
|
|
them on the command-line, like so:
|
|
|
|
</p>
|
2012-09-25 23:21:40 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<pre class="terminal">
|
|
|
|
> pathoc google.com get:/ get:/ << 301 Moved Permanently: 219 bytes <<
|
|
|
|
301 Moved Permanently: 219 bytes
|
|
|
|
</pre>
|
2012-09-25 23:21:40 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>
|
2015-06-26 09:47:39 +00:00
|
|
|
In this case, pathoc issues the specified requests over the same TCP connection -
|
|
|
|
so in the above example only one connection is made to google.com
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
2015-04-18 05:04:24 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>The other way to issue multiple requets is to use the <b>-n</b> flag:</p>
|
2012-09-25 23:21:40 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<pre class="terminal">
|
|
|
|
> pathoc -n 2 google.com get:/ << 301 Moved Permanently: 219 bytes << 301
|
|
|
|
Moved Permanently: 219 bytes
|
|
|
|
</pre>
|
2012-09-25 23:21:40 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>
|
2015-06-26 09:47:39 +00:00
|
|
|
The output is identical, but two separate TCP connections are made to the upstream
|
|
|
|
server. These two specification styles can be combined:
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
2012-09-25 23:21:40 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<pre class="terminal">
|
|
|
|
> pathoc -n 2 google.com get:/ get:/ << 301 Moved Permanently: 219 bytes <<
|
|
|
|
301 Moved Permanently: 219 bytes << 301 Moved Permanently: 219 bytes <<
|
|
|
|
301 Moved Permanently: 219 bytes
|
|
|
|
</pre>
|
2012-09-25 23:21:40 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>Here, two distinct TCP connections are made, with two requests issued over each.</p>
|
2012-09-25 23:21:40 +00:00
|
|
|
</section>
|
|
|
|
|
|
|
|
|
2012-07-30 09:12:42 +00:00
|
|
|
<section>
|
|
|
|
<div class="page-header">
|
2015-06-22 13:12:20 +00:00
|
|
|
<h1>Basic Fuzzing</h1>
|
2012-07-30 09:12:42 +00:00
|
|
|
</div>
|
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>
|
2015-06-26 09:47:39 +00:00
|
|
|
The combination of pathoc's powerful request specification language and a few of
|
|
|
|
its command-line options makes for quite a powerful basic fuzzer. Here's
|
|
|
|
an example:
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
2012-08-07 11:19:48 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<pre class="terminal">
|
|
|
|
> pathoc -e -I 200 -t 2 -n 1000 localhost get:/:b@10:ir,@1
|
|
|
|
</pre>
|
2012-08-07 11:19:48 +00:00
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>
|
2015-06-26 09:47:39 +00:00
|
|
|
The request specified here is a valid GET with a body consisting of 10 random bytes,
|
|
|
|
but with 1 random byte inserted in a random place. This could be in the headers,
|
|
|
|
in the initial request line, or in the body itself. There are a few things
|
|
|
|
to note here:
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
2012-11-16 02:00:15 +00:00
|
|
|
|
|
|
|
<ul>
|
2015-06-22 13:12:20 +00:00
|
|
|
<li>
|
2015-06-26 09:47:39 +00:00
|
|
|
Corrupting the request in this way will often make the server enter a state where
|
|
|
|
it's awaiting more input from the client. This is where the
|
|
|
|
<b>-t</b> option comes in, which sets a timeout that causes pathoc to
|
|
|
|
disconnect after two seconds.
|
2015-06-22 13:12:20 +00:00
|
|
|
</li>
|
|
|
|
|
|
|
|
<li>
|
|
|
|
The <b>-n</b> option tells pathoc to repeat the request 1000 times.
|
|
|
|
</li>
|
|
|
|
|
|
|
|
<li>
|
2015-06-26 09:47:39 +00:00
|
|
|
The <b>-I</b> option tells pathoc to ignore HTTP 200 response codes.
|
|
|
|
You can use this to fine-tune what pathoc considers to be an exceptional
|
|
|
|
condition, and therefore log-worthy.
|
2015-06-22 13:12:20 +00:00
|
|
|
</li>
|
|
|
|
|
|
|
|
<li>
|
2015-06-26 09:47:39 +00:00
|
|
|
The <b>-e</b> option tells pathoc to print an explanation of each logged
|
|
|
|
request, in the form of an expanded pathoc specification with all random
|
|
|
|
portions and automatic header additions resolved. This lets you precisely
|
|
|
|
replay a request that triggered an error.
|
2015-06-22 13:12:20 +00:00
|
|
|
</li>
|
2012-11-16 02:00:15 +00:00
|
|
|
</ul>
|
2012-08-07 11:19:48 +00:00
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<div class="page-header">
|
2015-06-22 13:12:20 +00:00
|
|
|
<h1>Interacting with Proxies</h1>
|
2012-08-07 11:19:48 +00:00
|
|
|
</div>
|
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>
|
|
|
|
Pathoc has a reasonably sophisticated suite of features for interacting with proxies.
|
2015-06-26 09:47:39 +00:00
|
|
|
The proxy request syntax very closely mirrors that of straight HTTP, which
|
|
|
|
means that it is possible to make proxy-style requests using pathoc without
|
|
|
|
any additional syntax, by simply specifying a full URL instead of a simple
|
|
|
|
path:
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
2012-08-07 11:19:48 +00:00
|
|
|
|
|
|
|
<pre class="terminal">> pathoc -p 8080 localhost "get:'http://google.com'"</pre>
|
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>
|
2015-06-26 09:47:39 +00:00
|
|
|
Another common use case is to use an HTTP CONNECT request to probe remote servers
|
|
|
|
via a proxy. This is done with the <b>-c</b> command-line option,
|
|
|
|
which allows you to specify a remote host and port pair:
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
2013-01-05 07:46:31 +00:00
|
|
|
|
|
|
|
<pre class="terminal">> pathoc -c google.com:80 -p 8080 localhost get:/</pre>
|
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>
|
|
|
|
Note that pathoc does <b>not</b> negotiate SSL without being explictly instructed
|
2015-06-26 09:47:39 +00:00
|
|
|
to do so. If you're making a CONNECT request to an SSL-protected resource,
|
|
|
|
you must also pass the <b>-s</b> flag:
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
2013-01-05 07:46:31 +00:00
|
|
|
|
|
|
|
<pre class="terminal">> pathoc -sc google.com:443 -p 8080 localhost get:/</pre>
|
2012-07-30 09:12:42 +00:00
|
|
|
</section>
|
|
|
|
|
|
|
|
|
2015-04-18 05:04:24 +00:00
|
|
|
<section>
|
|
|
|
<div class="page-header">
|
2015-06-22 13:12:20 +00:00
|
|
|
<h1>Embedded response specification</h1>
|
2015-04-18 05:04:24 +00:00
|
|
|
</div>
|
|
|
|
|
2015-06-22 13:12:20 +00:00
|
|
|
<p>
|
2015-06-26 09:47:39 +00:00
|
|
|
One interesting feature of the Request sppecification language is that you can embed
|
|
|
|
a response specifcation in it, which is then added to the request path. Here's
|
|
|
|
an example:
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
|
|
|
|
|
|
|
<pre class="terminal">> pathoc localhost:9999 "get:/p/:s'401:ir,@1'"</pre>
|
|
|
|
|
|
|
|
<p>
|
2015-06-26 09:47:39 +00:00
|
|
|
This crafts a request that connects to the pathod server, and which then crafts a
|
|
|
|
response that generates a 401, with one random byte embedded at a random
|
|
|
|
point. The response specification is parsed and expanded by pathoc, so you
|
|
|
|
see syntax errors immediately. This really becomes handy when combined with
|
|
|
|
the <b>-e</b> flag to show the expanded request:
|
2015-06-22 13:12:20 +00:00
|
|
|
</p>
|
|
|
|
|
|
|
|
<pre class="terminal">
|
|
|
|
> > pathoc -e localhost:9999 "get:/p/:s'401:ir,@1'" >> Spec: get:/p/:s'401:i15,\'o\':h\'Content-Length\'=\'0\'':h'Content-Length'='0'
|
|
|
|
<< 401 Unoauthorized: 0 bytes </pre>
|
|
|
|
|
2015-06-26 09:47:39 +00:00
|
|
|
<p>
|
|
|
|
Note that the embedded response has been resolved <i>before</i> being sent
|
|
|
|
to the server, so that "ir,@1" (embed a random byte at a random location)
|
|
|
|
has become "i15,\'o\'" (embed the character "o" at offset 15). You now have
|
|
|
|
a pathoc request specification that is precisely reproducable, even with
|
|
|
|
random components. This feature comes in terribly handy when testing a proxy,
|
|
|
|
since you can now drive the server repsonse completely from the client, and
|
|
|
|
have a complete log of reproducible requests to analyse afterwards.
|
|
|
|
</p>
|
2015-04-18 05:04:24 +00:00
|
|
|
</section>
|
|
|
|
{% endblock %}
|