{% extends "frame.html" %} {% block body %}

Pathoc is a perverse HTTP client designed to let you craft almost any conceivable HTTP request, including ones that creatively violate the standards. HTTP requests are specified using a small, terse language, which pathoc shares with its server-side twin pathod. To view pathoc's complete range of options, use the command-line help:

pathoc --help

The basic pattern for pathoc commands is as follows:

pathoc hostname request [request ...]

That is, we specify the hostname to connect to, followed by one or more requests. Let's start with a simple example:

> pathoc google.com get:/
<< 301 Moved Permanently: 219 bytes

Here, we make a GET request to the path / on port 80 of google.com. Pathoc's output tells us that the server responded with a 301. We can tell pathoc to connect using SSL, in which case the default port is changed to 443 (you can override the default port with the -p command-line option):

> pathoc -s google.com get:/
<< 301 Moved Permanently: 219 bytes

There are two ways to tell pathoc to issue multiple requests. The first is to specify them on the command-line, like so:

> pathoc google.com get:/ get:/
<< 301 Moved Permanently: 219 bytes
<< 301 Moved Permanently: 219 bytes

In this case, pathoc issues the specified requests over the same TCP connection, so in the above example only one connection is made to google.com.

The other way to issue multiple requests is to use the -n flag:

> pathoc -n 2 google.com get:/
<< 301 Moved Permanently: 219 bytes
<< 301 Moved Permanently: 219 bytes

The output is identical, but two separate TCP connections are made to the upstream server. These two specification styles can be combined:

> pathoc -n 2 google.com get:/ get:/
<< 301 Moved Permanently: 219 bytes
<< 301 Moved Permanently: 219 bytes
<< 301 Moved Permanently: 219 bytes
<< 301 Moved Permanently: 219 bytes

Here, two distinct TCP connections are made, with two requests issued over each.

The combination of pathoc's powerful request specification language and a few of its command-line options makes for quite a powerful basic fuzzer. Here's an example:

> pathoc -t 2 -n 1000 localhost get:/:b@10:ir,@1

The request specified here is a valid GET with a body consisting of 10 random bytes, but with 1 random byte inserted in a random place. This could be in the headers, in the initial request line, or in the body itself. Corrupting the request in this way will often make the server enter a state where it's awaiting more input from the client. This is where the -t option comes in, which sets a timeout that causes pathoc to disconnect after two seconds. Finally, the -n option tells pathoc to repeat the request 1000 times.
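To make the fuzzing spec above concrete, here is an added Python illustration (not pathoc's own code) that re-implements, in simplified and hypothetical form, just the three spec pieces used in that command: method:path, b@N and ir,@N. It renders the clean request, injects the random bytes at a random offset, and tallies over many iterations whether the corruption landed in the request line, the headers or the body:

```python
import random
from collections import Counter

# Hypothetical, simplified re-implementation of the spec forms used above; not pathoc's parser.

def render_request(spec, rng, host="localhost"):
    """Return (clean_request, fuzzed_request, injection_offset) for a spec
    such as 'get:/:b@10:ir,@1'; supports method:path, b@N and i<off|r>,@N."""
    parts = spec.split(":")  # quoted paths such as 'http://...' are not handled
    method, path = parts[0].upper(), parts[1]
    body, inject = b"", None
    for tok in parts[2:]:
        if tok.startswith("b@"):               # b@N: N random body bytes
            body = bytes(rng.randrange(256) for _ in range(int(tok[2:])))
        elif tok.startswith("i") and ",@" in tok:   # i<offset>,@N: inject N random bytes
            offset, count = tok[1:].split(",@")
            inject = (offset, int(count))
        else:
            raise ValueError("unsupported token: " + tok)
    head = "%s %s HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n\r\n" % (
        method, path, host, len(body))
    clean = head.encode() + body
    if inject is None:
        return clean, clean, None
    offset, count = inject
    # 'r' picks any offset in the whole message, so the noise can land in the
    # request line, the headers or the body, exactly as the text describes
    pos = rng.randrange(len(clean) + 1) if offset == "r" else int(offset)
    noise = bytes(rng.randrange(256) for _ in range(count))
    return clean, clean[:pos] + noise + clean[pos:], pos

def region_of(clean, pos):
    """Name the part of the clean request that an injection offset falls in."""
    line_end = clean.index(b"\r\n") + 2
    head_end = clean.index(b"\r\n\r\n") + 4
    if pos < line_end:
        return "request-line"
    if pos < head_end:
        return "headers"
    return "body"

def fuzz_batch(spec, n, seed=0):
    """Render the spec n times (like 'pathoc -n N') and count where the
    injected bytes landed; a fixed seed makes a run reproducible."""
    rng = random.Random(seed)
    hits = Counter()
    for _ in range(n):
        clean, _fuzzed, pos = render_request(spec, rng)
        hits["no-injection" if pos is None else region_of(clean, pos)] += 1
    return hits
```

Running fuzz_batch("get:/:b@10:ir,@1", 1000) shows all three regions being hit, which is why a server under this kind of test needs a read timeout of its own rather than relying on the client's -t.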

At the moment, pathoc has no explicit support for proxies, but there's a workaround that serves many use cases. Instead of specifying just a path, specify an entire URL as the path of the GET request, like so (assuming there's a proxy running on port 8080 of localhost):

> pathoc -p 8080 localhost "get:'http://google.com'"

Proxy support is going to be a major focus of development for the next version of pathoc, so keep an eye on the repo.

{% endblock %}