From 49b2c744e83b7de545d6897b8a8d838919deb5c5 Mon Sep 17 00:00:00 2001
From: Tom Hudson
Date: Mon, 14 Aug 2017 11:33:51 +0000
Subject: [PATCH] Adds lists, disables Opaque suffix
---
 lists/configfiles | 98 ++++++++++++++++++++++++---------------
 lists/crlfinjection | 9 +++++
 lists/openredirects | 12 ++++++
 req.go | 4 +-
 4 files changed, 75 insertions(+), 48 deletions(-)
 create mode 100644 lists/crlfinjection
 create mode 100644 lists/openredirects
diff --git a/lists/configfiles b/lists/configfiles
index b040611..046f41c 100644
--- a/lists/configfiles
+++ b/lists/configfiles
@@ -1,60 +1,66 @@
-/phpunix.xml
-/php.php
-/phpinfo.php
-/phptest.php
-/test.php
-/README.mkd
-/README.txt
-/README.md
-/README.html
-/README
-/readme.mkd
-/readme.txt
-/readme.md
-/readme.html
-/readme
+/.babelrc
+/.bash_history
+/.bashrc
 /build.xml
-/Makefile
+/circle.yml
 /composer.json
 /composer.lock
+/CVS/Entries
+/CVS/Root
+/Dockerfile
+/.dockerignore
+/.editorconfig
+/.git/config
+/.git/HEAD
 /.gitignore
-/Gulpfile
-/Gruntfile.js
+/gruntfile.coffee
 /Gruntfile.coffee
 /gruntfile.js
-/gruntfile.coffee
-/phpunix.xml
-/php.php
-/phpinfo.php
-/phptest.php
-/test.php
-/LICENSE
-/LICENSE.md
-/LICENSE.txt
+/Gruntfile.js
+/Gulpfile
+/gulpfile.js
+/Gulpfile.js
+/.hg
+/.htaccess
+/.htpasswd
+/Jenkinsfile
+/.jestrc
 /license
+/LICENSE
 /license.md
+/LICENSE.md
 /license.txt
-/.bash_history
-/.bashrc
+/LICENSE.txt
+/Makefile
+/mkdocs.yml
+/npm-debug.log
+/.npmignore
+/npm-shrinkwrap.json
+/package.json
+/phpinfo.php
+/php.php
+/phptest.php
+/phpunit.xml
 /.profile
-/.git/config
-/.git/HEAD
-/.svn/entries
+/readme
+/README
+/readme.html
+/README.html
+/readme.md
+/README.md
+/readme.mkd
+/README.mkd
+/readme.txt
+/README.txt
 /robots.txt
-/webpack.config.js
-/yarn.lock
-/.travis.yml
+/.svn/entries
+/.swp
+/tags
+/test.php
 /Thumbs.db
-/npm-debug.log
+/.travis.yml
+/tsconfig.json
+/webpack.config.js
 /yarn-debug.log
 /yarn-error.log
-/npm-shrinkwrap.json
-/Dockerfile
-/tags
-/.babelrc
-/.npmignore
-/.jestrc
-/.hg
-/.swp
-/CVS/Root
-/CVS/Entries
+/yarn.lock
diff --git a/lists/crlfinjection b/lists/crlfinjection
new file mode 100644
index 0000000..f45f8b0
--- /dev/null
+++ b/lists/crlfinjection
@@ -0,0 +1,9 @@
+/%0aSet-Cookie:crlf=injection
+/%250aSet-Cookie:crlf=injection
+/%25250aSet-Cookie:crlf=injection
+/%%0a0aSet-Cookie:crlf=injection
+/%3f%0dSet-Cookie:crlf=injection
+/%23%0dSet-Cookie:crlf=injection
+/%25%30aSet-Cookie:crlf=injection
+/%25%30%61Set-Cookie:crlf=injection
+/%u000aSet-Cookie:crlf=injection
diff --git a/lists/openredirects b/lists/openredirects
new file mode 100644
index 0000000..7b4c840
--- /dev/null
+++ b/lists/openredirects
@@ -0,0 +1,12 @@
+/http://example.com
+/%5cexample.com
+/%2f%2fexample.com
+/http:/example.com
+/?url=http://example.com&next=http://example.com&redirect=http://example.com
+/?url=//example.com&next=//example.com&redirect=//example.com
+/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com
+/redirect?url=http://example.com&next=http://example.com&redirect=http://example.com
+/redirect?url=//example.com&next=//example.com&redirect=//example.com
+/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com
+/.example.com
+///\;@example.com
diff --git a/req.go b/req.go
index 90e74ae..35cb7a8 100644
--- a/req.go
+++ b/req.go
@@ -23,7 +23,7 @@ var httpClient = &http.Client{
 func httpRequest(method, prefix, suffix string) (response, error) {
- req, err := http.NewRequest(method, prefix, nil)
+ req, err := http.NewRequest(method, prefix+suffix, nil)
 if err != nil {
 return response{}, err
 }
@@ -32,7 +32,7 @@ func httpRequest(method, prefix, suffix string) (response, error) {
 // Because we sometimes want to send some fairly dodgy paths,
 // like /%%0a0afoo for example, we need to set the path on
 // req.URL's Opaque field where it won't be parsed or encoded
- req.URL.Opaque = suffix
+ //req.URL.Opaque = suffix
 // It feels super nasty doing this, but some sites act differently
 // when they don't recognise the user agent. E.g. some will just
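Review bot: Passing `prefix+suffix` to `http.NewRequest` sends the suffix through `url.Parse`, so it is now validated and re-escaped instead of being used verbatim, and the two entries `/%%0a0aSet-Cookie:crlf=injection` and `/%u000aSet-Cookie:crlf=injection` that this same commit adds in lists/crlfinjection contain escapes net/url rejects, so `NewRequest` will return an `invalid URL escape` error for them and those list entries are never sent (inferred from net/url's unescape rules; worth pinning with a unit test that feeds every list entry through httpRequest). The backslash in the `/\/` and `///\;@` entries of lists/openredirects will presumably be percent-encoded on the wire for the same reason, so the file no longer tests what its entries suggest. Because the error is returned bare, a caller cannot tell "this entry is unsendable" from a network failure; wrapping it with the entry, e.g. `return response{}, fmt.Errorf("building request for %q: %v", suffix, err)` (needs fmt imported), makes the dropped entries visible. httpRequest's body continues outside the hunk.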
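Review bot: The three comment lines kept above the change still state that the path must be placed on `req.URL.Opaque` so it is not parsed or encoded, but the assignment beneath them is now commented out, so the comment documents behaviour the code no longer has. Commenting the line out rather than deleting it also leaves dead code with no explanation of why it was disabled, which the next reader will be tempted to re-enable. Delete the line and replace the comment with the current contract, e.g. `// The suffix is appended to prefix before parsing, so net/url validates and escapes it; entries with malformed escapes make NewRequest fail rather than being sent raw.`, and if the `//`-prefixed openredirects entries were the reason for dropping Opaque, say so there. httpRequest's body starts and ends outside this hunk.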