-
Notifications
You must be signed in to change notification settings - Fork 294
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature fail http to https for known status code and substrings #308
Conversation
Merge master into fork
Merge back into master
Sync master
Sync with upstream master
…ed and certain known responses are encountered indicating HTTPS should be used * Apache: HTTP/400, substring "You're speaking plain HTTP to an SSL-enabled server port" * NGINX: HTTP/400, substring "The plain HTTP request was sent to HTTPS port"
modules/http/scanner.go
Outdated
if readLen < sliceLen { | ||
sliceLen = readLen | ||
} | ||
sliceBuf := bodyText[0:sliceLen] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you can replace with this sliceBuf := bodyText[:sliceLen]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @vl4deee11, just committed. I'm very slowly picking up go as you can tell :>
@dadrian what are your thoughts on this? Is it a reasonable feature to include for the http module? I've gotten a good deal of use out of it and couldn't find any alternative aside from postprocessing results and running again, forcing https for the servers that behaved this way |
poke :) |
This implements what is described in #273. If zgrab2 http was invoked with
--retry-https
, the response code to a request is 400 AND one of the three known substrings is present, consider it as a protocol failure to cause a retry as HTTPSHow to Test
Use against an nginx or Apache server that speaks HTTPS. Specify
--retry-https
and the flag implemented here (--fail-http-to-https
). Rather than storing the 400 response that suggests you retry the request as HTTPS, zgrab2 will automatically retry as HTTPSNotes & Caveats
This is not a generic solution- it's a specific workaround for specific HTTP servers- nginx and Apache. I believe that the substrings included have very good coverage for this sort of behavior based on some sample data I collected
I considered what impact this might have on performance, but I figured since the function this happens in is responsible for performing the hashing of the body the limited logic and string comparisons shouldn't be much overhead. To be on the safe side, I slice the string down to a smaller size since the sub-strings it looks for are always towards the beginning of the response
Issue Tracking
Issue #273