🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more
Socket
DemoInstallSign in
Socket

httpinsert

Package Overview
Dependencies
Maintainers
1
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

httpinsert

HTTPInsert - Inserting payloads into all sections of HTTP requests

3.2.2
PyPI
Maintainers
1

HTTPInsert

A library written for finding insertion points in HTTP requests and injecting payloads.

  • Disclaimer
  • About
  • Installation
  • Example usage
  • Custom insertion points
  • Todo

Disclaimer

  • This is considered to be a beta release, and may contain bugs and unintentional behavior. Consider yourself warned!

About

HTTPInsert is a library written for finding insertion points in HTTP requests and injecting palyoads.

There are countless scanners parsing for insertion points in their own unique way, some better than others. This is my attempt at making a simple to use library for finding and handling insertion points, making it easier to create new and awesome vulnerabilitiy scanners.

Installation

python3 -m pip install httpinsert

Example usage

from httpinsert import Location, requests_request
from httpinsert.insertion_points import InsertionPoint, find_insertion_points
from requests import Request

requests_req = Request("GET","https://example.com/endpoint?param=value&other=param")

httpinsert_request = requests_request(requests_req)

insertion_points = find_insertion_points(httpinsert_request,default=True,location="Query") # Specifying default=True excludes multiple params such as keys

payload = "SomePayloadToInject"
for insertion_point in insertion_points:
    insertion = insertion_point.insert(payload,httpinsert_request,format_payload=True)
    resp, response_time, error = httpinsert_request.send(insertions=[insertion])
    print(resp,response_time,error,insertion.full_section) # full_section is the full section after the payload is injected. In this case full_section is the full URL.
    print(insertion.full_section == resp.request.url) # True

Custom insertion points

It is possible to create custom logic for finding insertion points and injecting payloads.

Here's an example of how to create a new insertion point between all dashes:

class Dashes(Location):
    def find_insertion_points(self,request):
        parsed_url = urlparse(request.url)
        path = parsed_url.path
        segments = path.split("-")
        insertion_points = []
        for c,segment in enumerate(segments):
            insertion_points.append(InsertionPoint(self,"dashes", str(c), segment))
        return insertion_points

    def insert_payload(self,request,insertion_point,payload,default_encoding):
        if default_encoding is True:
            if isinstance(payload,str):
                payload=quote(payload) # Encode the payload
            else:
                payload = [quote(i) for i in payload]
        parsed_url = urlparse(request.url)
        path = parsed_url.path
        segments = path.split("-")
        if int(insertion_point.key) == len(segments):
            path+=payload
        else:
            segments[int(insertion_point.key)] = payload
            path = "-".join(segments)
        url = urlunparse(parsed_url._replace(path=path))
        request.url=url
        return request,request.url

Dashes() # Important to create the object to include this object in the list of custom insertion points

Todo

  • Properly handle errors
  • Add more content types such as multipart
  • Add support of converting between content types
  • Multiple TODO's are scattered around the code, these will be addressed some time in the future.
  • Consider writing a custom JSON parsing library
  • Consider writing a cusom XML parsing library

Keywords

python

FAQs

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts