HTTP Desync Attacks: Request Smuggling Reborn | Blog - PortSwigger
HTTP requests are traditionally viewed as isolated, standalone entities. In this paper, I'll explore forgotten techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $70k in bug bounties.
webapp  pentest  security  http  requestsmuggling 
august 2019 by whip_lash — A modern request bin to collect, inspect and debug HTTP requests and webhooks gives you a URL that collects requests you send it so you can inspect them in a human-friendly way.

Use to see what your HTTP client is sending or to inspect and debug webhook requests.
api  debugging  http  requests  headers  ssrf 
june 2019 by whip_lash
GitHub - trimstray/ Shell script for http/https troubleshooting and profiling. is a shell script for http/https troubleshooting and profiling. It's also a simple wrapper script around several open source security tools.
http  tools 
january 2019 by whip_lash
GitHub - pentesteracademy/patoolkit: PA Toolkit is a collection of traffic analysis plugins focused on security
PA Toolkit contains plugins (both dissectors and taps) covering various scenarios for multiple protocols, including:

WiFi (WiFi network summary, Detecting beacon, deauth floods etc.)
HTTP (Listing all visited websites, downloaded files)
HTTPS (Listing all websites opened on HTTPS)
ARP (MAC-IP table, Detect MAC spoofing and ARP poisoning)
DNS (Listing DNS servers used and DNS resolution, Detecting DNS Tunnels)
The project is under active development and more plugins will be added in the near future.
analysis  http  network  pentesting  https  wireshark  pcap  security 
december 2018 by whip_lash
CGIProxy -- HTTP/FTP Proxy in a CGI Script
This CGI script (or other) acts as an HTTP, HTTPS, or FTP proxy. Through it, you can retrieve any resource that is accessible from the server it runs on. This is useful when your own access is limited, but you can reach a server that in turn can reach others that you can't. In addition, the user is kept as anonymous as possible from any servers. Common uses include: anonymous proxies, other personal uses, VPN-like functionality, and others. It's very simple to install, and very configurable.
http  proxy 
december 2018 by whip_lash
The headers we don't want
HTTP headers are an important way of controlling how caches and browsers process your web content. But many are used incorrectly or pointlessly, which adds overhead at a critical time in the loading of your page, and may not work as you intended. In this first of a series of posts about header best practice, we’ll look at unnecessary headers.
http  web 
may 2018 by whip_lash
mitmproxy - an interactive HTTPS proxy
mitmproxy is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing. It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols. You can prettify and decode a variety of message types ranging from HTML to Protobuf, intercept specific messages on-the-fly, modify them before they reach their destination, and replay them to a client or server later on.
http  mitm  proxy  python 
february 2018 by whip_lash
Internet protocols are changing | APNIC Blog
Now, significant changes to the core Internet protocols are underway. While they are intended to be compatible with the Internet at large (since they won’t get adoption otherwise), they might be disruptive to those who have taken liberties with undocumented aspects of protocols or made an assumption that things won’t change.
dns  encryption  http  tls  internet 
december 2017 by whip_lash
This is a super simple service for generating different HTTP codes.

It's useful for testing how your own scripts deal with varying responses.

Just add the status code you want to the URL, like this:
http  testing  tools  webdev 
august 2017 by whip_lash
andreineculau/know-your-http-well · GitHub
HTTP headers, media types, methods, relations and status codes, all summarized and linking to their specification.
http  reference  codes 
september 2013 by whip_lash