Bug #1442
closed
HTTP URL parser
Description
Wrong parsing by HTTP parser. The URL I have is: GET /kk/?error=The operation completed successfully&code=0 HTTP/1.0
It takes the space as the separator between the URL and the HTTP protocol. The decoded structure is:
"http": {
"hostname": "installs.ws",
"url": "/kk/?error=The",
"http_user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; WOW64; SV1; Acoo Browser; Avant Browser; Avant Browser; SlimBrowser)",
"http_content_type": "text/html",
"connection": "keep-alive",
"content_length": "568",
"content_type": "text/html; charset=ISO-8859-1",
"date": "Wed, 04 Mar 2015 15:05:39 GMT",
"server": "nginx/1.5.13",
"http_refer": "vi74mm4d.info",
"http_method": "GET",
"protocol": "operation completed successfully&code=0 HTTP/1.0",
"status": "200",
"length": 568,
"tx_id": 0
}
I'm using 2.1beta3
Updated by Victor Julien almost 10 years ago
I think suri/libhtp may be correct here, as the HTTP RFCs don't allow spaces in the URI. Can you confirm the server parses the URI correctly?
Updated by Lucky b56 almost 10 years ago
Yes. It's a malware trying to communicate with their custom HTTP server I believe.
Updated by Anoop Saldanha almost 10 years ago
Lucky b56 wrote:
Yes. It's a malware trying to communicate with their custom HTTP server I believe.
It's more like a custom server, rather than a custom HTTP server. It's just that the protocol is very similar to HTTP.
Updated by Victor Julien almost 10 years ago
Are you able to share a pcap either in the ticket or privately?
Updated by Lucky b56 almost 10 years ago
Unfortunately I don't have a pcap. You can close this issue now.
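A way to spot this parse result in logged HTTP records, as an added example that is not part of the original ticket or of Suricata/libhtp code: it splits the request line from the description both strictly and tolerantly, and flags any record whose "protocol" field is not a bare HTTP-version token. The function names are hypothetical; the "url" and "protocol" field names and the sample values are copied from the record in the description.

```python
import re

# HTTP-version token: "HTTP/" DIGIT "." DIGIT
HTTP_VERSION = re.compile(r"HTTP/\d\.\d")
# Anything, one whitespace character, then an HTTP-version at the very end
TRAILING_VERSION = re.compile(r"^(?P<rest>.*)\s(?P<version>HTTP/\d\.\d)$", re.S)


def split_request_line(line):
    """Split a raw request line two ways.

    strict:   method, target and remainder, cut at the first two spaces
              (this reproduces the decoded record shown in the ticket).
    tolerant: method is the first token, version is the last token if it
              looks like HTTP/x.y, everything in between is the target.
    """
    method, _, rest = line.partition(" ")
    target, _, remainder = rest.partition(" ")
    strict = (method, target, remainder)
    m = TRAILING_VERSION.match(rest)
    tolerant = (method, m["rest"], m["version"]) if m else (method, rest, None)
    return strict, tolerant


def check_http_record(http):
    """Return None for a normal record, otherwise a finding with the
    request target reassembled from the 'url' and 'protocol' fields."""
    protocol = http.get("protocol")
    if protocol is None or HTTP_VERSION.fullmatch(protocol):
        return None
    m = TRAILING_VERSION.match(protocol)
    spill, version = (m["rest"], m["version"]) if m else (protocol, None)
    return {
        "reason": "protocol field is not an HTTP-version token",
        "rebuilt_url": f'{http.get("url", "")} {spill}'.rstrip(),
        "version": version,
    }


# Sample input: the request line and two fields from the ticket's record
SAMPLE_LINE = "GET /kk/?error=The operation completed successfully&code=0 HTTP/1.0"
SAMPLE_HTTP = {
    "url": "/kk/?error=The",
    "protocol": "operation completed successfully&code=0 HTTP/1.0",
}

if __name__ == "__main__":
    print(split_request_line(SAMPLE_LINE))
    print(check_http_record(SAMPLE_HTTP))
```

A record flagged this way means the client sent a request target containing raw spaces, which is worth reviewing since ordinary HTTP clients percent-encode them.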