Bug #1442

closed

HTTP URL parser

Added by Lucky b56 over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

Wrong parsing by HTTP parser. The URL I have is:

GET /kk/?error=The operation completed successfully&code=0 HTTP/1.0

It takes the space as the URL and HTTP protocol separator. The decoded structure is:

"http": {
    "hostname": "installs.ws",
    "url": "/kk/?error=The",
    "http_user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; WOW64; SV1; Acoo Browser; Avant Browser; Avant Browser; SlimBrowser)",
    "http_content_type": "text/html",
    "connection": "keep-alive",
    "content_length": "568",
    "content_type": "text/html; charset=ISO-8859-1",
    "date": "Wed, 04 Mar 2015 15:05:39 GMT",
    "server": "nginx/1.5.13",
    "http_refer": "vi74mm4d.info",
    "http_method": "GET",
    "protocol": "operation completed successfully&code=0 HTTP/1.0",
    "status": "200",
    "length": 568,
    "tx_id": 0
}

I'm using 2.1beta3

Actions #1

Updated by Victor Julien over 6 years ago

I think suri/libhtp may be correct here, as the HTTP RFCs don't allow spaces in the URI. Can you confirm the server parses the URI correctly?
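
The field split reported in the description and the space-in-URI point raised in this comment, as an added example (not Suricata or libhtp code). `split_strict` reproduces the field boundaries seen in the ticket's output; `split_lenient` is an assumed alternative that treats a trailing `HTTP/x.y` token as the version, so the disagreement can be flagged as an anomaly. All function names are hypothetical.

```python
import re

# A well-formed version token such as HTTP/1.0 or HTTP/1.1
VERSION_RE = re.compile(r"^HTTP/\d\.\d$")

def split_strict(line):
    """Split at the first two spaces: method, target, everything else.
    This yields the same url/protocol values as the ticket's output."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    method, target, protocol = parts
    return {"http_method": method, "url": target, "protocol": protocol}

def split_lenient(line):
    """Assumed alternative: first token is the method, last token is the
    version if it looks like HTTP/x.y, and the target is all text between."""
    method, sep, rest = line.partition(" ")
    if not sep:
        return None
    target, sep, protocol = rest.rpartition(" ")
    if not sep or not VERSION_RE.match(protocol):
        return None
    return {"http_method": method, "url": target, "protocol": protocol}

def analyze(line):
    """Run both splits and list what a sensor could alert on."""
    strict = split_strict(line)
    lenient = split_lenient(line)
    anomalies = []
    if strict and not VERSION_RE.match(strict["protocol"]):
        anomalies.append("protocol field is not HTTP/x.y")
    if lenient and " " in lenient["url"]:
        anomalies.append("unencoded space in request target")
    return {"strict": strict, "lenient": lenient, "anomalies": anomalies}

# Request line quoted in the ticket description
TICKET_LINE = "GET /kk/?error=The operation completed successfully&code=0 HTTP/1.0"
# Constructed well-formed request line for comparison
CLEAN_LINE = "GET /kk/?error=ok&code=0 HTTP/1.0"

if __name__ == "__main__":
    for sample in (TICKET_LINE, CLEAN_LINE):
        print(analyze(sample))
```
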

Actions #2

Updated by Lucky b56 over 6 years ago

Yes. It's a malware trying to communicate with their custom HTTP server I believe.

Actions #3

Updated by Anoop Saldanha over 6 years ago

Lucky b56 wrote:

Yes. It's a malware trying to communicate with their custom HTTP server I believe.

It's more like a custom server, rather than a custom HTTP server. It's just that the protocol is very similar to HTTP.

Actions #4

Updated by Victor Julien over 6 years ago

Are you able to share a pcap either in the ticket or privately?

Actions #5

Updated by Lucky b56 over 6 years ago

Unfortunately I don't have a pcap. You can close this issue now.

Actions #6

Updated by Victor Julien over 6 years ago

  • Status changed from New to Closed