Passive mode fails to parse http request responses: Could not read raw response .. malformed HTTP status code ... #2068

Closed
nil0x42 opened this issue May 25, 2022 · 1 comment · Fixed by #2192
Labels
Priority: Medium This issue may be useful, and needs some attention. Status: Completed Nothing further to be done with this issue. Awaiting to be closed. Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

nil0x42 commented May 25, 2022

Nuclei version:

2.7.1

Current Behavior:

nuclei passive mode completely fails to parse an HTTP response if the response body contains the string HTTP/1.1 somewhere else.

Expected Behavior:

nuclei should correctly parse HTTP responses.
When not possible, it should at least try to extract possible responses and match templates among all possibilities.

Steps To Reproduce:

I wrote a simple pastebin file here: https://pastebin.com/raw/TYsVwM0n, which can help reproduce the issue.

  1. Run proxify in a terminal.
  2. In another terminal, run curl --insecure -x 127.0.0.1:8888 'https://pastebin.com/raw/TYsVwM0n' to ask proxify to write the HTTP request/response file.
  3. A file like ./logs/pastebin.com*.txt has now been created by proxify.
  4. Run nuclei -passive -target ./logs/pastebin.com*.txt

Nuclei sees an HTTP/1.1 in the body, completely stops considering the first (legitimate) HTTP/1.1, and displays the same error thousands of times:

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.7.1

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] Found 2293 templates with runtime error (use -validate flag for further examination)
[INF] Using Nuclei Engine 2.7.1 (latest)
[INF] Using Nuclei Templates 9.0.2 (latest)
[INF] Templates added in last update: 24
[INF] Templates loaded for scan: 1038
[ERR] Could not read raw response pastebin.com:443-ca74m3uc7jlsd5a3vbp0.txt: malformed HTTP status code "FOO"
[ERR] Could not read raw response pastebin.com:443-ca74m3uc7jlsd5a3vbp0.txt: malformed HTTP status code "FOO"
[ERR] Could not read raw response pastebin.com:443-ca74m3uc7jlsd5a3vbp0.txt: malformed HTTP status code "FOO"
...
[ERR] Could not read raw response pastebin.com:443-ca74m3uc7jlsd5a3vbp0.txt: malformed HTTP status code "FOO"
[ERR] Could not read raw response pastebin.com:443-ca74m3uc7jlsd5a3vbp0.txt: malformed HTTP status code "FOO"
[ERR] Could not read raw response pastebin.com:443-ca74m3uc7jlsd5a3vbp0.txt: malformed HTTP status code "FOO"
[INF] No results found. Better luck next time!

For the record, here is the content of logs/pastebin/com*.txt on my computer:

GET /raw/TYsVwM0n HTTP/1.1
Host: pastebin.com
Accept: */*
User-Agent: curl/7.68.0

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Cache-Control: max-age=1800, must-revalidate
Cf-Cache-Status: MISS
Cf-Ray: 710f4cc23fa97cc5-LAX
Connection: keep-alive
Content-Type: text/plain; charset=utf-8
Date: Wed, 25 May 2022 15:28:16 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 25 May 2022 15:28:16 GMT
Pragma: no-cache
Server: cloudflare
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1;mode=block

38
line1
this is a line containing HTTP/1.1 FOO BAR
line3
0
@nil0x42 nil0x42 added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label May 25, 2022

nil0x42 commented May 25, 2022

Note that this issue actually arises more frequently than one could expect.
Indeed, any phpinfo output contains this string, as well as docs about the HTTP protocol.
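
Added example (not from the issue or from nuclei's code base): a Go sketch of the failure mode reported above. `naiveStatus` is a hypothetical parser that assumes the last `HTTP/1.1` token starts the response, while `sequentialParse` reads the request head first and then lets `net/http` frame the response; the log text is constructed from the file shown in the issue.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample in the request+response layout of the proxify log above.
const body = "line1\nthis is a line containing HTTP/1.1 FOO BAR\nline3\n"
var sampleLog = "GET /raw/TYsVwM0n HTTP/1.1\r\nHost: pastebin.com\r\nAccept: */*\r\n\r\n" +
	"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Type: text/plain\r\n\r\n" +
	fmt.Sprintf("%x\r\n%s\r\n0\r\n\r\n", len(body), body)

// naiveStatus (hypothetical, not nuclei's code) treats the last "HTTP/1.1" as the status line.
func naiveStatus(raw string) (int, error) {
	i := strings.LastIndex(raw, "HTTP/1.1")
	if i < 0 {
		return 0, fmt.Errorf("no status line found")
	}
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw[i:])), nil)
	if err != nil {
		return 0, err
	}
	return resp.StatusCode, resp.Body.Close()
}

// sequentialParse consumes the request head, then parses the response from the same reader,
// so body bytes are only ever read as body (the chunked framing is decoded by net/http).
func sequentialParse(raw string) (int, string, error) {
	br := bufio.NewReader(strings.NewReader(raw))
	req, err := http.ReadRequest(br)
	if err != nil {
		return 0, "", fmt.Errorf("request: %w", err)
	}
	resp, err := http.ReadResponse(br, req)
	if err != nil {
		return 0, "", fmt.Errorf("response: %w", err)
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(b), err
}

func main() {
	fmt.Println(naiveStatus(sampleLog))
	fmt.Println(sequentialParse(sampleLog))
}
```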

@ehsandeep ehsandeep added the Priority: Medium This issue may be useful, and needs some attention. label Jun 3, 2022
@Mzack9999 Mzack9999 self-assigned this Jun 21, 2022
@Mzack9999 Mzack9999 added the Status: In Progress This issue is being worked on, and has someone assigned. label Jun 21, 2022
@Mzack9999 Mzack9999 linked a pull request Jun 21, 2022 that will close this issue
@Mzack9999 Mzack9999 added Status: Review Needed The issue has a PR attached to it which needs to be reviewed and removed Status: In Progress This issue is being worked on, and has someone assigned. labels Jun 21, 2022
@ehsandeep ehsandeep added Status: Completed Nothing further to be done with this issue. Awaiting to be closed. and removed Status: Review Needed The issue has a PR attached to it which needs to be reviewed labels Jul 11, 2022
@ehsandeep ehsandeep added this to the v2.7.4 milestone Jul 18, 2022