Fix for Delay function and Header definition #69
Open
DTBrowser wants to merge 5 commits into assetnote:main
Adding a description of fixes.
Extra Line added to fix Delay function.
Fix for improper header definition
Fix for improper header definition.
Importing time package.
During my assessments, I've identified some concerning flaws with Kiterunner, which prevented me from bypassing some security solutions, like WAFs.
The first problem was that I couldn't correctly define header values in the request. There were some WAF header values that, when passed to Kiterunner's -H flag, had their comma (,) interpreted as separating multiple header values and not as part of a single header value. This would make it impossible to define headers with comma values. I've identified that this happens because Kiterunner utilizes StringSliceVarP instead of StringArrayVarP to get header values. StringSliceVarP would interpret the comma value as CSV, separating it into multiple headers.
The second problem was with the delay function (--delay). I've identified that it doesn't matter which kind of value you input into Kiterunner; it will not have any effect. It's like it's not used at all. Well, that's actually what's happening here. Even though the delay value is retrieved from the input, it's not used when making the HTTP requests. If you look at pkg/kiterunner/kiterunner.go in the handleRequest function, specifically in routeloop, you will see that the Config.delay isn't used. To fix this, I've introduced a line of code that makes the program sleep for a while (depending on the --delay value).
That's it. Now it's possible to properly define a delay and security headers.
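The header-splitting behaviour described above, as an added example that is not part of this pull request or of Kiterunner's code. It uses only the standard library (`flag`, `encoding/csv`) to emulate slice-style versus array-style flag parsing; `sliceFlag`, `arrayFlag` and `parseHeaders` are hypothetical names, and the header values are constructed.

```go
package main

import (
	"encoding/csv"
	"flag"
	"fmt"
	"strings"
)

// sliceFlag (hypothetical) emulates slice-style parsing: each value is read as one CSV record.
type sliceFlag []string

func (s *sliceFlag) String() string { return strings.Join(*s, "|") }
func (s *sliceFlag) Set(v string) error {
	fields, err := csv.NewReader(strings.NewReader(v)).Read()
	if err != nil {
		return err
	}
	*s = append(*s, fields...) // a comma inside the value yields extra entries
	return nil
}

// arrayFlag (hypothetical) emulates array-style parsing: each occurrence is kept verbatim.
type arrayFlag []string

func (a *arrayFlag) String() string { return strings.Join(*a, "|") }
func (a *arrayFlag) Set(v string) error {
	*a = append(*a, v)
	return nil
}

// parseHeaders binds v to a repeatable -H flag and parses args into it.
func parseHeaders(v flag.Value, args []string) error {
	fs := flag.NewFlagSet("demo", flag.ContinueOnError)
	fs.Var(v, "H", "request header (repeatable)")
	return fs.Parse(args)
}

func main() {
	// Constructed sample input: the first header value contains a comma.
	args := []string{"-H", "Accept: text/html, application/json", "-H", "X-Demo: 1"}
	var s sliceFlag
	var a arrayFlag
	_ = parseHeaders(&s, args)
	_ = parseHeaders(&a, args)
	fmt.Printf("slice-style (%d): %q\n", len(s), []string(s))
	fmt.Printf("array-style (%d): %q\n", len(a), []string(a))
}
```

With slice-style parsing, the second fragment of the split value (` application/json`) has no `name: value` form, so it can no longer be sent as the header the user intended.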