I am doing some API requests using fsockopen() in PHP. For most APIs that works correctly, but from http://geocoding.cloudmade.com/ I get the following (RAW) response:
HTTP/1.1 200 OK
Server: nginx/0.6.35
cache-control: no-cache
Content-Type: application/json; charset=utf-8
Date: Tue, 19 Feb 2013 11:08:05 GMT
pragma: no-cache
Transfer-Encoding: chunked
Connection: close
2fb
{"found": 1, "bounds": [[52.48732, 13.42553], ...
0
My problem is that "2fb" in the first line and the "0" in the last line of the body does not tell my anything. If I send the same request via Firefox, the body does not contain a "2fb" or "0". Therefore, I guess it has some meaning. But what?
Thanks for hints!
That is chunked transfer-coding, also indicated by the Transfer-Encoding: chunked response header:
The chunked encoding modifies the body of a message in order to
transfer it as a series of chunks, each with its own size indicator,
followed by an OPTIONAL trailer containing entity-header fields. This
allows dynamically produced content to be transferred along with the
information necessary for the recipient to verify that it has
received the full message.
2fb, followed by \r\n, indicates the size of the following chunk (763 bytes). A chunk-size of 0 indicates the last chunk.
Related
I'm currently struggeling with reading one (and eventually multiple) http event streams.
I have a camera that streams events to me and I'd like to consume those events to trigger some actions.
I'm using the following code for example to open the stream:
$stream = stream_get_contents(fopen('http://IP:port/live/events?param=123¶m2=321', 'r'));
Now, when I just keep reading the stream with an echo, it times out eventually and then nothing hapens further more.
I need to be able to read the HTTP response. So I kinda have a continiously running GET request.
An example of the HTTP request is the following;
GET /live/events HTTP/1.1
Host: 192.168.1.101
Connection: keep-alive
Cookie: sid=60ab2b6b
Then a response would be;
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Thu, 01 Dec 2003 16:00:00 GMT
Connection: close
Content-Type: multipart/mixed; boundary=IPCamEventStreamBoundary
Cache: no-cache
Accept-Ranges: none
--IPCamEventStreamBoundary
Content-Type: image/jpeg
Content-Length: 498749
X-Timestamp: 1620986982002
X-Image-Index: 1
X-Frame-Id: 521699
X-Frame-Timestamp: 757030579
X-Frame-Width: 2560
X-Frame-Height: 1920
binary data
--IPCamEventStreamBoundary
Content-Type: application/json
Content-Length: 308
X-Event-Index: 1
X-Timestamp: 1620986982042
{
"DetectorVersion" : 131072,
"DetectorID" : "{6309907F-5708-47D1-B410-50F02C8882FB}",
"DetectorClassID" : -835316578,
"EventTime" : "13265460582042",
"State" : "dsSignal",
"EventCode" : 100,
"EventInfo" : {},
"EventID" : "{4F34A399-9E02-1846-ADA7-98A2798B46B9}",
"DetectorEventType" : "detSignal"
}
What I need, is to be able to capture that JSON in the body and process it. This should be a continiously running script (using the Laravel framework commands). I have multiple of such stream sources and should be able to get them all at the same time, prefered not having to have a daemon for each camera.
Anyone who has an idea on how to handle this best?
Getting response from one of the soap function php, after that sending this response as a parameter to another soap request, that time I need to extract the set-cookie from the previous response header here below my response header. I need to read set-cookie JSESSIONID element ?
HTTP/1.1 200 OK
Set-Cookie: **JSESSIONID=9A977E193F9B505B084D95C3028BAD0C.srv1816**;
Path=/webservices
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 15 Apr 2019 07:38:52 GMT
Set-Cookie: aeroID=12988141315553139361555313936504655;Path=/;
Expires=Sun, 09-Feb-2020 07:38:56 GMT
You could just read your JSESSIONID cookie like so :
First get your cookies :
import com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport
def cookieStore= HttpClientSupport.getHttpClient().getCookieStore()
Then just find the one that interest you
def cookies = cookieStore.getCookies()
def jsessionidCookie
cookies.each {
if(it.name == "JSESSIONID")
jsessionidCookie= it
}
I did R&D on prevention of CRLF injection in php, but i didn't find any solution in mycase, as I'm using a burp suite tool to inject some headers using CRLF characters like the below.
// Using my tool i put CRLF characters at the start of my request url
GET /%0d%0a%20HackedHeader:By_Hacker controller/action
//This generates an header for me like below
HackedHeader:By_Hacker
So i can modify all headers by doing just like above
This tool is just like a proxy server so it catches the request and gives the response and we can modify the response in the way we want.
So i'm just modifying the response by injecting some headers using CRLF characters. Now the Server responds to this request by injecting the CRLF characters in the response.
I'm just worried as header fields like Pragma, Cache-Control, Last-Modified can lead to cache poisoning attacks.
header and setcookie contain mitigations against response/header splitting, But these can't support me in fixing the above issue
Edit
When i request to mysite.com contact us page like below This is the request I captured in my tool like below
Request headers:
GET /contactus HTTP/1.1
Host: mysite.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
And i get the Response HTML for the above request
Now for the same request using the tool i'm adding custom headers just like below
Request Headers:
GET /%0d%0a%20Hacked_header:By_Hacker/contactus HTTP/1.1
Host: mysite.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Response Headers:
HTTP/1.1 302 Found
Date: Fri, 10 Jul 2015 11:51:22 GMT
Server: Apache/2.2.22 (Ubuntu)
Last-Modified: Fri, 10 Jul 2015 11:51:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Location: mysite.com
Hacked_header:By_Hacker/..
Vary: Accept-Encoding
Content-Length: 2
Keep-Alive: timeout=5, max=120
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
You can see the injected header Hacked_header:By_Hacker/.. in the above response
Is there anyway in php or apache server configuration to prevent such kind of headers' hack?
Not sure why all the down votes - infact, it is an interesting question :)
I can see that you have tagged CakePHP - which means your app is using Cake Framework... Excellent! If you are using Cake 3 , it is automatically strip off : %0d%0a
Alternatively, where you receive the response header, just strip off %0d%0a and you are good!
Where things like these could be applied - a 3rd party API response or say.... a Webhook response! or a badly sanitized way to handle intl.. example : lang=en to lang=fr where the GET param is directly set as response header... That would not be a wise move!
Ideally, the responses will be as GET and not in the header but either way just strip the %0d%0a and you are good.
Answering your edit.
You can see the injected header Hacked_header:By_Hacker/.. in the above response
That injected header cannot be controlled or stopped, mate. We do not have control over what the other server does.
The question is.. What do you do with the response header?
The answer is... You sanitize it, as ndm said you need to sanitize the input.. What you get as a response IS an input. As soon as you detect %0d%0a, discard the response.
Need code work?
<?php
$cr = '/\%0d/';
$lf = '/\%0a/';
$response = // whatever your response is generated in;
$cr_check = preg_match($cr , $response);
$lf_check = preg_match($lf , $response);
if (($cr_check > 0) || ($lf_check > 0)){
throw new \Exception('CRLF detected');
}
I have this HTTP response content :
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Mon, 12 Aug 2013 15:08:10 GMT
PK�Ctemps_attente.json���n� �߅9�Bw���VU��Uߠs���^��#�CGç��ͷ�r7G�3Hnp����^pYSu\#Qo%~x��FGa�Y�ا����S���-ua���t��j-���s�%э��+,g�xq.��������t�fb� �0:)�:�K�}^�N�L����>�щ%#�̲x`C#��m݃ :^��$~�i8���WzCh�a�ă���7t�O|��AX˂��UO$���<��y"�;�'F��]��{֘Ha}F��<��l6��o벰V���66t�&��f�Ť��x�H��툗���/PKA�Y�1�PK�CA�Y�1�temps_attente.jsonPK#q
I would like to know what format is the response and how to decompile to have the final response.
I tried to use this function: http_chunked_decode but I did not succeed.
The body (or at least what appears to be the body) of the response is not chunked.
It does appear to be compressed - with HTTP this should be expressly stated in the headers,
There is no blank line between the what appears to be the headers and what appears to be the body.
If this is really the response you are getting it's not HTTP - an off-the-shelf function is not going to make sense of it.
When I send a 304 response. How will the browser interpret other headers which I send together with the 304?
E.g.
header("HTTP/1.1 304 Not Modified");
header("Expires: " . gmdate("D, d M Y H:i:s", time() + $offset) . " GMT");
Will this make sure the browser will not send another conditional GET request (nor any request) until $offset time has "run out"?
Also, what about other headers?
Should I send headers like this together with the 304:
header('Content-Type: text/html');
Do I have to send:
header("Last-Modified:" . $modified);
header('Etag: ' . $etag);
To make sure the browser sends a conditional GET request the next time the $offset has "run out" or does it simply save the old Last Modified and Etag values?
Are there other things I should be aware about when sending a 304 response header?
This blog post helped me a lot in order to tame the "conditional get" beast.
An interesting excerpt (which partially contradicts Ben's answer) states that:
If a normal response would have included an ETag header, that header must also be included in the 304 response.
Cache headers (Expires, Cache-Control, and/or Vary), if their values might differ from those sent in a previous response.
This is in complete accordance with the RFC 2616 sec 10.3.5.
Below a 200 request...
HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Thu, 18 Nov 2010 16:04:38 GMT
Content-Type: image/png
Last-Modified: Thu, 15 Oct 2009 02:04:11 GMT
Expires: Thu, 31 Dec 2010 02:04:11 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes
Content-Length: 6394
Via: 1.1 proxyIR.my.corporate.proxy.name:8080 (IronPort-WSA/6.3.3-015)
Connection: keep-alive
Proxy-Connection: keep-alive
X-Junk: xxxxxxxxxxxxxxxx
...And its optimal valid 304 counterpart.
HTTP/1.1 304 Not Modified
Server: nginx/0.8.52
Date: Thu, 18 Nov 2010 16:10:35 GMT
Expires: Thu, 31 Dec 2011 16:10:35 GMT
Cache-Control: max-age=315360000
Via: 1.1 proxyIR.my.corporate.proxy.name:8080 (IronPort-WSA/6.3.3-015)
Connection: keep-alive
Proxy-Connection: keep-alive
X-Junk: xxxxxxxxxxx
Notice that the Expires header is at most Current Date + One Year as per RFC-2616 14.21.
The Content-Type header only applies to responses which contain a body. A 304 response does not contain a body, so that header does not apply. Similarly, you don't want to send Last-Modified or ETag because a 304 response means that the document hasn't changed (and so neither have the values of those two headers).
For an example, see this blog post by Anne van Kesteren examining WordPress' http_modified function. Note that it returns either Last-Modified and ETag or a 304 response.