HTTPush: web server/application audit helper
--------------------------------------------
by Lluis Mora <llmora@s21sec.com>

HTTPush aims to provide an easy way to audit the security of web applications
by intercepting HTTP requests and presenting them to the user for modification.

As a side effect, HTTPush can be used to audit unknown web servers looking
for implementation problems.

It's the result of too many hours spent reading port 80 tcpdump output and
piping requests through nc connected to stunnel :)

Requirements
------------

You will certainly need the following perl modules which can be downloaded
from your preferred CPAN mirror:

  module                  version
  -------------------------------
  URI                     1.10
  MIME::Base64            2.11
  LWP                     5.50
  Net::SSLeay             1.05
  Crypt::SSLeay           0.22
  HTML::Parser            3.16

HTTPush might work with previous versions of these modules, although it
hasn't been tested. Specifically, older SSLeay modules don't seem to work
with HTTPush.

HTTPush has been verified to work on Linux, though it should work on any
platform Perl runs on.

Features
--------

- On the fly HTTP request review and modification
- Lynx, Internet Explorer and Netscape proxy support
- HTTPS support (through OpenSSL, http://www.openssl.org)
- Sticky headers and cookies
- Session recording and reviewing

Usage
-----

HTTPush works as an HTTP/HTTPS proxy that sits between the client (you) and
the remote server, so you must configure your web browser to use the host where
HTTPush runs as the HTTP and HTTPS ("security") proxy server.

Make sure that connections to the HTTPush host don't go through the proxy,
or you'll find it's rather amusing to check the proxy logs :)

By default, HTTPush listens on the loopback address (127.0.0.1), so
connections are allowed only through the loopback interface. If you want to
access the proxy over a network, use the -I option, effectively opening the
proxy to everybody else, so be careful.
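
A check for the exposure described above, as an added example (not part of
HTTPush): it parses `ss -ltn` output and reports listeners on the proxy ports
that are bound beyond the loopback interface. The sample output is constructed
and the function name is an assumption.

```python
import ipaddress

# Constructed `ss -ltn` output: loopback-only and network-reachable listeners.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128          0.0.0.0:8081      0.0.0.0:*
LISTEN 0      128            [::1]:8082         [::]:*
LISTEN 0      128                *:8083            *:*
"""


def exposed_listeners(ss_output, ports):
    """Return (address, port) pairs that listen beyond the loopback interface."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header or non-listening socket
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        host = host.strip("[]").split("%")[0]   # drop IPv6 brackets, zone id
        if host == "*":
            exposed.append((host, int(port)))   # wildcard: every interface
            continue
        try:
            if not ipaddress.ip_address(host).is_loopback:
                exposed.append((host, int(port)))
        except ValueError:
            exposed.append((host, int(port)))   # unparseable: report it
    return exposed


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS, {8080, 8081, 8082, 8083}):
        print("proxy port %d is reachable on %s" % (port, host))
```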

HTTPush supports two modes, "interactive" and "learning" mode:

- "interactive" mode allows the user to inspect each request before it is
actually sent to the remote server, and is the mode used when you want to do
real-time auditing of a web application.

- "learning" mode allows the user to transparently browse through a site
recording each request to file. Later these requests can be examined, edited
and replayed via the HTTP interface.

When in interactive mode, browsing through a graphics-intensive site can
easily leave the user lost. The "-i" option allows images and
some other special files through without the need for the user to
individually accept each request. You lose a bit of granularity but gain
usability.

The optional "-f" option (mandatory when in "learning" mode) allows a user to
record all requests to a file, which can later be fed to the program in
order to edit or replay them.

The "-e" option allows the user to specify some metacharacters that won't be
escaped. By default, the URI module complies with RFC 2396, escaping
characters such as "|". Some browsers and applications don't escape some of
these values, and sometimes you want to simulate that with HTTPush. If you
want to not escape, say, "|", just specify the "-e \|" option.
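
A model of the escaping that the "-e" option switches off, as an added example
(not HTTPush code, which relies on the Perl URI module). The function names,
the "keep" parameter and the sample URI are assumptions made here.

```python
import string
from urllib.parse import unquote

# RFC 2396 sections 2.2 and 2.3: characters a URI may carry literally.
RESERVED = set(";/?:@&=+$,")
UNRESERVED = set(string.ascii_letters + string.digits + "-_.!~*'()")
HEX = set(string.hexdigits)


def escape_uri(raw, keep=""):
    """Percent-encode every byte RFC 2396 does not allow literally.

    `keep` (hypothetical name) models the characters handed to "-e":
    they go out unescaped. Existing %XX escapes are copied untouched.
    """
    allowed = RESERVED | UNRESERVED | set(keep)
    data = raw.encode("utf-8")
    out, i = [], 0
    while i < len(data):
        triplet = data[i:i + 3].decode("latin-1")
        if triplet[0] == "%" and len(triplet) == 3 and set(triplet[1:]) <= HEX:
            out.append(triplet)           # already escaped, do not double-encode
            i += 3
            continue
        ch = triplet[0]
        out.append(ch if ch in allowed else "%%%02X" % data[i])
        i += 1
    return "".join(out)


def same_after_decoding(a, b):
    """True when two request URIs carry the same value once unescaped."""
    return unquote(a) == unquote(b)


if __name__ == "__main__":
    uri = "/search?q=a|b&lang=en"          # constructed sample request URI
    default = escape_uri(uri)              # "|" leaves as %7C
    raw_pipe = escape_uri(uri, keep="|")   # "|" leaves as typed, as with -e \|
    print(default, raw_pipe, same_after_decoding(default, raw_pipe))
```

Both forms decode to the same string, so a server-side input check only treats them alike if it runs on the decoded value.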

Accessing the log
-----------------

The logs are accessed through the administrative interface: just
point your browser to the host and port where the proxy is listening.

A typical session
-----------------

Usually, you will run httpush in learning mode and will browse through the
server:

  $ httpush -p 8080 -l -d -f httpush.log

Once you have visited the parts of the application you want to audit, you
will put httpush in "interactive" mode:

  $ httpush -p 8080 -d -f httpush.log -i

And review (optionally tweaking) the requests previously recorded, by
accessing the HTTP administrative interface.

Or you can choose to go the hardcore way and use interactive mode from the
beginning.

Limitations
-----------

Currently HTTPush doesn't automate any well-known attack against 
applications/servers:

  - ../ requests
  - shell metacharacters in form fields and cookies
  - overflows
  - session id prediction
  - authorization bruteforcing
  - ..

Right now, all the guessing work is human-based; HTTPush is just a nice
interface to the HTTP server, nothing else.

As time permits, plugins for known web attacks should be incorporated into
the distribution.

Philip Stoev seems to be working on a similar project, though aimed at
transparently automating the audit. You can check his homepage at
http://www.stoev.org.

Distribution site
-----------------

SourceForge kindly hosts the project at:

  http://sourceforge.net/projects/httpush

where you can download the latest version, submit bug reports
and post patches, as well as subscribe to the httpush-devel
mailing list.

The latest version is always available from:

  http://sourceforge.net/projects/httpush
  http://www.s21sec.com/download/httpush-current.tar.gz

Previous releases and miscellaneous files are available from:

  http://www.s21sec.com/download/httpush/

as well as the SourceForge project page.

Bugs and suggestions
--------------------

Please send any bug reports or suggestions to llmora@s21sec.com

Acknowledgements
----------------

Alfredo Andres - official betatester
Ramon Pinuaga - official feature requester
Jeremiah Sahlberg - bug reports
Rick Redman - bug reports
Colin Phipps - bug reports along with their patches
Nicolas Pougetoux - bug reports along with their patches
