Hi malware fighters,
Here we test for HTTP splitting:
advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a0d%0a<html>Sorry,%20System%20Down</html>
and Firekeeper alerts this:
=== Triggered rule ===
alert(url_content:"%3Chtml"; nocase; msg:"<html> tags GET request cross site scripting attempt"; url_re:"/%3Chtml*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
http://ajax.googleapis.com/ajax/services/search/web?v=1.0&key=ABQIAAAADQJp_C6OaW6hvHOMrOnyTRSJ36dQUZSEtUNltVpyNDSTnR8ihRSMP6upCTiKY-Eecqqq5JsdgenlYg&q=advanced%250d%250aContent-Length%3A%25200%250d%250a%250d%250aHTTP%2F1.1%2520200%2520OK%250d%250aContent-+Type%3A%2520text%2Fhtml%250d%250aContent-Length%3A%252035%250d%250a%250d%250a%3Chtml%3ESorry%2C%2520System%2520Down%3C%2Fhtml%3E
Re:
http://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OWASP-DV-016)
HTTP exploits involve using the Web server application to perform malicious activities. These attacks are very common and are growing in popularity because firewalls typically block most traffic from the Internet to keep it away from corporate servers. However, HTTP traffic, used for Web browsing, is almost always allowed to pass through firewalls, on Port 80, unhindered. Thus, attackers have a direct line to the Web server. If they can coerce the Web server into performing malicious activities, they can access resources that would otherwise be unavailable. Metasploit tries HTTP for various exploits:
HTTP Backup File Scanner
This module identifies the existence of possible copies of a specific file in a given path.
HTTP Blind SQL Injection GET QUERY Scanner
This module identifies the existence of Blind SQL injection issues in GET Query parameters values.
HTTP Directory Brute Force Scanner
This module identifies the existence of interesting directories by brute forcing the name in a given directory path.
HTTP SSL Certificate Checker
This module will check the certificate of the specified web servers to ensure the subject and issuer match the supplied pattern and that the certificate is not expired. Note: Be sure to check your expression if using msfcli, shells tend to not like certain things and will strip/interpret them (= is a perfect example). It is better to use in console.
HTTP Copy File Scanner
This module identifies the existence of possible copies of a specific file in a given path.
HTTP Directory Listing Scanner
This module identifies directory listing vulnerabilities in a given directory path.
HTTP Directory Scanner
This module identifies the existence of interesting directories in a given directory path.
Online fuzzer tool:
http://digitaloffense.net/tools/axman/demo/
polonus
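Added example, not part of the original post and not Firekeeper code: the rule quoted above fired on the `%3Chtml` tag, while the CR/LF bytes in the request URL were double-encoded (`%250d%250a`). This sketch decodes each query parameter layer by layer and reports where a line break and header-like lines appear. The function names and the sample URL (modelled on the posted request, with a placeholder host and no key) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

CRLF = re.compile(r"[\r\n]")
# A header-looking line ("Name:") at the start of a line after the break.
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):", re.MULTILINE)
# An embedded status line, i.e. a second response smuggled into the value.
STATUS_LINE = re.compile(r"^HTTP/\d\.\d \d{3}", re.MULTILINE)

def decode_layers(value, max_rounds=3):
    """Yield (round, text): round 0 is the raw value, round n is n decodings."""
    text = value
    for rnd in range(max_rounds + 1):
        yield rnd, text
        decoded = unquote_plus(text)
        if decoded == text:      # nothing left to decode
            return
        text = decoded

def scan_url(url):
    """Return one finding per query parameter that decodes to CR/LF."""
    findings = []
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        for rnd, text in decode_layers(raw):
            hit = CRLF.search(text)
            if not hit:
                continue
            tail = text[hit.end():]   # only inspect what follows the break
            findings.append({
                "param": name,
                "encoding_layers": rnd,
                "injected_headers": HEADER_LINE.findall(tail),
                "embedded_response": bool(STATUS_LINE.search(tail)),
            })
            break                     # first layer that exposes CR/LF is enough
    return findings

# Constructed sample: double-encoded CR/LF in the q parameter.
SAMPLE_URL = ("http://app.example.test/search?v=1.0&q=advanced%250d%250a"
              "Content-Length%3A%25200%250d%250a%250d%250a"
              "HTTP%2F1.1%2520200%2520OK%250d%250a"
              "Content-Type%3A%2520text%2Fhtml")

if __name__ == "__main__":
    for finding in scan_url(SAMPLE_URL):
        print(finding)
```

A finding with `encoding_layers` of 2 or more means a filter that decodes the URL only once would never see the line break.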