Skip to content

Commit

Permalink
Merge pull request #1335 from secinto/redirectPolicyWithHSTS
Browse files Browse the repository at this point in the history
Redirect policy with hsts
  • Loading branch information
Mzack9999 authored Sep 11, 2023
2 parents d702f63 + 4432f63 commit 70baee9
Show file tree
Hide file tree
Showing 5 changed files with 24 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -196,6 +196,7 @@ CONFIGURATIONS:
-fr, -follow-redirects follow http redirects
-maxr, -max-redirects int max number of redirects to follow per host (default 10)
-fhr, -follow-host-redirects follow redirects on the same host
-rhsts, -respect-hsts respect HSTS response headers for redirect requests
-vhost-input get a list of vhosts as input
-x string request methods to probe, use 'all' to probe all HTTP methods
-body string post body to include in http request
Expand Down
19 changes: 19 additions & 0 deletions common/httpx/httpx.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,14 @@ func New(options *Options) (*HTTPX, error) {
retryablehttpOptions.Timeout = httpx.Options.Timeout
retryablehttpOptions.RetryMax = httpx.Options.RetryMax

handleHSTS := func(req *http.Request) {
if req.Response.Header.Get("Strict-Transport-Security") == "" {
return
}

req.URL.Scheme = "https"
}

var redirectFunc = func(_ *http.Request, _ []*http.Request) error {
// Tell the http client to not follow redirect
return http.ErrUseLastResponse
Expand All @@ -76,10 +84,16 @@ func New(options *Options) (*HTTPX, error) {
redirectFunc = func(redirectedRequest *http.Request, previousRequests []*http.Request) error {
// add custom cookies if necessary
httpx.setCustomCookies(redirectedRequest)

if len(previousRequests) >= options.MaxRedirects {
// https://github.com/golang/go/issues/10069
return http.ErrUseLastResponse
}

if options.RespectHSTS {
handleHSTS(redirectedRequest)
}

return nil
}
}
Expand All @@ -104,6 +118,11 @@ func New(options *Options) (*HTTPX, error) {
// https://github.com/golang/go/issues/10069
return http.ErrUseLastResponse
}

if options.RespectHSTS {
handleHSTS(redirectedRequest)
}

return nil
}
}
Expand Down
1 change: 1 addition & 0 deletions common/httpx/option.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ type Options struct {
VHostSimilarityRatio int
FollowRedirects bool
FollowHostRedirects bool
RespectHSTS bool
MaxRedirects int
Unsafe bool
TLSGrab bool
Expand Down
2 changes: 2 additions & 0 deletions runner/options.go
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,7 @@ type Options struct {
Location bool
ContentLength bool
FollowRedirects bool
RespectHSTS bool
StoreResponse bool
JSONOutput bool
CSVOutput bool
Expand Down Expand Up @@ -405,6 +406,7 @@ func ParseOptions() *Options {
flagSet.BoolVarP(&options.FollowRedirects, "follow-redirects", "fr", false, "follow http redirects"),
flagSet.IntVarP(&options.MaxRedirects, "max-redirects", "maxr", 10, "max number of redirects to follow per host"),
flagSet.BoolVarP(&options.FollowHostRedirects, "follow-host-redirects", "fhr", false, "follow redirects on the same host"),
flagSet.BoolVarP(&options.RespectHSTS, "respect-hsts", "rhsts", false, "respect HSTS response headers for redirect requests"),
flagSet.BoolVar(&options.VHostInput, "vhost-input", false, "get a list of vhosts as input"),
flagSet.StringVar(&options.Methods, "x", "", "request methods to probe, use 'all' to probe all HTTP methods"),
flagSet.StringVar(&options.RequestBody, "body", "", "post body to include in http request"),
Expand Down
1 change: 1 addition & 0 deletions runner/runner.go
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,7 @@ func New(options *Options) (*Runner, error) {
httpxOptions.RetryMax = options.Retries
httpxOptions.FollowRedirects = options.FollowRedirects
httpxOptions.FollowHostRedirects = options.FollowHostRedirects
httpxOptions.RespectHSTS = options.RespectHSTS
httpxOptions.MaxRedirects = options.MaxRedirects
httpxOptions.HTTPProxy = options.HTTPProxy
httpxOptions.Unsafe = options.Unsafe
Expand Down

0 comments on commit 70baee9

Please sign in to comment.