Support for Unstructured HTTP Headers

[MindPatch]

Greetings team,

I'm currently working on a project intended for security professionals, and I've come across a requirement where we need to send HTTP requests in an unstructured format. This functionality would allow users to construct requests similar to the following example:

GET / HTTP/1.1
  Host: hello.com
Host: attacker.com
HeaderWithoutValue

as host header injection (as described in this informative resource: Host Header Injection). Additionally, it can help detect if the application is running in Debug mode or enable the identification of potential issues related to HTTP request smuggling (as explained here: HTTP Request Smuggling).

For more detailed information and context, please refer to the following GitHub issue: BugBlocker/lotus #136.

[seanmonstar]

It sounds like you want the ability to send headers that are incorrectly formatted on purpose, to probe servers, is that right? Part of hyper's goals is to strictly enforce things that would be illegal.

[MindPatch]

Hello @seanmonstar,
I wanted to discuss the possibility of incorporating a feature in the Hyper project that would cater to the needs of security professionals within the DevOps lifecycle (like this one). Specifically, this feature would allow them to scan the application before deploying it.
But I understand that this may not align with Hyper's primary goals, and I respect that.

Before proceeding with forking the project, I would like to inquire whether it would be acceptable for us, as the Lotus team, to add this feature ourselves in the forked version
Your input on this matter would be greatly appreciated.

Best regards
@knassar702

[seanmonstar]

Well, so, there is some precedent that hyper allows enabling options for things that the specs now say "please don't ever do this, but legacy software may exist". So, in that sense, it could be acceptable. If you wanted to put together a design document outlining how to do this, and pitch it on the hyperium/hyper repo, we could consider it. I'm sympathetic to allowing hyper be more flexible, as long as it's safe by default.

[cn-kali-team]

https://github.com/emo-crab/slinger
A client specifically developed for security researchers

https://github.com/emo-crab/slinger/blob/main/examples/smuggling.rs

[MindPatch]

Good job @cn-kali-team 👏
thank you

[seanmonstar]

Oh, I understand what you're looking for now. I think this PR would do it: hyperium/hyper#3417