INTRO
=====
This software was developed to test an IPS's capacity to handle basic URL mutation methods.

It relies on hping to build the raw packets and on iptables to prevent our station from generating unwanted RSTs. The command executed is the following:

iptables -A OUTPUT -p 6 -d $target --dport $DPORT --tcp-flags RST RST -j DROP

Anyway, you probably know this already, since you would never run such a tool without looking at the source, would you?

HOWTO
=====

0. Make sure the following commands are in your path
   - hping
   - iptables

1. Launch http-mutate.pl

2. Enter the target IP and the URL you want to test

3. The result is printed out (see Result Analysis)


Mutation Techniques
===================

7 basic mutation techniques are used:

1. Self reference: / => /./././
2. Directory traversal: / => /docs/../docs/../docs/..
3. Multiple separators: / => ///
4. Windows separator: / => \
5. ASCII (percent) encoding: a => %61, b => %62, etc.
6. ASCII encoding of everything except slashes, numbers and % (applied after 5, this yields double encoding)
7. URL prefixed with %00

Result Analysis
===============

Here is a sample session.

>>>>>>>
[root@localhost http-mutate]# ./http-mutate.pl 
enter target host : 10.0.0.101
enter /path/page : /cmd.exe    
Basic mutate techniques : 7
Total mutate techniques : 56
Not Blocked: GET %25%32%66%25%36%33%25%36%64%25%36%34%25%32%65%25%36%35%25%37%38%25%36%35 HTTP/1.0
Not Blocked: GET %00\docs\..\docs\..\docs\..\cmd.exe HTTP/1.0
Not Blocked: GET %25%32%66%25%36%34%25%36%66%25%36%33%25%37%33%25%32%66%25%32%65%25%32%65%25%32%66%25%36%34%25%36%66%25%36%33%25%37%33%25%32%66%25%32%65%25%32%65%25%32%66%25%36%34%25%36%66%25%36%33%25%37%33%25%32%66%25%32%65%25%32%65%25%32%66%25%36%33%25%36%64%25%36%34%25%32%65%25%36%35%25%37%38%25%36%35 HTTP/1.0
Not Blocked: GET %25%32%66%25%32%66%25%32%66%25%36%33%25%36%64%25%36%34%25%32%65%25%36%35%25%37%38%25%36%35 HTTP/1.0
Not Blocked: GET %00%25%32%66%25%36%33%25%36%64%25%36%34%25%32%65%25%36%35%25%37%38%25%36%35 HTTP/1.0
Not Blocked: GET %25%32%66%25%32%66%25%32%66%25%36%34%25%36%66%25%36%33%25%37%33%25%32%66%25%32%66%25%32%66%25%32%65%25%32%65%25%32%66%25%32%66%25%32%66%25%36%34%25%36%66%25%36%33%25%37%33%25%32%66%25%32%66%25%32%66%25%32%65%25%32%65%25%32%66%25%32%66%25%32%66%25%36%34%25%36%66%25%36%33%25%37%33%25%32%66%25%32%66%25%32%66%25%32%65%25%32%65%25%32%66%25%32%66%25%32%66%25%36%33%25%36%64%25%36%34%25%32%65%25%36%35%25%37%38%25%36%35 HTTP/1.0
Not Blocked: GET %00///%64%6f%63%73///%2e%2e///%64%6f%63%73///%2e%2e///%64%6f%63%73///%2e%2e///%63%6d%64%2e%65%78%65 HTTP/1.0
Not Blocked: GET %00%5c%64%6f%63%73%5c%2e%2e%5c%64%6f%63%73%5c%2e%2e%5c%64%6f%63%73%5c%2e%2e%5c%63%6d%64%2e%65%78%65 HTTP/1.0
Not Blocked: GET %00%25%32%66%25%36%34%25%36%66%25%36%33%25%37%33%25%32%66%25%32%65%25%32%65%25%32%66%25%36%34%25%36%66%25%36%33%25%37%33%25%32%66%25%32%65%25%32%65%25%32%66%25%36%34%25%36%66%25%36%33%25%37%33%25%32%66%25%32%65%25%32%65%25%32%66%25%36%33%25%36%64%25%36%34%25%32%65%25%36%35%25%37%38%25%36%35 HTTP/1.0
Not Blocked: GET %00%5c%5c%5c%63%6d%64%2e%65%78%65 HTTP/1.0
Not Blocked: GET %00%25%32%66%25%32%66%25%32%66%25%36%33%25%36%64%25%36%34%25%32%65%25%36%35%25%37%38%25%36%35 HTTP/1.0
Not Blocked: GET %00%25%35%63%25%36%33%25%36%64%25%36%34%25%32%65%25%36%35%25%37%38%25%36%35 HTTP/1.0

---------------------------------------
| 0    |    || 1    |    || 2    |    |
| 23   |    || 234  |    || 2345 |    |
| 2346 |    || 2347 |    || 235  |    |
| 2356 | A  || 2357 |    || 236  |    |
| 2367 | AP || 237  |    || 24   |    |
| 245  |    || 2456 |    || 2457 | AP |
| 246  |    || 2467 |    || 247  | AP |
| 25   |    || 256  | A  || 2567 | A  |
| 257  |    || 26   |    || 267  |    |
| 27   |    || 3    |    || 34   |    |
| 345  |    || 3456 |    || 3457 | AP |
| 346  |    || 3467 |    || 347  |    |
| 35   |    || 356  | A  || 3567 | A  |
| 357  |    || 36   |    || 367  |    |
| 37   |    || 4    |    || 45   |    |
| 456  |    || 4567 | AP || 457  |    |
| 46   |    || 467  |    || 47   |    |
| 5    |    || 56   | A  || 567  | A  |
| 57   |    || 6    |    || 67   |    |
| 7    |    ||      |    |
---------------------------------------
<<<<<<<

First come the URLs that were not blocked. This is necessary to check whether the server really understands them...
Then comes the summary, which gives the TCP flags received back for each combination of techniques.

0 is the baseline, with no encoding or mutation. In the example above, the mutation combining methods 2, 3, 5 and 6 (entry 2356) was not blocked, as we received an A (ACK) flag.
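The following Python canonicalizer is an added example, not part of http-mutate.pl or of the original README. It shows the defender's side of the seven techniques listed under Mutation Techniques: the normalization an IPS (or a log-analysis step) has to perform so that every "Not Blocked" request line from the sample session above is recognised as a request for the baseline /cmd.exe. The request lines in SAMPLE_LINES are copied from that session; the function names, the three-pass decode limit and the baseline parameter are this example's own assumptions.

```python
import posixpath
from urllib.parse import unquote

# Upper bound on repeated percent-decoding passes (assumption of this
# example): technique 5 needs one pass, techniques 5+6 stacked (double
# encoding, e.g. %25%32%66 -> %2f -> /) need two.
MAX_DECODE_PASSES = 3


def canonicalize(raw_path):
    """Undo the seven mutation techniques; return (canonical_path, decode_passes).

    decode_passes counts how many percent-decoding rounds changed the input;
    a value above 1 means the request was double-encoded.
    """
    path = raw_path
    passes = 0
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(path)        # techniques 5 and 6: %xx -> character
        if decoded == path:
            break
        path = decoded
        passes += 1
    path = path.replace("\x00", "")    # technique 7: leading %00
    path = path.replace("\\", "/")     # technique 4: Windows separator
    while "//" in path:                # technique 3: multiple separators
        path = path.replace("//", "/")
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)    # techniques 1 and 2: /./ and /docs/../
    return path, passes


def request_path(line):
    """Pull the request path out of a 'Not Blocked: GET <path> HTTP/1.0' line."""
    marker = " GET "
    start = line.index(marker) + len(marker)
    end = line.index(" HTTP/", start)
    return line[start:end]


def analyze(lines, baseline="/cmd.exe"):
    """Return one dict per line: raw path, canonical path, decode passes,
    and whether the canonical form equals the (normalized) baseline."""
    target = posixpath.normpath(baseline)
    report = []
    for line in lines:
        raw = request_path(line)
        canon, passes = canonicalize(raw)
        report.append({
            "raw": raw,
            "canonical": canon,
            "decode_passes": passes,
            "hits_baseline": canon == target,
        })
    return report


# Request lines copied from the sample session in this README (not constructed).
SAMPLE_LINES = [
    "Not Blocked: GET %25%32%66%25%36%33%25%36%64%25%36%34%25%32%65%25%36%35%25%37%38%25%36%35 HTTP/1.0",
    "Not Blocked: GET %00\\docs\\..\\docs\\..\\docs\\..\\cmd.exe HTTP/1.0",
    "Not Blocked: GET %00///%64%6f%63%73///%2e%2e///%64%6f%63%73///%2e%2e///%64%6f%63%73///%2e%2e///%63%6d%64%2e%65%78%65 HTTP/1.0",
    "Not Blocked: GET %00%5c%5c%5c%63%6d%64%2e%65%78%65 HTTP/1.0",
    "Not Blocked: GET %00%25%35%63%25%36%33%25%36%64%25%36%34%25%32%65%25%36%35%25%37%38%25%36%35 HTTP/1.0",
]

if __name__ == "__main__":
    for entry in analyze(SAMPLE_LINES):
        tag = "MATCH" if entry["hits_baseline"] else "other"
        print(f"{tag} passes={entry['decode_passes']} {entry['raw']} -> {entry['canonical']}")
```

Every one of the five session lines canonicalizes to /cmd.exe, which is exactly what the IPS under test failed to see. The decode_passes value is worth keeping as a signal on its own: a normal client never needs more than one percent-decoding round, so a second round (lines 1 and 5 above, produced by techniques 5 and 6 stacked) or an embedded NUL byte is a reason to flag the request even before the canonical path is compared against a signature.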

WHO
===
Renaud Bidou 
-> renaudb at radware.com
-> renaud.bidou at iv2-technologies.com