README
¶
urlutil
The package contains various helpers to interact with URLs
difference b/w net/url.URL and utils/url/URL
-
url.URLcaters to variety of urls and for that reason its parsing is not that accurate under various conditions -
utils/url/URLis a wrapper aroundurl.URLthat handles below edgecases and is able to parse complex (i.e non-RFC compilant urls but required in infosec) url edgecases. -
url.URLallowsu.Pathwithout/prefix but it is not allowed inutils/url/URLand is autocorrected if/prefix is missing -
Parsing URLs without
scheme
// if below urls are parsed with url.Parse(). url parts(scheme,host,path etc) are not properly classified
scanme.sh
scanme.sh:443/port
scame.sh/with/path
-
Encoding of parameters(url.Values)
url.URLencodes all reserved characters(as per RFC(s)) in parameter key-value pair (i.eurl.Values{})- If reserved/special characters are url encoded then integrity of specially crafted payloads (lfi,xss,sqli) is lost.
utils/url/URLusesutils/url/Paramsto store/handle parameters and integrity of all such payload is preservedutils/url/URLalso provides options to customize url encoding using global variable and function params
-
Parsing Unsafe/Invalid Paths
- while parsing urls
url.Parse()either discards or re-encodes some of the specially crafted payloads - If a non valid url encoding is given in url (ex:
scanme.sh/%invalid)url.Parse()returns error and url is not parsed - Such cases are implicitly handled if
unsafeis true
- while parsing urls
// Example urls for above condition
scanme.sh/?some'param=`'+OR+ORDER+BY+1--
scanme.sh/?some[param]=<script>alert(1)</script>
scanme.sh/%invalid/path
utils/url/URLhas some extra methods.TrimPort().MergePath(newrelpath string, unsafe bool).UpdateRelPath(newrelpath string, unsafe bool).Clone()and more
Note
utils/url/URL embeds url.URL and thus inherits and exposes all url.URL methods and variables.
Its ok to use any method from url.URL (directly/indirectly) except url.URL.Query() and url.URL.String() (due to parameter encoding issues).
In any case if it is not possible to follow above point (ex: directly updating/referencing http.Request.URL) .Update() method should be called before accessing them which updates url.URL instance for this edgecase. (Not required if above rule is followed)
Documentation
¶
Index ¶
- Constants
- Variables
- func AutoMergeRelPaths(path1 string, path2 string) (string, error)
- func ParamEncode(data string) string
- func PercentEncoding(data string) string
- func URLEncodeWithEscapes(data string, charset ...rune) string
- type Params
- func (p Params) Add(key string, value ...string)
- func (p Params) Decode(raw string)
- func (p Params) Del(key string)
- func (p Params) Encode() string
- func (p Params) Get(key string) string
- func (p Params) Has(key string) bool
- func (p Params) Merge(x Params)
- func (p Params) Set(key string, value string)
- type URL
- func (u *URL) Clone() *URL
- func (u *URL) EscapedString() string
- func (u *URL) GetRelativePath() string
- func (u *URL) MergePath(newrelpath string, unsafe bool) error
- func (u *URL) Query() Params
- func (u *URL) String() string
- func (u *URL) TrimPort()
- func (u *URL) Update()
- func (u *URL) UpdatePort(newport string)
- func (u *URL) UpdateRelPath(newrelpath string, unsafe bool) error
Constants ¶
const ( HTTP = "http" HTTPS = "https" SchemeSeparator = "://" DefaultHTTPPort = "80" DefaultHTTPSPort = "443" )
Variables ¶
var AllowLegacySeperator bool = false
Legacy Seperator (i.e `;`) is used as seperator for parameters this was removed in go >=1.17
var DisableAutoCorrect bool
disables autocorrect related to parsing Ex: if input is admin url.Parse considers admin as host which is not a valid domain name
var MustEscapeCharSet []rune = []rune{'?', '#', '@', ';', '&', ',', '[', ']', '^'}
MustEscapeCharSet are special chars that are always escaped and are based on reserved chars from RFC Some of Reserved Chars From RFC were excluded and some were added for various reasons and goal here is to encode parameters key and value only
var RFCEscapeCharSet []rune = []rune{'!', '*', '\'', '(', ')', ';', ':', '@', '&', '=', '+', '$', ',', '/', '?', '%', '#', '[', ']'}
Reserved Chars from RFC ! * ' ( ) ; : @ & = + $ , / ? % # [ ]
Functions ¶
func AutoMergeRelPaths ¶
AutoMergeRelPaths merges two relative paths including parameters and returns final string
func ParamEncode ¶
ParamEncode encodes Key characters only. key characters include whitespaces + non printable chars + non-ascii also this does not double encode encoded characters
func PercentEncoding ¶
PercentEncoding encodes all characters to percent encoded format just like burpsuite decoder
func URLEncodeWithEscapes ¶
URLEncodeWithEscapes URL encodes data with given special characters escaped (similar to burpsuite intruder) Note `MustEscapeCharSet` is not included
Types ¶
type Params ¶
func (Params) Decode ¶
Decode is opposite of Encode() where ("bar=baz&foo=quux") is parsed Parameters are loosely parsed to allow any scenario
type URL ¶
type URL struct {
*url.URL
Original string // original or given url(without params if any)
Unsafe bool // If request is unsafe (skip validation)
IsRelative bool // If URL is relative
Params Params // Query Parameters
}
URL a wrapper around net/url.URL
func ParseRelativePath ¶
ParseRelativePath parses and returns relative path
func (*URL) EscapedString ¶
EscapedString returns a string that can be used as filename (i.e stripped of / and params etc)
func (*URL) GetRelativePath ¶
GetRelativePath ex: /some/path?param=true#fragment
Source Files