http-chained-requests-autom.../README.md

# HTTP Chained Requests Automator
This PHP script automates and chains HTTP requests, extracting values from headers or body and use them for the next requests. Very useful for penetration tests.

![image](https://github.com/loviuz/http-chained-requests-automator/blob/main/screenshots/hcra.jpg?raw=true)

It has been ispired by a business-logic challenge of Port Swigger:

https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-infinite-money

## Installation

First download and install **composer** from here:

https://getcomposer.org/download/

Then:

```bash
$ php composer.phar install
```

## Usage

```bash
$ php hcra.php params.json
```

- params.json: is the filename of the JSON file with specifications of the HTTP requests

## Configuration

To configure HTTP request you have to code your custom JSON file. You can start from the example in the repository:

```json
{
    "configuration": 
    {
        "verbose_level": 1
    }
    ,
    "urls": [
        {
            "title": "First open to get the cookie",
            "url": "http://localhost/mysite/",
            "method": "GET",
            "headers": null,
            "body": null,
            "header-regexp": [
                {
                    "cookie": "/Set-Cookie: (.+?)$/"
                }
            ],
            "body-regexp": null
        },
        {
            "title": "Login",
            "url": "http://localhost/mysite/",
            "method": "POST",
            "headers": {
                "Cookie": "§cookie§",
                "Content-Type": "application/x-www-form-urlencoded"
            },
            "body": "username=admin&password=s3cr3t",
            "header-regexp": [
                {
                    "next_url": "/Location: (.+)/"
                }
            ],
            "body-regexp": null,
            "extra_guzzle_options": [
                {
                    "allow_redirects": false
                }
            ]
        },
        {
            "title": "Get the email",
            "url": "http://localhost§next_url§",
            "method": "GET",
            "headers": {
                "Cookie": "§cookie§"
            },
            "body": null,
            "header-regexp": [
                {
                    "content_type": "/Content-Type: (.+)/",
                    "pragma": "/Pragma: (.+)/"
                }
            ],
            "body-regexp": [
                {
                    "email": "/<p>Your email is (.+)!<\\/p>/"
                }
            ],
            "header-expected":
            {
                "content_type": "text/html; charset=UTF-8",
                "pragma": "no-cache"
            },
            "body-expected":
            {
                "email": "dude@dudelang.com"
            }
        },
        {
            "title": "Get the flags",
            "url": "http://localhost§next_url§?email=§email§",
            "method": "GET",
            "headers": {
                "Cookie": "§cookie§"
            },
            "body": null,
            "header-regexp": [
                {
                    "flag1": "/Set-Cookie: flag2=(.+?);/"
                }
            ],
            "body-regexp": [
                {
                    "flag2": "/<p>Congratulations, the flag is: (.+?)<\\/p>/"
                }
            ]
        }
    ]
}
```

Every JSON object is an HTTP request with specific parameters:
- **configuration -> verbose_level**: the verbosity of the output. It accepts values from 1 to 3
- **title**: the title of the to request
- **url**: the URL to request
- **method**: GET|POST (you could also use PUT, DELETE, etc, but not yet tested!)
- **headers**: a JSON array with all headers you want to send with the request
- **body**: the body of the request in case you send a POST request
- **header-regexp**: an array of regular expressions you want to use to extract values from the headers. IMPORTANT: only the first value per regexp will be matched
- **body-regexp**: like header-regexp, but the values will be matched against the response body
- **header-expected**: an array of key/value to look for in the response headers (useful for test purpose)
- **body-expected**: an array of key/value to look for in the body headers (useful for test purpose)
- **extra_guzzle_options**: array of extra Guzzle options. Here you can find a full list of options: https://docs.guzzlephp.org/en/stable/request-options.html

Example:

```php
"next_url": "/Location: (.+?)$/"
```

This will match the redirection after the first request, for example:
```http
Location: /mysite/welcome
```

If match happens, you can use
```php
§next_url§
```

as a variable on the next requests, so the 2nd url will change from:
```json
"url": "http://localhost§next_url§",
```
to:
```json
"url": "http://localhost/mysite/welcome",
```

until you match another **next_url** values with another regular expression with the next requests.

## TODO
 - better error handling
 - add some logics, so for example the script can restart from a specific request after getting some specific results from the variables
Adding README 2021-01-23 12:45:42 +01:00			`# HTTP Chained Requests Automator`
			`This PHP script automates and chains HTTP requests, extracting values from headers or body and use them for the next requests. Very useful for penetration tests.`

Added screenshot to README 2021-01-23 15:35:19 +01:00			`![image](https://github.com/loviuz/http-chained-requests-automator/blob/main/screenshots/hcra.jpg?raw=true)`

Adding README 2021-01-23 12:45:42 +01:00			`It has been ispired by a business-logic challenge of Port Swigger:`

			`https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-infinite-money`

Fixing README and script name 2021-01-23 12:50:44 +01:00			`## Installation`

			`First download and install composer from here:`

			`https://getcomposer.org/download/`

			`Then:`

			```bash
			`$ php composer.phar install`
			```

Adding README 2021-01-23 12:45:42 +01:00			`## Usage`

			```bash
Updated Readme and usage 2021-02-05 00:50:45 +01:00			`$ php hcra.php params.json`
Adding README 2021-01-23 12:45:42 +01:00			```

			`- params.json: is the filename of the JSON file with specifications of the HTTP requests`

			`## Configuration`

			`To configure HTTP request you have to code your custom JSON file. You can start from the example in the repository:`

			```json
Updated Readme and usage 2021-02-05 00:50:45 +01:00			`{`
			`"configuration":`
Adding README 2021-01-23 12:45:42 +01:00			`{`
Updated Readme and usage 2021-02-05 00:50:45 +01:00			`"verbose_level": 1`
			`}`
			`,`
			`"urls": [`
			`{`
			`"title": "First open to get the cookie",`
			`"url": "http://localhost/mysite/",`
			`"method": "GET",`
			`"headers": null,`
			`"body": null,`
			`"header-regexp": [`
			`{`
			`"cookie": "/Set-Cookie: (.+?)$/"`
			`}`
			`],`
			`"body-regexp": null`
Adding README 2021-01-23 12:45:42 +01:00			`},`
Updated Readme and usage 2021-02-05 00:50:45 +01:00			`{`
			`"title": "Login",`
			`"url": "http://localhost/mysite/",`
			`"method": "POST",`
			`"headers": {`
			`"Cookie": "§cookie§",`
			`"Content-Type": "application/x-www-form-urlencoded"`
			`},`
			`"body": "username=admin&password=s3cr3t",`
			`"header-regexp": [`
			`{`
			`"next_url": "/Location: (.+)/"`
			`}`
			`],`
			`"body-regexp": null,`
			`"extra_guzzle_options": [`
			`{`
			`"allow_redirects": false`
			`}`
			`]`
Adding README 2021-01-23 12:45:42 +01:00			`},`
Updated Readme and usage 2021-02-05 00:50:45 +01:00			`{`
			`"title": "Get the email",`
			`"url": "http://localhost§next_url§",`
			`"method": "GET",`
			`"headers": {`
			`"Cookie": "§cookie§"`
			`},`
			`"body": null,`
			`"header-regexp": [`
			`{`
			`"content_type": "/Content-Type: (.+)/",`
			`"pragma": "/Pragma: (.+)/"`
			`}`
			`],`
			`"body-regexp": [`
			`{`
			`"email": "/<p>Your email is (.+)!<\\/p>/"`
			`}`
			`],`
			`"header-expected":`
Added Guzzle extra options to README 2021-01-23 15:29:09 +01:00			`{`
Updated Readme and usage 2021-02-05 00:50:45 +01:00			`"content_type": "text/html; charset=UTF-8",`
			`"pragma": "no-cache"`
			`},`
			`"body-expected":`
Added Guzzle extra options to README 2021-01-23 15:29:09 +01:00			`{`
Updated Readme and usage 2021-02-05 00:50:45 +01:00			`"email": "dude@dudelang.com"`
Added Guzzle extra options to README 2021-01-23 15:29:09 +01:00			`}`
Updated Readme and usage 2021-02-05 00:50:45 +01:00			`},`
			`{`
			`"title": "Get the flags",`
			`"url": "http://localhost§next_url§?email=§email§",`
			`"method": "GET",`
			`"headers": {`
			`"Cookie": "§cookie§"`
			`},`
			`"body": null,`
			`"header-regexp": [`
			`{`
			`"flag1": "/Set-Cookie: flag2=(.+?);/"`
			`}`
			`],`
			`"body-regexp": [`
			`{`
			`"flag2": "/<p>Congratulations, the flag is: (.+?)<\\/p>/"`
			`}`
			`]`
			`}`
			`]`
			`}`
Adding README 2021-01-23 12:45:42 +01:00			```

			`Every JSON object is an HTTP request with specific parameters:`
Updated Readme 2021-02-05 00:45:44 +01:00			`- configuration -> verbose_level: the verbosity of the output. It accepts values from 1 to 3`
			`- title: the title of the to request`
Adding README 2021-01-23 12:45:42 +01:00			`- url: the URL to request`
			`- method: GET\|POST (you could also use PUT, DELETE, etc, but not yet tested!)`
			`- headers: a JSON array with all headers you want to send with the request`
			`- body: the body of the request in case you send a POST request`
			`- header-regexp: an array of regular expressions you want to use to extract values from the headers. IMPORTANT: only the first value per regexp will be matched`
			`- body-regexp: like header-regexp, but the values will be matched against the response body`
Updated Readme 2021-02-05 00:45:44 +01:00			`- header-expected: an array of key/value to look for in the response headers (useful for test purpose)`
			`- body-expected: an array of key/value to look for in the body headers (useful for test purpose)`
Added Guzzle extra options to README 2021-01-23 15:29:09 +01:00			`- extra_guzzle_options: array of extra Guzzle options. Here you can find a full list of options: https://docs.guzzlephp.org/en/stable/request-options.html`
Adding README 2021-01-23 12:45:42 +01:00
			`Example:`

			```php
			`"next_url": "/Location: (.+?)$/"`
			```

			`This will match the redirection after the first request, for example:`
			```http
			`Location: /mysite/welcome`
			```

			`If match happens, you can use`
			```php
			`§next_url§`
			```

			`as a variable on the next requests, so the 2nd url will change from:`
			```json
			`"url": "http://localhost§next_url§",`
			```
			`to:`
			```json
			`"url": "http://localhost/mysite/welcome",`
			```

			`until you match another next_url values with another regular expression with the next requests.`

			`## TODO`
Added screenshot to README 2021-01-23 15:35:19 +01:00			`- better error handling`
			`- add some logics, so for example the script can restart from a specific request after getting some specific results from the variables`