http-chained-requests-automator/README.md

# HTTP Chained Requests Automator
This PHP script automates and chains HTTP requests, extracting values from headers or body and use them for the next requests. Very useful for penetration tests.

![image](https://github.com/loviuz/http-chained-requests-automator/blob/main/screenshots/hcra.jpg?raw=true)

It has been ispired by a business-logic challenge of Port Swigger:

https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-infinite-money

## Installation

First download and install **composer** from here:

https://getcomposer.org/download/

Then:

```bash
$ php composer.phar install
```

## Usage

```bash
$ php hcra.php params.json
```

- params.json: is the filename of the JSON file with specifications of the HTTP requests

## Configuration

To configure HTTP request you have to code your custom JSON file. You can start from the example in the repository:

```json
{
    "configuration": 
    {
        "verbose_level": 1
    }
    ,
    "urls": [
        {
            "title": "First open to get the cookie",
            "url": "http://localhost/mysite/",
            "method": "GET",
            "headers": null,
            "body": null,
            "header-regexp": [
                {
                    "cookie": "/Set-Cookie: (.+?)$/"
                }
            ],
            "body-regexp": null
        },
        {
            "title": "Login",
            "url": "http://localhost/mysite/",
            "method": "POST",
            "headers": {
                "Cookie": "§cookie§",
                "Content-Type": "application/x-www-form-urlencoded"
            },
            "body": "username=admin&password=s3cr3t",
            "header-regexp": [
                {
                    "next_url": "/Location: (.+)/"
                }
            ],
            "body-regexp": null,
            "extra_guzzle_options": [
                {
                    "allow_redirects": false
                }
            ]
        },
        {
            "title": "Get the email",
            "url": "http://localhost§next_url§",
            "method": "GET",
            "headers": {
                "Cookie": "§cookie§"
            },
            "body": null,
            "header-regexp": [
                {
                    "content_type": "/Content-Type: (.+)/",
                    "pragma": "/Pragma: (.+)/"
                }
            ],
            "body-regexp": [
                {
                    "email": "/<p>Your email is (.+)!<\\/p>/"
                }
            ],
            "header-expected":
            {
                "content_type": "text/html; charset=UTF-8",
                "pragma": "no-cache"
            },
            "body-expected":
            {
                "email": "dude@dudelang.com"
            }
        },
        {
            "title": "Get the flags",
            "url": "http://localhost§next_url§?email=§email§",
            "method": "GET",
            "headers": {
                "Cookie": "§cookie§"
            },
            "body": null,
            "header-regexp": [
                {
                    "flag1": "/Set-Cookie: flag2=(.+?);/"
                }
            ],
            "body-regexp": [
                {
                    "flag2": "/<p>Congratulations, the flag is: (.+?)<\\/p>/"
                }
            ]
        }
    ]
}
```

Every JSON object is an HTTP request with specific parameters:
- **configuration -> verbose_level**: the verbosity of the output. It accepts values from 1 to 3
- **title**: the title of the to request
- **url**: the URL to request
- **method**: GET|POST (you could also use PUT, DELETE, etc, but not yet tested!)
- **headers**: a JSON array with all headers you want to send with the request
- **body**: the body of the request in case you send a POST request
- **header-regexp**: an array of regular expressions you want to use to extract values from the headers. IMPORTANT: only the first value per regexp will be matched
- **body-regexp**: like header-regexp, but the values will be matched against the response body
- **header-expected**: an array of key/value to look for in the response headers (useful for test purpose)
- **body-expected**: an array of key/value to look for in the body headers (useful for test purpose)
- **extra_guzzle_options**: array of extra Guzzle options. Here you can find a full list of options: https://docs.guzzlephp.org/en/stable/request-options.html

Example:

```php
"next_url": "/Location: (.+?)$/"
```

This will match the redirection after the first request, for example:
```http
Location: /mysite/welcome
```

If match happens, you can use
```php
§next_url§
```

as a variable on the next requests, so the 2nd url will change from:
```json
"url": "http://localhost§next_url§",
```
to:
```json
"url": "http://localhost/mysite/welcome",
```

until you match another **next_url** values with another regular expression with the next requests.

## TODO
 - better error handling
 - add some logics, so for example the script can restart from a specific request after getting some specific results from the variables