HTTP Request & Response Service, written in Python + Flask.

Comments
  • Regression with chunked transfer encoding?

    I'm using https://httpbin.org and it looks like chunked transfer encoding does not work any more as expected:

    $ curl -X POST https://httpbin.org/post \
     -d '{"message":"BLA"}' \
     -H 'Content-Type: application/json' \
     -H 'Transfer-Encoding: chunked'
    {
      "args": {}, 
      "data": "", 
      "files": {}, 
      "form": {}, 
      "headers": {
        "Accept": "*/*", 
        "Connect-Time": "1", 
        "Connection": "close", 
        "Content-Type": "application/json", 
        "Host": "httpbin.org", 
        "Total-Route-Time": "0", 
        "Transfer-Encoding": "chunked", 
        "User-Agent": "curl/7.50.1", 
        "Via": "1.1 vegur", 
        "X-Request-Id": "2a06bd5b-06dc-4ced-ac89-fe83cbb6771c"
      }, 
      "json": null, 
      "origin": "<removed>", 
      "url": "https://httpbin.org/post"
    }
    

    Observe that data and json do not contain the posted data. The same request works as expected without chunked transfer encoding:

    $ curl -X POST https://httpbin.org/post \
     -d '{"message":"BLA"}' \
     -H 'Content-Type: application/json'
    {
      "args": {}, 
      "data": "{\"message\":\"BLA\"}", 
      "files": {}, 
      "form": {}, 
      "headers": {
        "Accept": "*/*", 
        "Connect-Time": "0", 
        "Connection": "close", 
        "Content-Length": "17", 
        "Content-Type": "application/json", 
        "Host": "httpbin.org", 
        "Total-Route-Time": "0", 
        "User-Agent": "curl/7.50.1", 
        "Via": "1.1 vegur", 
        "X-Request-Id": "dfbaa440-9871-4a3c-b482-35a68459722a"
      }, 
      "json": {
        "message": "BLA"
      }, 
      "origin": "<removed>", 
      "url": "https://httpbin.org/post"
    }
    

    Am I missing something?

    opened by pb- 58
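As an added example (not httpbin's, Flask's or the poster's code), the decoder below shows the step that has to happen before a WSGI application can see the body of the first request above: the chunked framing must be removed, and a reader that only honours Content-Length sees nothing because that header is absent. The sample bodies are constructed from the 17-byte JSON document in the issue; the size limit and the decision to reject a request carrying both Transfer-Encoding and Content-Length are this example's own choices.

```python
"""Decode a Transfer-Encoding: chunked request body and apply the
message-framing rules a server follows before a WSGI app reads the body.
Added example; this is not httpbin's, Flask's or the poster's code."""
from __future__ import annotations

import re
from typing import Mapping, Optional

# chunk-size in hex, optionally followed by ";" and chunk extensions
_CHUNK_SIZE = re.compile(rb"^([0-9a-fA-F]{1,16})(?:;.*)?$")


class FramingError(ValueError):
    """Malformed or ambiguous message framing."""


def decode_chunked(raw: bytes, max_body: int = 1 << 20) -> bytes:
    """Return the de-chunked payload; any deviation from the RFC 7230
    chunked framing is an error rather than something to recover from."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("chunk-size line not terminated by CRLF")
        m = _CHUNK_SIZE.match(raw[pos:eol])
        if m is None:
            raise FramingError(f"bad chunk-size line: {raw[pos:eol]!r}")
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk
        if len(out) + size > max_body:
            raise FramingError("decoded body exceeds limit")
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data truncated or not followed by CRLF")
        out += raw[pos:pos + size]
        pos += size + 2
    # trailer section: zero or more header lines, then one empty line
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("trailer section not terminated")
        blank = eol == pos
        pos = eol + 2
        if blank:
            break
    if pos != len(raw):
        raise FramingError(f"{len(raw) - pos} byte(s) after the last-chunk")
    return bytes(out)


def request_body(headers: Mapping[str, str], raw: bytes) -> bytes:
    """Pick the body out of `raw` using the RFC 7230 section 3.3.3 rules.

    Constructed policy: a request carrying both Transfer-Encoding and
    Content-Length has ambiguous framing and is refused (RFC 7230 allows
    a server to reject such a message) instead of guessing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    te, cl = h.get("transfer-encoding"), h.get("content-length")
    if te is not None and cl is not None:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te is not None:
        if te.strip().lower() != "chunked":
            raise FramingError(f"unsupported transfer coding: {te!r}")
        return decode_chunked(raw)
    if cl is not None:
        if not cl.isdigit():
            raise FramingError(f"invalid Content-Length: {cl!r}")
        if len(raw) < int(cl):
            raise FramingError("body shorter than Content-Length")
        return raw[:int(cl)]
    return b""  # neither header on a request: the body is empty


def body_or_none(headers: Mapping[str, str], raw: bytes) -> Optional[bytes]:
    """Convenience wrapper: None where request_body would refuse the message."""
    try:
        return request_body(headers, raw)
    except FramingError:
        return None


# Constructed wire bodies for the issue's 17-byte (0x11) JSON document.
CHUNKED_BODY = b'11\r\n{"message":"BLA"}\r\n0\r\n\r\n'
# The same document split over two chunks, with a chunk extension and a trailer.
SPLIT_BODY = (b'5\r\n{"mes\r\n'
              b'c;ext=1\r\nsage":"BLA"}\r\n'
              b'0\r\nX-Trailer: demo\r\n\r\n')

if __name__ == "__main__":
    print(request_body({"Transfer-Encoding": "chunked"}, CHUNKED_BODY))
    print(request_body({}, CHUNKED_BODY))  # no framing header honoured: b''
```

Whether a Flask view sees the body therefore depends on the WSGI server or proxy in front of it having performed this de-chunking; the app itself only reads what the stream hands it.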
  • /redirect-to returns 404

    All the /redirect-to endpoints are returning 404s.

    $ curl -v -X GET "http://httpbin.org/redirect-to?url=http://httpbin.org/get"
    *   Trying 34.235.192.52...
    * TCP_NODELAY set
    * Connected to httpbin.org (34.235.192.52) port 80 (#0)
    > GET /redirect-to?url=http://httpbin.org/get HTTP/1.1
    > Host: httpbin.org
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 404 Not Found
    < Server: awselb/2.0
    < Date: Sat, 20 Jun 2020 06:48:23 GMT
    < Content-Type: text/plain; charset=utf-8
    < Content-Length: 0
    < Connection: keep-alive
    <
    * Connection #0 to host httpbin.org left intact
    * Closing connection 0
    
    bug 
    opened by codenirvana 21
  • 0.6.2: self test failure: `static/` missing

    When running the self tests for the pypi distfile of 0.6.2 on NetBSD 8.99.7/amd64 with python-3.6.3, I see the following test failure:

    httpbin (unittest.loader._FailedTest) ... ERROR
    
    ======================================================================
    ERROR: httpbin (unittest.loader._FailedTest)
    ----------------------------------------------------------------------
    ImportError: Failed to import test module: httpbin
    Traceback (most recent call last):
      File "/usr/pkg/lib/python3.6/unittest/loader.py", line 462, in _find_test_path
        package = self._get_module_from_name(name)
      File "/usr/pkg/lib/python3.6/unittest/loader.py", line 369, in _get_module_from_name
        __import__(name)
      File "/scratch/www/py-httpbin/work/httpbin-0.6.2/httpbin/__init__.py", line 3, in <module>
        from .core import *
      File "/scratch/www/py-httpbin/work/httpbin-0.6.2/httpbin/core.py", line 61, in <module>
        common = Common(app)
      File "/usr/pkg/lib/python3.6/site-packages/flask_common.py", line 95, in __init__
        self.init_app(app)
      File "/usr/pkg/lib/python3.6/site-packages/flask_common.py", line 112, in init_app
        app.wsgi_app = WhiteNoise(app.wsgi_app, root=url_for('static', filename='')[1:])
      File "/usr/pkg/lib/python3.6/site-packages/whitenoise/base.py", line 61, in __init__
        self.add_files(root, prefix)
      File "/usr/pkg/lib/python3.6/site-packages/whitenoise/base.py", line 96, in add_files
        self.update_files_dictionary(root, prefix)
      File "/usr/pkg/lib/python3.6/site-packages/whitenoise/base.py", line 101, in update_files_dictionary
        stat_cache = dict(scantree(root))
      File "/usr/pkg/lib/python3.6/site-packages/whitenoise/scantree.py", line 21, in scantree
        for entry in scandir(root):
    FileNotFoundError: [Errno 2] No such file or directory: 'static/'
    
    
    opened by 0-wiz-0 20
  • [RFC] Dockerize

    For ease of deployment it might be helpful to have a Docker container that runs httpbin. This is a simple first step down that road.

    Before merging, it might be worth trying to optimise this image somewhat. For example, it might be better to use Debian as the base rather than Ubuntu. It might also be worth trying to remove the artifacts of the build step, make the number of gunicorn workers parameterizable, or something else interesting. I'm happy to make those changes and test them.

    opened by Lukasa 20
  • Expose WWW-Authenticate header for CORS & Add hidden-digest-auth service

    Added the header Access-Control-Expose-Headers=WWW-Authenticate to the unauthorized response of digest authentication to enable ajax applications to have access to this header and perform the digest auth. Fixes #205.

    Also created the 'hidden-digest-auth' service which returns a 404 status code instead of 401, preventing the browser from prompting the user for credentials in ajax applications. Closes #209.

    opened by reinert 17
  • Update PyPI page

    https://pypi.python.org/pypi/httpbin has old contact info.

    setup.py looks to already be updated. So a python setup.py register is probably all that is needed.

    Bonus points to convert the description to RST so it can be displayed nicely.

    opened by msabramo 16
  • Digest authentication requires Cookie header for auth to succeed

    Everything works as expected from a web browser. As it should.

    But I can't get my Java client code to work. I'm 99% sure I'm generating the correct MD5s, but could somebody please walk me through the steps? Must be something I don't understand there. Here's what I'm doing now:

    1. create a HttpURLConnection to http://httpbin.org/digest-auth/auth/user/passwd
    2. connect, try to read the response back
    3. get an Exception (as expected, the 401 response)
    4. disconnect
    5. get the "WWW-Authenticate" header that was returned, with nonce, etc...
    6. create a new HttpURLConnection to http://httpbin.org/digest-auth/auth/user/passwd
    7. Create the response, put it into "Authorization" header
    8. connect(), try to read the response
    9. This always fails with another 401.

    p.s. If it helps I'd be happy to try this at some planned time, to a planned user/password, and let one of you view the log files on the httpbin side to try to see what is happening.

    bug 
    opened by MorganConrad 16
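Steps 5 to 7 above are where the client computes the digest. As an added example (not httpbin's or the poster's code), here is that computation for the MD5 algorithm with qop=auth, paired with the check a server performs on the resulting Authorization header, so that the two sides can be tested against each other offline. The realm, nonce and cnonce values are constructed; the username, password and path match the endpoint in the issue.

```python
"""Digest authentication (RFC 2617 / RFC 7616, algorithm MD5, qop=auth):
client-side header construction and server-side verification.
Added example; not httpbin's code and not the poster's Java client."""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from typing import Callable, Optional


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username: str, password: str, realm: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:auth:HA2) for qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(username: str, password: str, realm: str, method: str,
                        uri: str, nonce: str, nc: str = "00000001",
                        cnonce: Optional[str] = None) -> str:
    """Client side: the Authorization header value for step 7 of the issue."""
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(username, password, realm, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header: str) -> dict[str, str]:
    """Split a Digest header into its key/value pairs (quoted or bare)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: (q if q else b) for k, q, b in _PAIR.findall(rest)}


def verify_authorization(header: str, method: str, request_uri: str,
                         password_for: Callable[[str], Optional[str]],
                         issued_nonces: set[str]) -> bool:
    """Server side: recompute the response and compare in constant time.

    The nonce must be one this server issued, the uri field must be the
    request target actually received, and the lookup must know the user.
    """
    try:
        p = parse_authorization(header)
    except ValueError:
        return False
    required = {"username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce"}
    if not required <= p.keys():
        return False
    if p["qop"] != "auth" or p["nonce"] not in issued_nonces or p["uri"] != request_uri:
        return False
    password = password_for(p["username"])
    if password is None:
        return False
    expected = digest_response(p["username"], password, p["realm"], method,
                               request_uri, p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])


# Constructed values standing in for what a real 401 would carry.
REALM = "example-realm"
NONCE = "constructed-nonce-0123456789abcdef"
PATH = "/digest-auth/auth/user/passwd"
USERS = {"user": "passwd"}

if __name__ == "__main__":
    hdr = build_authorization("user", "passwd", REALM, "GET", PATH, NONCE)
    print(hdr)
    print(verify_authorization(hdr, "GET", PATH, USERS.get, {NONCE}))
```

Note that the method and request-URI enter HA2, so a header computed for one GET is not valid for a POST or for another path, and a response built with the wrong password fails the comparison without revealing which field was wrong.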
  • HTTP 500 errors for digest auth

    As of earlier today my http client unit tests started failing because the digest-auth endpoint returns HTTP 500 instead of 200 for correct credentials. Example:

    curl https://eu.httpbin.org/digest-auth/auth/jerry/secret -v -u jerry:secret
    

    Has there been a new deployment? It was working OK for the past months, maybe even years.

    opened by jeroen 15
  • /redirect-to POST, added support for url/status_code in form-data

    Here's a further fix for /redirect-to POST support as discussed in #476. The previous change allowed POST to send url and status_code in form-data, but broke query-string support for the same (a la GET).

    url (required) and status_code can now still appear in the query-string for GET or POST, but for POST/PATCH/PUT, if they appear in the body form-data then the values from there are used in favour of any in the query-string. This allows testing "traditional" POST with a form payload.

    /cc #476 @eturk1

    opened by javabrett 12
  • Make httpbin OS independent again

    See https://github.com/kennethreitz/flask-common/issues/4 . Currently it is not possible to install httpbin on Windows machines. It fails with the following error:

    $ pip install httpbin
    Collecting httpbin
      Downloading httpbin-0.6.2-py2.py3-none-any.whl (87kB)
        100% |████████████████████████████████| 92kB 163kB/s
    Collecting brotlipy (from httpbin)
      Using cached brotlipy-0.7.0-cp36-cp36m-win_amd64.whl
    Requirement already satisfied: decorator in c:\users\a\appdata\local\programs\python\python36\lib\site-packages (from httpbin)
    Collecting flask-limiter (from httpbin)
      Using cached Flask-Limiter-0.9.5.1.tar.gz
    Collecting Flask-Common (from httpbin)
      Using cached Flask-Common-0.2.0.tar.gz
    Requirement already satisfied: itsdangerous in c:\users\a\appdata\local\programs\python\python36\lib\site-packages (from httpbin)
    Requirement already satisfied: Flask in c:\users\a\appdata\local\programs\python\python36\lib\site-packages (from httpbin)
    Requirement already satisfied: six in c:\users\a\appdata\local\programs\python\python36\lib\site-packages (from httpbin)
    Collecting raven[flask] (from httpbin)
      Downloading raven-6.2.1-py2.py3-none-any.whl (285kB)
        100% |████████████████████████████████| 286kB 427kB/s
    Requirement already satisfied: MarkupSafe in c:\users\a\appdata\local\programs\python\python36\lib\site-packages (from httpbin)
    Collecting cffi>=1.0.0 (from brotlipy->httpbin)
      Downloading cffi-1.11.2-cp36-cp36m-win_amd64.whl (166kB)
        100% |████████████████████████████████| 174kB 846kB/s
    Collecting limits (from flask-limiter->httpbin)
      Using cached limits-1.2.1.tar.gz
    Collecting Gunicorn (from Flask-Common->httpbin)
      Using cached gunicorn-19.7.1-py2.py3-none-any.whl
    Collecting WhiteNoise (from Flask-Common->httpbin)
      Downloading whitenoise-3.3.1-py2.py3-none-any.whl
    Collecting crayons (from Flask-Common->httpbin)
      Using cached crayons-0.1.2.tar.gz
    Collecting maya (from Flask-Common->httpbin)
      Downloading maya-0.3.3-py2.py3-none-any.whl
    Collecting flask_cache (from Flask-Common->httpbin)
      Using cached Flask-Cache-0.13.1.tar.gz
    Collecting meinheld (from Flask-Common->httpbin)
      Using cached meinheld-0.6.1.tar.gz
        Complete output from command python setup.py egg_info:
        Are you really running a posix compliant OS ?
        Be posix compliant is mandatory
    
        ----------------------------------------
    Command "python setup.py egg_info" failed with error code 1 in C:\Users\a\AppData\Local\Temp\pip-build-prc752k3\meinheld\
    

    httpbin 0.5.0 didn't have this issue. Thanks!

    opened by 5j9 12
  • Add range request functionality

    A basic implementation of range requests: http://svn.tools.ietf.org/svn/wg/httpbis/specs/rfc7233.html

    Allows querying http://httpbin.org/range-request/1024?duration=s&chunk_size=code, specifying Range headers that allow selecting specific portions of the resource to GET.

    opened by dshirley 12
  • Docker build fails with python dependency error

    Hi Team,

    I cloned the httpbin repo with tag v0.6.1 and tried to build the Docker image using the command docker build, but it seems to fail while installing the Python dependencies. I got this error: Downloading limits-1.6.tar.gz (37 kB)

    Collecting WhiteNoise
      Downloading whitenoise-5.2.0-py2.py3-none-any.whl (19 kB)
    ERROR: Package 'WhiteNoise' requires a different Python: 2.7.18 not in '>=3.5, <4'
    WARNING: You are using pip version 20.0.2; however, version 20.3.4 is available.
    You should consider upgrading via the '/usr/local/bin/python -m pip install --upgrade pip' command.
    

    It seems it is not taking the proper version mentioned in Pipfile.lock; can you please help with this?

    opened by AnkitBhalla22 0
  • docker build fails

    (Technically it doesn't fail, but deps aren't installed because pipenv throws an exception in the process substitution in the Dockerfile. It appears process substitution needs special treatment to catch errors, and that's why the error is eaten.)

    I'm opening this more as a courtesy; I don't think this is actively maintained anymore. :shrug:

    opened by winny- 0
  • Pin pipenv version

    Pipenv dropped support for Python 3.6

    • https://github.com/pypa/pipenv/issues/5065
    • https://github.com/pypa/pipenv/releases/tag/v2022.4.21

    Description of bug: Running docker compose build && docker compose up would fail with the message ERROR: for httpbin Cannot start service httpbin: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "gunicorn": executable file not found in $PATH: unknown since pipenv was failing to set up any libraries.

    opened by elliott-king 0
  • fix Werkzeug 2.1.x compatibility

    • fix httpbin/core.py: use Response class instead of BaseResponse, see: https://github.com/pallets/werkzeug/pull/2276

    • fix tests: TestClient doesn't provide 'Content-Length' header by default anymore, see: https://github.com/pallets/werkzeug/issues/2347

    opened by dshein-alt 0
  • multipart/form-data requests of multiple files on the same parameter are not returned

    With the following code that sends multiple files to https://httpbin.org/anything only one of them is returned in the payload.

    const form = new FormData();
    
    const files = [
      new File(
        [
          'data:image/png;name=owlbert.png;base64,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',
        ],
        'owlbert.png',
        { type: 'image/png' }
      ),
      new File(
        [
          'data:image/png;name=owlbert-shrub.png;base64,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',
        ],
        'owlbert-shrub.png',
        { type: 'image/png' }
      )
    ];
    
    for (const file of files) {
      form.append('files', file, file.name);
    }
    
    fetch('https://httpbin.org/anything', {
      method: 'post',
      body: form,
    })
      .then(res => res.json())
      .then(console.log);
    
    {
      "args": {},
      "data": "",
      "files": {
        "files": "data:image/png;name=owlbert.png;base64,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"
      },
      "form": {},
      "headers": {
        "Accept": "*/*",
        "Accept-Encoding": "gzip, deflate, br",
        "Accept-Language": "en-US,en;q=0.9",
        "Content-Length": "1784",
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarywCjQuPHebN5OoDBI",
        "Host": "httpbin.org",
        "Origin": "http://httpbin.org",
        "Referer": "http://httpbin.org/",
        "Sec-Ch-Ua": "\".Not/A)Brand\";v=\"99\", \"Google Chrome\";v=\"103\", \"Chromium\";v=\"103\"",
        "Sec-Ch-Ua-Mobile": "?0",
        "Sec-Ch-Ua-Platform": "\"macOS\"",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "cross-site",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
        "X-Amzn-Trace-Id": "REDACTED"
      },
      "json": null,
      "method": "POST",
      "origin": "REDACTED",
      "url": "https://httpbin.org/anything"
    }
    

    However, both files are actually being delivered but only owlbert.png was returned:

    (screenshot attached: Screen Shot 2022-07-26 at 10 28 40 AM)

    In order to rule out that this was an HTTPBin issue I spun up a small Express server to test this out with multer and the multiple files are returned:

    const express = require('express')
    const multer = require('multer')
    const upload = multer({ dest: 'uploads/' })
    
    const app = express()
    
    app.post('/', upload.array('files', 12), function (req, res, next) {
      console.log(req.files)
    })
    
    const port = 3000;
    
    app.listen(port);
    console.log(`Express app started on port ${port}`);
    

    And the logged out data from sending the same POST request to http://localhost:3000/:

    [
      {
        fieldname: 'files',
        originalname: 'owlbert.png',
        encoding: '7bit',
        mimetype: 'image/png',
        destination: 'uploads/',
        filename: '4c9a0a2c4360b21d9da215270d4ce7a5',
        path: 'uploads/4c9a0a2c4360b21d9da215270d4ce7a5',
        size: 575
      },
      {
        fieldname: 'files',
        originalname: 'owlbert-shrub.png',
        encoding: '7bit',
        mimetype: 'image/png',
        destination: 'uploads/',
        filename: '5456576fa1b1f17b517b15085d618327',
        path: 'uploads/5456576fa1b1f17b517b15085d618327',
        size: 877
      }
    ]
    

    I also thought that maybe it was because I was sending the payload as files instead of files[], but making a request with that returned similar results:

    {
      "args": {},
      "data": "",
      "files": {
        "files[]": "data:image/png;name=owlbert.png;base64,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"
      },
      "form": {},
      "headers": {
        "Accept": "*/*",
        "Accept-Encoding": "gzip, deflate, br",
        "Accept-Language": "en-US,en;q=0.9",
        "Content-Length": "1788",
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryB0dcYW2WEwUoiUgo",
        "Host": "httpbin.org",
        "Origin": "http://httpbin.org",
        "Referer": "http://httpbin.org/",
        "Sec-Ch-Ua": "\".Not/A)Brand\";v=\"99\", \"Google Chrome\";v=\"103\", \"Chromium\";v=\"103\"",
        "Sec-Ch-Ua-Mobile": "?0",
        "Sec-Ch-Ua-Platform": "\"macOS\"",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "cross-site",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
        "X-Amzn-Trace-Id": "REDACTED"
      },
      "json": null,
      "method": "POST",
      "origin": "REDACTED",
      "url": "https://httpbin.org/anything"
    }
    
    opened by erunion 1
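The response above maps each field name to a single value, which is how the second file disappears. As an added example (not httpbin's, Flask's or the poster's code), the parser below reads the same kind of multipart/form-data body with the standard library's email parser and keeps every part per field name, then shows what a reader that exposes only the first part per name returns. The body, boundary and base64 payloads are constructed stand-ins for the issue's files.

```python
"""Parse a multipart/form-data body and keep every part, including several
parts that share one field name. Added example; not httpbin's own code."""
from __future__ import annotations

from email.parser import BytesParser
from typing import Optional

Part = tuple[Optional[str], bytes]  # (filename, payload bytes)


def parse_multipart(content_type: str, body: bytes) -> dict[str, list[Part]]:
    """Return {field name: [(filename, payload), ...]} preserving repeats.

    multipart/form-data borrows RFC 2046 framing, so the stdlib email
    parser can walk it once a Content-Type header line is prepended.
    """
    raw = f"Content-Type: {content_type}\r\n\r\n".encode("ascii") + body
    msg = BytesParser().parsebytes(raw)
    if not msg.is_multipart():
        raise ValueError("not a multipart body")
    fields: dict[str, list[Part]] = {}
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        if name is None:
            continue  # a part without a field name is not form data
        fields.setdefault(name, []).append(
            (part.get_filename(), part.get_payload(decode=True)))
    return fields


def collapse_first(fields: dict[str, list[Part]]) -> dict[str, bytes]:
    """Mirror a reader that keeps one value per field name (first wins).
    This is the shape of the issue's output: the second file is dropped."""
    return {name: parts[0][1] for name, parts in fields.items()}


# Constructed body: two files appended under the same field name "files".
BOUNDARY = "----WebKitFormBoundaryCONSTRUCTED"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"


def _file_part(name: str, filename: str, ctype: str, data: str) -> str:
    return (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
            f"Content-Type: {ctype}\r\n\r\n{data}\r\n")


SAMPLE_BODY = (
    _file_part("files", "owlbert.png", "image/png",
               "data:image/png;name=owlbert.png;base64,<constructed>")
    + _file_part("files", "owlbert-shrub.png", "image/png",
                 "data:image/png;name=owlbert-shrub.png;base64,<constructed>")
    + f"--{BOUNDARY}--\r\n"
).encode("ascii")

if __name__ == "__main__":
    fields = parse_multipart(CONTENT_TYPE, SAMPLE_BODY)
    print({k: [fn for fn, _ in v] for k, v in fields.items()})
    print(collapse_first(fields))
```

A server that wants to echo uploads faithfully needs the list form; a dict keyed only by field name can never represent two parts with the same name, whatever the field is called.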
  • DOM XSS due to old SwaggerUI version

    Hello,

    httpbin uses an old version of Swagger-UI under the hood which is vulnerable to DOM XSS by adding a malicious yaml file as value to the query parameter url

    Steps To Reproduce:

    1. Host a malicious .yaml file with the payload inside:
    swagger: '2.0'
    info:
      title: Example yaml.spec
      description: |
        <math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' onerror='alert(window.origin)'>">
    paths:
      /accounts:
        get:
          responses:
            '200':
              description: No response was specified
          tags:
            - accounts
          operationId: findAccounts
          summary: Finds all accounts
    
    2. Visit the link https://httpbin.org?url=https://jumpy-floor.surge.sh/test.yaml. Here I use the publicly available PoC posted on the reference article and the public instance of httpbin for ease. You can test it on another instance you spin up and use a payload you host if you prefer.
    3. Observe the pop-up window.

    Supporting Material/References:

    This is a bug in older SwaggerUI version that use an older version of DOMPurify to sanitize html. You can read more about it here: https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers

    Impact

    Run javascript in the victim's browser

    Mitigation

    Upgrade Swagger-UI version to the latest which mitigates this.

    A few notes

    I sent you an email regarding this and got no reply so I am opening an issue here. Since there is another XSS reported 2 years ago or so and you haven't responded to that, I assume you don't care about XSS in general.

    However, I decided to report this for 2 reasons

    1. It was already fixed by Swagger-UI and using the latest versions of dependencies is Security 101
    2. I am a bug bounty hunter on hackerone.com. Most programs accept 0-day reports no earlier than after 30 days of publication. I've come across some instances of this and I want to report them and since I believe this is a 0-day I wanted to make it public for this reason.

    Best Regards,

    rhinestonecowboy

    opened by chilikeys 0
Releases(v0.6.1)
Owner
Postman Inc.