http-garden: Differential testing and fuzzing of HTTP servers and proxies

The HTTP Garden

The HTTP Garden is a collection of HTTP servers and proxies configured to be composable, along with scripts to interact with them in a way that makes finding vulnerabilities much easier. For some cool demos of the vulnerabilities that you can find with the HTTP Garden, check out our ShmooCon 2024 talk.

Directory Layout

images

The images directory contains a subdirectory for each HTTP server and transducer in the Garden. Each target gets its own Docker image. All programs are built from sources inside Docker images based on Debian Bookworm when possible. So that we can easily build multiple versions of each target, nearly all targets have an APP_VERSION build argument which can usually be set to any tag, branch, or commit hash from the project’s repository.

tools

The tools directory contains the scripts that are used to interact with the servers.

Containers

HTTP Servers

Name Version Traced?
aiohttp master yes
apache trunk yes
bun main no
cherrypy main no
daphne main yes
deno main no
fasthttp master no
go_net_http master no
gunicorn master no
h2o master yes
hyper master no
hypercorn main no
jetty jetty-12.0.x no
libevent master no
libsoup master no
lighttpd master yes
mongoose master yes
nginx default yes
nodejs main no
ols 1.7.19 no
passenger stable-6.0 no
proxygen main no
puma master no
tomcat main no
tornado master yes
uhttpd master yes
unicorn master no
uvicorn master yes
waitress main yes
webrick master no
werkzeug main no

HTTP Proxies

Name Version
apache_proxy trunk
ats master
caddy_proxy master
h2o_proxy master
haproxy master
nghttpx master
nginx_proxy default
ols_proxy 1.7.19
pound master
squid master
varnish master

WIP/Unused Targets

Name Reason
beast Resource leak in harness
mako Can’t figure out how to read an arbitrary message body.
nghttp2 Only speaks HTTP/2
thin Doesn’t understand chunked bodies
uwsgi Doesn’t understand chunked bodies
nginx_unit I don’t remember
civetweb WIP
caddy Uses Go net/http under the hood
daedalus Really slow to build and requires an annoying script
wsgiref Wasn’t responding to requests from outside the container
envoy Takes 10,000 years to build
traefik Long build times; uses Go net/http under the hood

External Targets

If you have external services (probably CDNs or servers that you can’t run in Docker) that you want to add to the Garden, we do support that. See the bottom of external-services.yml for some more details on that.

Install & Use

Copyright (C) 2024 narfindustries