http-garden: Differential testing and fuzzing of HTTP servers and proxies
The HTTP Garden
The HTTP Garden is a collection of HTTP servers and proxies configured to be composable, along with scripts to interact with them in a way that makes finding vulnerabilities much easier. For some cool demos of the vulnerabilities that you can find with the HTTP Garden, check out our ShmooCon 2024 talk.
Directory Layout
images
The images directory contains a subdirectory for each HTTP server and transducer in the Garden. Each target gets its own Docker image. All programs are built from sources inside Docker images based on Debian Bookworm when possible. So that we can easily build multiple versions of each target, nearly all targets have an APP_VERSION build argument which can usually be set to any tag, branch, or commit hash from the project’s repository.
tools
The tools directory contains the scripts that are used to interact with the servers.
Containers
HTTP Servers
| Name | Version | Traced? |
|---|---|---|
| aiohttp | master | yes |
| apache | trunk | yes |
| bun | main | no |
| cherrypy | main | no |
| daphne | main | yes |
| deno | main | no |
| fasthttp | master | no |
| go_net_http | master | no |
| gunicorn | master | no |
| h2o | master | yes |
| hyper | master | no |
| hypercorn | main | no |
| jetty | jetty-12.0.x | no |
| libevent | master | no |
| libsoup | master | no |
| lighttpd | master | yes |
| mongoose | master | yes |
| nginx | default | yes |
| nodejs | main | no |
| ols | 1.7.19 | no |
| passenger | stable-6.0 | no |
| proxygen | main | no |
| puma | master | no |
| tomcat | main | no |
| tornado | master | yes |
| uhttpd | master | yes |
| unicorn | master | no |
| uvicorn | master | yes |
| waitress | main | yes |
| webrick | master | no |
| werkzeug | main | no |
HTTP Proxies
| Name | Version |
|---|---|
| apache_proxy | trunk |
| ats | master |
| caddy_proxy | master |
| h2o_proxy | master |
| haproxy | master |
| nghttpx | master |
| nginx_proxy | default |
| ols_proxy | 1.7.19 |
| pound | master |
| squid | master |
| varnish | master |
WIP/Unused Targets
| Name | Reason |
|---|---|
| beast | Resource leak in harness |
| mako | Can’t figure out how to read an arbitrary message body. |
| nghttp2 | Only speaks HTTP/2 |
| thin | Doesn’t understand chunked bodies |
| uwsgi | Doesn’t understand chunked bodies |
| nginx_unit | I don’t remember |
| civetweb | WIP |
| caddy | Uses Go net/http under the hood |
| daedalus | Really slow to build and requires an annoying script |
| wsgiref | Wasn’t responding to requests from outside the container |
| envoy | Takes 10,000 years to build |
| traefik | Long build times; uses Go net/http under the hood |
External Targets
If you have external services (probably CDNs or servers that you can’t run in Docker) that you want to add to the Garden, we do support that. See the bottom of external-services.yml for some more details on that.
Install & Use
Copyright (C) 2024 narfindustries
