From b9d33c0618093b58603814c1499178d8feb81cda Mon Sep 17 00:00:00 2001
From: "windhamwong@nva-hk.com"
Date: Tue, 4 Jul 2017 14:30:34 +0100
Subject: [PATCH] HTTP Gzip Decrypt working
---
 package.json | 1 +
 src/core/Utils.js | 20 ++++++++++++++++++++
 src/core/config/Categories.js | 1 +
 src/core/config/OperationConfig.js | 7 +++++++
 src/core/operations/Compress.js | 21 +++++++++++++++++++++
 5 files changed, 50 insertions(+)
diff --git a/package.json b/package.json
index 45e2dd79..006d6165 100644
--- a/package.json
+++ b/package.json
@@ -80,6 +80,7 @@
 "lodash": "^4.17.4",
 "moment": "^2.17.1",
 "moment-timezone": "^0.5.11",
+ "pako": "^1.0.5",
 "sladex-blowfish": "^0.8.1",
 "sortablejs": "^1.5.1",
 "split.js": "^1.2.0",
diff --git a/src/core/Utils.js b/src/core/Utils.js
index 9b0d2a30..6e615efb 100755
--- a/src/core/Utils.js
+++ b/src/core/Utils.js
@@ -344,6 +344,26 @@ const Utils = {
 },
+ /**
+ * Translates an array of bytes to a hex string.
+ *
+ * @param {byteArray} byteArray
+ * @returns {string}
+ *
+ * @example
+ * // returns "fe09a7"
+ * Utils.byteArrayToHex([0xfe, 0x09, 0xa7]);
+ */
+ byteArrayToHexNoSpace: function(byteArray) {
+ if (!byteArray) return "";
+ let hexStr = "";
+ for (let i = 0; i < byteArray.length; i++) {
+ hexStr += Utils.hex(byteArray[i]);
+ }
+ return hexStr.slice(0, hexStr.length-1);
+ },
+
+
 /**
 * Converts a string to a byte array.
 * Treats the string as UTF-8 if any values are over 255.
diff --git a/src/core/config/Categories.js b/src/core/config/Categories.js
index e31bbc60..a99e39f2 100755
--- a/src/core/config/Categories.js
+++ b/src/core/config/Categories.js
@@ -131,6 +131,7 @@ const Categories = [
 ops: [
 "HTTP request",
 "Strip HTTP headers",
+ "HTTP gzip decrypt",
 "Parse User Agent",
 "Parse IP range",
 "Parse IPv6 address",
diff --git a/src/core/config/OperationConfig.js b/src/core/config/OperationConfig.js
index b378854c..d1b5d835 100755
--- a/src/core/config/OperationConfig.js
+++ b/src/core/config/OperationConfig.js
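Review bot: In `byteArrayToHexNoSpace` (src/core/Utils.js), `return hexStr.slice(0, hexStr.length-1);` removes the last hex digit of the result. The loop appends no delimiter, so there is nothing to trim and the final byte loses a nibble; the line should be `return hexStr;`. The `@example` in the new JSDoc also names `Utils.byteArrayToHex` rather than `Utils.byteArrayToHexNoSpace`. This assumes `Utils.hex` emits two digits per byte, which is not visible in the hunk.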
@@ -1676,6 +1676,13 @@ const OperationConfig = {
 outputType: "string",
 args: []
 },
+ "HTTP gzip decrypt": {
+ description: "Decrypts Gzip payload from a request or response and returning plaintext of the header and decrypted payload.",
+ run: Compress.runHttpGzip,
+ inputType: "byteArray",
+ outputType: "byteArray",
+ args: []
+ },
 "Parse User Agent": {
 description: "Attempts to identify and categorise information contained in a user-agent string.",
 run: HTTP.runParseUserAgent,
diff --git a/src/core/operations/Compress.js b/src/core/operations/Compress.js
index 020d40cf..22414247 100755
--- a/src/core/operations/Compress.js
+++ b/src/core/operations/Compress.js
@@ -5,6 +5,7 @@ import zlibAndGzip from "zlibjs/bin/zlib_and_gzip.min";
 import zip from "zlibjs/bin/zip.min";
 import unzip from "zlibjs/bin/unzip.min";
 import bzip2 from "exports-loader?bzip2!../lib/bzip2.js";
+import pako from "pako/index.js";
 const Zlib = {
 RawDeflate: rawdeflate.Zlib.RawDeflate,
@@ -254,6 +255,26 @@ const Compress = {
 },
+ /**
+ * HTTP Gzip operation.
+ *
+ * @param {byteArray} input
+ * @param {Object[]} args
+ * @returns {byteArray}
+ */
+ runHttpGzip: function(input, args) {
+ input = Utils.byteArrayToHexNoSpace(input);
+
+ let regexStr = /1f8b080[0-8][0-9a-f]{12}/;
+ let gzipPos = input.search(regexStr);
+ let plainData = input.substr(0, gzipPos);
+ let gzipData = input.substr(gzipPos);
+
+ gzipData = Utils.hexToByteArray(gzipData);
+ return Utils.hexToByteArray(plainData).concat(Array.prototype.slice.call(pako.ungzip(gzipData)));
+ },
+
+
 /**
 * @constant
 * @default
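Review bot: The operation name and description in this OperationConfig entry call the step decryption, but gzip is a compression format with no key and no confidentiality property, so `"HTTP gzip decrypt"` will mislead an analyst reading a recipe. Consider `"HTTP gzip decompress"` (with the matching entry in Categories.js) and a description such as `"Decompresses the gzip body of an HTTP request or response and returns the plaintext headers followed by the decompressed payload."`. The `OperationConfig` object starts and ends outside the hunk.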
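Review bot: `runHttpGzip` (src/core/operations/Compress.js) does not handle `input.search(regexStr)` returning -1: when no gzip header is present, `substr(0, -1)` and `substr(-1)` feed a stray hex digit to `pako.ungzip` instead of failing cleanly or passing the input through. The search also runs over a hex string, so a match can start on an odd offset and split a byte between `plainData` and `gzipData`. Scanning the byte array directly avoids both problems and the hex round trip, as sketched below with the same header constraints as the regex. Since the input is typically captured traffic, it is also worth capping the size of the decompressed output, because `pako.ungzip` inflates the whole member in one call. The function lies entirely inside the hunk.

```javascript
runHttpGzip: function(input, args) {
    // Find the gzip member on byte boundaries: magic 1f 8b, CM 08,
    // FLG 00-08, and room for the full 10-byte fixed header.
    let gzipPos = -1;
    for (let i = 0; i + 10 <= input.length; i++) {
        if (input[i] === 0x1f && input[i + 1] === 0x8b &&
            input[i + 2] === 0x08 && input[i + 3] <= 0x08) {
            gzipPos = i;
            break;
        }
    }
    // No gzip member found: return the input unchanged.
    if (gzipPos < 0) return input;

    const plainData = input.slice(0, gzipPos);
    const inflated = pako.ungzip(input.slice(gzipPos));
    return plainData.concat(Array.prototype.slice.call(inflated));
},
```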