RFC: Improved HTTP API #14486
Replies: 3 comments 2 replies
-
Similar requests/issues:
|
Beta Was this translation helpful? Give feedback.
-
I know we haven't mentioned websockets, but if that's something we want to pursue I have a partial implementation using Rex. It might be useful as a starting point if we want websocket support as well. https://github.com/zeroSteiner/metasploit-framework/blob/feat/mod/jupyter-exec/lib/rex/proto/http/websocket.rb |
Beta Was this translation helpful? Give feedback.
-
This RFC didn't take into consideration the work of adding HTTP/3 support: I don't think the implementation is officially finalised just yet. But firefox supports it now for instance: https://hacks.mozilla.org/2021/04/quic-and-http-3-support-now-in-firefox-nightly-and-beta/ And from the wiki page:
From a quick glance it doesn't seem like there's too many popular webservers that support it just yet either |
Beta Was this translation helpful? Give feedback.
-
Problem
Web applications are becoming increasingly complex over time, and the need for more powerful HTTP support is required.
The current Metasploit Framework HTTP Client is particularly low-level particularly in contrast to modern HTTP libraries such as Python's requests, or Ruby's Faraday or Mechanize. This leads to dealing with a high level of complexity for 'simple' tasks such as session tracking, attempting to upload files with
Rex::MIME::Message
, or using brittle regex to extract information from HTTP response bodies.Solution
The Metasploit HTTP Client would be improved to provide first class support for 'modern' workflows:
client.post(...)
,client.get(...)
Simplified API for uploading filesImproved cookies/session tracking and supportif res && res.body
boilerplate in module code, ensure consistency across modules - both at the code level, as well as for end users may otherwise run intoundefined method body for nil:NilClass
exceptionsWebsocket supportSome of the above functionality would be implemented via the middleware pattern, which would additionally allow for future extensibility.
Further Considerations
The above solution may improve HTTP support initially, but still lacks the required functionality for interacting with complex web applications written in newer web frameworks such as Angular/React/etc.
These improvements to the HTTP client might also might also influence improvements to the FTP client functionality.
Beta Was this translation helpful? Give feedback.
All reactions