HTTP Traceroute

• Home
• Projects
• Networking
• HTTP Traceroute

This project started life as an idea for an add-on to @christruncer's excelent EyeWitness. The idea is simple, take a URL that redirects and follow those redirects till you get to the final destination. At each stage show all headers, collect cookies, spot any redirects which have long bodies and comment on any invalid certificates seen. There is the option to save all cookies served and then replay them on a second run through.

The project is probably overkill for what is needed but ended up being a good way for me to practice using the net/http gem. The cookie support is through a gem called CookieJar however it has a number of bugs for which I've submitted fixes but, as of writing, my pull requests have not been accepted. Because of this, I've included my fork of the project as a library, if the pull requests are ever accepted then I'll remove it and tidy things up. Cookies are saved in a JSON file so can be viewed, and modified if required, then replayed for future runs. This can be useful if a site sets a cookie on the first visit then changes paths if it sees that cookie. There is also proxy support to allow bouncing through tools like Burp Suite.

If a HTTPS site is accessed the certificate is checked and a warning is given if it is invalid. A warning will also be given if the page doing the redirect is over a given size, by default this is set at 500 bytes but can be adjusted if required. This is useful to find where bodies are accidentally served along with the redirect headers.

By default the script will only run for a maximum of 10 redirects and will then give up, this is designed to prevent problems with redirect loops. Again this value can be increased if required.

Sample Output

Here is some sample output bouncing around one of my test domains.

./http_traceroute.rb http://cewl.dev/red.php -c demo.json

http_traceroute 0.1 Robin Wood (robin@digi.ninja) (http://digi.ninja)

************************************************************
Starting at: http://cewl.dev/red.php
************************************************************
Requesting: http://cewl.dev/red.php
Response code: 302

=======
Headers
=======
date: Sun, 02 Nov 2014 20:11:42 GMT
server: Apache
set-cookie: rewriteme=First+Value
set-cookie: leaveme=Alone
location: red2.php
content-length: 0
connection: close
content-type: text/html; charset=UTF-8

=======
Cookies
=======
rewriteme ; First+Value ; cewl.dev ; / ;  ;  ; Session
leaveme ; Alone ; cewl.dev ; / ;  ;  ; Session

===========
Redirecting
===========
Location: red2.php
Redirecting to: http://cewl.dev/red2.php

************************************************************
Requesting: http://cewl.dev/red2.php
Sending cookies: rewriteme=First+Value ; leaveme=Alone
Response code: 301

=======
Headers
=======
date: Sun, 02 Nov 2014 20:11:42 GMT
server: Apache
set-cookie: findme=cookie+value
set-cookie: rewriteme=Second+Value
set-cookie: secure=I+am+secure; secure
set-cookie: httponly=I+am+httponly; httponly
set-cookie: notsession=I+am+not+a+session; expires=Tue, 02-Dec-2014 20:11:42 GMT; Max-Age=2592000; httponly
location: /red3.php
content-length: 35
connection: close
content-type: text/html; charset=UTF-8

=======
Cookies
=======
findme ; cookie+value ; cewl.dev ; / ;  ;  ; Session
rewriteme ; Second+Value ; cewl.dev ; / ;  ;  ; Session
secure ; I+am+secure ; cewl.dev ; / ; Secure ;  ; Session
httponly ; I+am+httponly ; cewl.dev ; / ;  ; httpOnly ; Session
notsession ; I+am+not+a+session ; cewl.dev ; / ;  ; httpOnly ; 2014-12-02 20:11:42 +0000

===========
Redirecting
===========
Location: /red3.php
Redirecting to: http://cewl.dev/red3.php

************************************************************
Requesting: http://cewl.dev/red3.php
Sending cookies: rewriteme=Second+Value ; leaveme=Alone ; findme=cookie+value ; httponly=I+am+httponly ; notsession=I+am+not+a+session
Response code: 302

=======
Headers
=======
date: Sun, 02 Nov 2014 20:11:42 GMT
server: Apache
location: http://digi.ninja
content-length: 1303
connection: close
content-type: text/html; charset=UTF-8

=======
Cookies
=======

===========
Redirecting
===========
*** Large body on redirect - length: 1303 ***
Location: http://digi.ninja
Redirecting to: http://digi.ninja

************************************************************
Requesting: http://digi.ninja
Response code: 200

=======
Headers
=======
date: Sun, 02 Nov 2014 20:10:35 GMT
server: Apache
vary: Accept-Encoding
content-length: 2545
connection: close
content-type: text/html

=======
Cookies
=======

===============
End of the line
===============

==========================
Cookies saved to demo.json
==========================

The cookies from this run were saved to a file, here is the JSON.

{
	"json_class":"CookieJar::Jar","cookies":"[
		{\"name\":\"rewriteme\",\"value\":\"Second+Value\",\"domain\":\"cewl.dev\",\"path\":\"/\",\"created_at\":\"2014-11-02 20:11:42 +0000\",\"json_class\":\"CookieJar::Cookie\"},
		{\"name\":\"leaveme\",\"value\":\"Alone\",\"domain\":\"cewl.dev\",\"path\":\"/\",\"created_at\":\"2014-11-02 20:11:42 +0000\",\"json_class\":\"CookieJar::Cookie\"},
		{\"name\":\"findme\",\"value\":\"cookie+value\",\"domain\":\"cewl.dev\",\"path\":\"/\",\"created_at\":\"2014-11-02 20:11:42 +0000\",\"json_class\":\"CookieJar::Cookie\"},
		{\"name\":\"secure\",\"value\":\"I+am+secure\",\"domain\":\"cewl.dev\",\"path\":\"/\",\"created_at\":\"2014-11-02 20:11:42 +0000\",\"secure\":true,\"json_class\":\"CookieJar::Cookie\"},
		{\"name\":\"httponly\",\"value\":\"I+am+httponly\",\"domain\":\"cewl.dev\",\"path\":\"/\",\"created_at\":\"2014-11-02 20:11:42 +0000\",\"http_only\":true,\"json_class\":\"CookieJar::Cookie\"},
		{\"name\":\"notsession\",\"value\":\"I+am+not+a+session\",\"domain\":\"cewl.dev\",\"path\":\"/\",\"created_at\":\"2014-11-02 20:11:42 +0000\",\"expiry\":2592000,\"http_only\":true,\"json_class\":\"CookieJar::Cookie\"}
	]"
}

As you can see we got a 302 followed by a 301 then another 302 and finally ended up at the destination with a 200. Six cookies are collected on the way, a mix of session and persistent and with both HTTPOnly and Secure flags. The page http://cewl.dev/red3.php has a long body which would be worth investigating.

The cookies are stored in a nice easy way to view and modify if you need to replay them or take them elsewhere.

Download

• 28 Feb 2016 - Download HTTP Traceroute 1.1
• 01 Nov 2014 - Download HTTP Traceroute 1.0

If you'd like to try a version written in Go, try this from @PaulWebSec.

Bugs/Comments

Any bugs, comments, feature requests let me know.