Full power of pathoc


#1

After reading http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html, I wanted to do:
$ pathoc google.com get:@tester.com

But I get the error below. It seems we cannot start a path with the ‘@’ symbol. Or am I doing something wrong? Pathoc seems like a really powerful feature for testing HTTP protocol/servers, but this does not seem to work.


(venv) mitmproxy manish $ pathoc google.com get:@tester.com
Error parsing request spec: Expected {{‘wf’ Suppress:([":"]) [{Suppress:([":"]) {{Suppress:(“c”) {‘binary’ | ‘text’ | ‘ping’ | ‘continue’ | ‘close’ | ‘pong’ | integer}} | {Suppress:(“l”) integer} | {["-"] Suppress:(“fin”)} | {["-"] Suppress:(“rsv1”)} | {["-"] Suppress:(“rsv2”)} | {["-"] Suppress:(“rsv3”)} | {["-"] Suppress:(“mask”)} | {Suppress:(“p”) {integer | “r” | “a”} Suppress:(",") {integer | “f”}} | {Suppress:(“d”) {integer | “r” | “a”}} | {Suppress:(“i”) {integer | “r” | “a”} Suppress:(",") {{{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '}}} | ‘knone’ | {Suppress:(“k”) {{{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}}} | 
{Suppress:(“x”) integer} | {Suppress:(“b”) {{{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}}} | {Suppress:(“r”) {{{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {quoted string, starting with " 
ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}}} | {Suppress:(“f”) {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '}}}}]…} ^ {{{‘ws’ [{Suppress:([":"]) {‘GET’ | ‘HEAD’ | ‘POST’ | ‘PUT’ | ‘DELETE’ | ‘OPTIONS’ | ‘TRACE’ | ‘CONNECT’ | {{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '}}}]} | {‘GET’ | ‘HEAD’ | ‘POST’ | ‘PUT’ | ‘DELETE’ | ‘OPTIONS’ | ‘TRACE’ | ‘CONNECT’ | {{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '}}} Suppress:([":"]) {{{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") 
{quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} [{Suppress:([":"]) {{Suppress:(“h”) {{{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '}} Suppress:("=") {{{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '}}} | {Suppress:(“c”) {{{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting 
with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}}} | {Suppress:(“u”) {‘a’ | ‘l’ | ‘b’ | ‘c’ | ‘f’ | ‘g’ | ‘i’ | ‘p’ | ‘h’ | ‘s’ | {{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '}}} | ‘r’ | {Suppress:(“s”) {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '}} | {Suppress:(“b”) {{{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}}} | {Suppress:(“x”) integer} | 
{Suppress:(“p”) {integer | “r” | “a”} Suppress:(",") {integer | “f”}} | {Suppress:(“d”) {integer | “r” | “a”}} | {Suppress:(“i”) {integer | “r” | “a”} Suppress:(",") {{{Suppress:("@") integer} [{“k” | “b” | “m” | “t” | “g”}] [{Suppress:(",") {“digits” | “ascii_lowercase” | “whitespace” | “ascii_letters” | “punctuation” | “bytes” | “hexdigits” | “ascii_uppercase” | “ascii” | “octdigits”}}]} | {Suppress:("<") {quoted string, starting with " ending with " | quoted string, starting with ’ ending with ’ | W:(0123…)}} | {quoted string, starting with " ending with " | quoted string, starting with ’ ending with '}}}}}]…}}
get:@tester.com
^


#2

I realized it is due to the ‘@100’ type of feature. Maybe we should add a flag to disable the interpretation of ‘@’ or similar symbols. While at it, we could perhaps support any text in place of the GET method.

EDIT: created a feature request: https://github.com/mitmproxy/mitmproxy/issues/2497