Archibald is my attempt at learning Rust and writing an HTTP 1.1 web server.

Last update: May 21, 2022

Archibald

To be a butler, is to be able to maintain an even-temper, at all times. One must have exceptional personal hygiene and look sharp and professional, always. Even when under stress or scrutiny, a butler must remain calm and lead their team through the difficulties.

Architecture

We shall be adopting the KISS approach to building things. I mean how hard is parsing modern web languages and content?

Threat Modeling

I'm sure no-one will dare to attack this, but just in case, we shall be performing a threat modeling exercise so we understand the threats and code appropriate countermeasures.

How Does HTTP Actually Work?

For those who aren't aware, Hypertext Transfer Protocol (HTTP) is a layer 7 (application) protocol. The whole thing works by requests and responses: a client sends a request, which is accepted by a server, and the server provides the answer as a response. HTTP is stateless and this makes it more fun in a way.

It all looks like this:

[email protected] ~/Code/Archibald -> main -> nc -vv nsa.gov 80
Notice: Real hostname for nsa.gov [23.63.141.16] is a23-63-141-16.deploy.static.akamaitechnologies.com
nsa.gov [23.63.141.16] 80 (http) open
GET / HTTP/1.1

That's connecting to the server, on port 80 and asking for the index. It responds:

HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 209
Expires: Tue, 03 May 2022 13:36:08 GMT
Date: Tue, 03 May 2022 13:36:08 GMT
Connection: close


Invalid URL

Invalid URL

The requested URL "[no URL]", is invalid.

Reference #9.1ef01602.1651584968.16093878 Total received bytes: 419 Total sent bytes: 16

Understanding HTTP Messages

There are two types of HTTP messages, requests and responses, each with its own format.

Requests

GET (Method) / (Path) HTTP/1.1 (Protocol Version)

Responses

HTTP/1.0 (Protocol Version) 400 (Status Code) Bad Request (Status Message)

We need to model the data and understand how best to handle said data. Using the above requests and responses, the data we should expect from a client is:

GET /user/ID/7 HTTP/1.1\r\n
Host: nsa.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate

In order to accept and process the request (here, a GET), we need to store it in a struct of sorts. Using the method, path, protocol, status code and status message described above, the struct should let us handle the request properly and in a secure way.

This might look like:

struct Request {
    // We need to store the request body
    method: String,
    query: String,
    path: String,
    body: String,
    statuscode: u16,
    statusmessage: String,
}

The above looks good but could actually introduce a bug: because method is a plain String, the HTTP method field could be abused to carry payloads other than POST, GET, PUT, PATCH, OPTIONS and DELETE. This needs to be taken into account when designing this struct.

Digging into Rust's capabilities, it looks like we can solve this by using an enum.

enum Allowedmethods {
    GET,
    POST,
    PUT,
    DELETE,
    HEAD,
    OPTIONS,
    PATCH,
    TRACE,
    CONNECT,
}

The pentesters reading this will probably be screaming at me for including OPTIONS and TRACE, but hey you need report fodder right?

But what happens when someone decides to break the rules and not supply any query string? What sick bastard would do that, right?

Normally you would use NULL, but Rust doesn't have that. It does have an enum called Option, which can encode the concept of a value being present or absent. Without this, it would probably lead to a null-pointer dereference vulnerability of sorts.
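The two ideas above put together, as an added example that is not Archibald's own code: the request line is parsed into the Allowedmethods enum so any other method token is rejected, and the query string is an Option that is None when the client sends none. ParseError, RequestLine, from_token and parse_request_line are hypothetical names, and only origin-form targets (starting with "/") are accepted.

```rust
// Added example: every name except Allowedmethods and its variants is hypothetical.
#[derive(Debug, PartialEq)]
enum Allowedmethods { GET, POST, PUT, DELETE, HEAD, OPTIONS, PATCH, TRACE, CONNECT }
#[derive(Debug, PartialEq)]
enum ParseError { Malformed, UnknownMethod, BadTarget, UnsupportedVersion }

impl Allowedmethods {
    // Exact, case-sensitive match; any token outside the list is rejected.
    fn from_token(s: &str) -> Result<Self, ParseError> {
        use self::Allowedmethods::*;
        Ok(match s {
            "GET" => GET, "POST" => POST, "PUT" => PUT,
            "DELETE" => DELETE, "HEAD" => HEAD, "OPTIONS" => OPTIONS,
            "PATCH" => PATCH, "TRACE" => TRACE, "CONNECT" => CONNECT,
            _ => return Err(ParseError::UnknownMethod),
        })
    }
}

#[derive(Debug, PartialEq)]
struct RequestLine<'a> {
    method: Allowedmethods,
    path: &'a str,
    query: Option<&'a str>, // None when the client sent no query string
}

fn parse_request_line(line: &str) -> Result<RequestLine<'_>, ParseError> {
    // The request line must end in CRLF and hold exactly three space-separated parts.
    let line = line.strip_suffix("\r\n").ok_or(ParseError::Malformed)?;
    let mut parts = line.split(' ');
    let (m, target, version) = match (parts.next(), parts.next(), parts.next(), parts.next()) {
        (Some(m), Some(t), Some(v), None) => (m, t, v),
        _ => return Err(ParseError::Malformed),
    };
    let method = Allowedmethods::from_token(m)?;
    if version != "HTTP/1.1" { return Err(ParseError::UnsupportedVersion); }
    if !target.starts_with('/') { return Err(ParseError::BadTarget); }
    // Split on the first '?'; a missing query is an explicit None, not a null.
    let (path, query) = match target.split_once('?') {
        Some((p, q)) => (p, Some(q)),
        None => (target, None),
    };
    Ok(RequestLine { method, path, query })
}

fn main() {
    // Constructed sample request lines.
    for l in &["GET /user/ID/7 HTTP/1.1\r\n", "GET /search?q=butler HTTP/1.1\r\n", "PWN / HTTP/1.1\r\n"] {
        println!("{:?}", parse_request_line(l));
    }
}
```

Because query is an Option, the compiler forces every caller to handle the None case before touching the value.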

Disclaimer

This will not be production ready, it might eat your children and cause you to like Lotus Notes. I'm not professing to be an expert in Rust, so treat this as pretty dodgy.

GitHub

https://github.com/danielcuthbert/archibald