
curl-users

FW: "Re: Outputting HTTP request to a file"

From: RSN <rsn_at_rsn.nitrex.net>
Date: Tue, 19 Apr 2005 21:08:02 +0100

I am trying to format the CURL output like the "Follow TCP stream" option in
Ethereal.

 

EXAMPLE Ethereal output:

GET /search?q=curl HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.google.com
Connection: Keep-Alive
Cookie: PREF=ID=3d9ce029960f0ca4:TB=2:CR=1:TM=1079803564:LM=1112131361:C2COFF=1:GM=1:S=RFcTkNUZLjMzpj4a

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: GWS/2.1
Transfer-Encoding: chunked
Content-Encoding: gzip
Date: Tue, 19 Apr 2005 20:04:04 GMT

What is required in penetration testing is to capture the complete request
and reply, as above, to the same file:

1. HTTP request sent
2. HTTP reply received
3. The raw data

At the moment points 2 & 3 (-i) are covered by CURL, but having point 1
(--trace-ascii) sent to another file is not feasible when trying to match up
the results of 255 attempts.

This is an example script that "fuzzes" the input of $quantity. It cycles
through all 255 characters and captures the output.

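EXAMPLE SCRIPT:

#!/bin/sh

# Cycle through every byte value and submit it, percent-encoded, as the
# "quantity" field; append each result to shopping.txt.
quantity=0

while [ "$quantity" -le 255 ] ; do
        # Percent-encode the current byte value, e.g. 10 -> %0A
        CHAR=`printf "%%%02X" $quantity`

        # Marker for the start of this attempt (printf, because "echo -e"
        # is not portable under /bin/sh)
        printf '%s *******************************\n\n\n\n' "$CHAR" >> shopping.txt

        # -i writes the reply headers and body to stdout (into the file);
        # the request shown by -v goes to stderr and is not captured here.
        curl -v -i \
                -d 'item=Rolex+Daytona' \
                -d quantity=$CHAR \
                -d 'price=%A379.99' \
                -d 'buy=BUY' \
                --url http://192.168.0.7/cgi-bin/shopping.pl >> shopping.txt

        printf '***********************************\n\n\n' >> shopping.txt

        quantity=`expr $quantity + 1`
done

exit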

 

Please can you help?

  _____

 

On Tue, 19 Apr 2005, RSN wrote:

> Is it possible to add the HTTP Request feature to the -i option in a future
> release or is there a technical reason why this can't be added?

There's no technical reason, no, since the info is available. But I don't see
why you need a new option for this.

> This would be an invaluable feature in Web Application testing. The
> --trace-ascii option is close but not practical to have it output to a
> separate file.

Why not? You can even pass it to stdout as well if that suits you better.

I think I would get a better understanding of what you're asking for if you
could explain your use case a bit more.

-- 
 
Received on 2005-04-19
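
Added example (not part of the original thread, and not code from the curl project): the reply's point that the trace can go to stdout, applied to the loop above so that the request sent, the reply headers and the raw data of each attempt land in one file in order. The names CURL, pct, fuzz_one and fuzz_all are assumptions of this sketch, and the target URL is passed as an argument.

```shell
#!/bin/sh
# Log request and reply of every attempt to ONE file by sending curl's
# trace to stdout ("--trace-ascii -").
# CURL, pct, fuzz_one and fuzz_all are names assumed for this sketch.

CURL=${CURL:-curl}

# pct N -> percent-encoded byte value, e.g. 10 -> %0A
pct() { printf '%%%02X' "$1"; }

# fuzz_one URL N LOGFILE: one request; everything is appended to LOGFILE
fuzz_one() {
    url=$1 char=$(pct "$2") log=$3
    {
        printf '===== quantity=%s =====\n' "$char"
        # --trace-ascii - : sent headers, sent data, received headers and
        #                   received data are written to stdout, in order
        # -o /dev/null    : the body is already in the trace, drop the copy
        # -s              : no progress meter in the log
        $CURL -s --trace-ascii - -o /dev/null \
            -d 'item=Rolex+Daytona' \
            -d "quantity=$char" \
            -d 'price=%A379.99' \
            -d 'buy=BUY' \
            --url "$url" || printf '[curl exit status %s]\n' "$?"
        printf '===== end %s =====\n\n' "$char"
    } >> "$log" 2>&1
}

# fuzz_all URL LOGFILE: every byte value 0..255, one delimited record each
fuzz_all() {
    n=0
    while [ "$n" -le 255 ]; do
        fuzz_one "$1" "$n" "$2"
        n=$((n + 1))
    done
}

# Usage: sh fuzzlog.sh http://192.168.0.7/cgi-bin/shopping.pl shopping.txt
if [ "$#" -ge 1 ]; then fuzz_all "$1" "${2:-shopping.txt}"; fi
```

Each record is delimited by the "=====" lines, so a failed transfer still leaves a labelled entry with curl's exit status, which keeps the attempts matched to their payloads.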