Metasploit/EvasionOptions/HTTP::chunked

Chunked encoding is defined in the HTTP specification. Chunked encoding modifies the body of an HTTP message in order to transfer it as a series of pieces or "chunks" of various sizes. The size of each chunk is defined by its own size indicator. A chunked HTTP message is followed by an OPTIONAL trailer containing entity-header fields. Metasploit has the option of turning on chunked HTTP encoding for filter evasion. Most modern filters will, of course, sew the chunks back up into complete messages. This still serves a useful purpose of ensuring that filters are working as they should and that they are not vulnerable to any of the DOS bugs that have been found in filter handling of chunked HTTP.

Example of regular HTTP message: HTTP/1.1 200 OK Date: Fri, 31 Dec 1999 23:59:59 GMT Content-Type: text/plain Content-Length: 42 some-footer: some-value another-footer: another-value

This is a long string of suspect content that a filter or string search might flag


Example of a chunked HTTP message:

   HTTP/1.1 200 OK
   Date: Fri, 31 Dec 1999 23:59:59 GMT
   Content-Type: text/plain
   Transfer-Encoding: chunked
   
   1a; ignore-stuff-here
   This is a long string
   10
   of suspect content that a fi 
   10
   lter or string search might
   10
   flag
   0
   some-footer: some-value
   another-footer: another-value
   [blank line here]