Cokies suite

Author: MDA2AV

docs/content/cookies/_index.md

@@ -0,0 +1,64 @@
+---
+title: Cookies
+layout: wide
+toc: false
+---
+
+## Cookie Handling
+
+These tests check how servers and frameworks handle adversarial `Cookie` headers. Cookie parsing is done at the framework level, not by application code, so malformed cookies can crash parsers or produce mangled values before your code ever runs. All cookie tests are **unscored** since cookies are governed by RFC 6265, not RFC 9110/9112.
+
+<style>h1.hx\:mt-2{display:none}.probe-hint{background:#ddf4ff;border:1px solid #54aeff;border-radius:6px;padding:10px 14px;font-size:13px;color:#0969da;font-weight:500}html.dark .probe-hint{background:#1c2333;border-color:#1f6feb;color:#58a6ff}</style>
+<div style="display:grid;grid-template-columns:repeat(3,1fr);gap:10px;margin-bottom:16px;">
+<div class="probe-hint"><strong style="font-size:14px;">Server Name</strong><br>Click to view Dockerfile and source code</div>
+<div class="probe-hint"><strong style="font-size:14px;">Table Row</strong><br>Click to expand all results for that server</div>
+<div class="probe-hint"><strong style="font-size:14px;">Result Cell</strong><br>Click to see the full HTTP request and response</div>
+</div>
+
+<div class="probe-filters">
+<div id="lang-filter"></div>
+<div id="method-filter"></div>
+<div id="rfc-level-filter"></div>
+</div>
+<div id="table-cookies"><p><em>Loading...</em></p></div>
+
+<script src="/Http11Probe/probe/data.js"></script>
+<script src="/Http11Probe/probe/render.js"></script>
+<script>
+(function () {
+  if (!window.PROBE_DATA) {
+    document.getElementById('table-cookies').innerHTML = '<p><em>No probe data available yet. Run the Probe workflow manually on <code>main</code> to generate results.</em></p>';
+    return;
+  }
+  var GROUPS = [
+    { key: 'echo', label: 'Echo-Based (Survivability)', testIds: [
+      'COOK-ECHO','COOK-OVERSIZED','COOK-EMPTY','COOK-NUL',
+      'COOK-CONTROL-CHARS','COOK-MANY-PAIRS','COOK-MALFORMED','COOK-MULTI-HEADER'
+    ]},
+    { key: 'parsed', label: 'Parsed Cookies (Framework Parser)', testIds: [
+      'COOK-PARSED-BASIC','COOK-PARSED-MULTI','COOK-PARSED-EMPTY-VAL','COOK-PARSED-SPECIAL'
+    ]}
+  ];
+
+  var ALL_IDS = [];
+  GROUPS.forEach(function (g) { g.testIds.forEach(function (tid) { ALL_IDS.push(tid); }); });
+
+  var langData = window.PROBE_DATA;
+  var methodFilter = null;
+  var rfcLevelFilter = null;
+
+  function rerender() {
+    var data = langData;
+    if (methodFilter) data = ProbeRender.filterByMethod(data, methodFilter);
+    if (rfcLevelFilter) data = ProbeRender.filterByRfcLevel(data, rfcLevelFilter);
+    var ctx = ProbeRender.buildLookups(data.servers);
+    ctx.testIds = ALL_IDS;
+    ProbeRender.renderSubTables('table-cookies', 'Cookies', ctx, GROUPS);
+  }
+  rerender();
+  var catData = ProbeRender.filterByCategory(window.PROBE_DATA, ['Cookies']);
+  ProbeRender.renderLanguageFilter('lang-filter', window.PROBE_DATA, function (d) { langData = d; rerender(); });
+  ProbeRender.renderMethodFilter('method-filter', catData, function (m) { methodFilter = m; rerender(); });
+  ProbeRender.renderRfcLevelFilter('rfc-level-filter', catData, function (l) { rfcLevelFilter = l; rerender(); });
+})();
+</script>

docs/content/docs/cookies/_index.md

@@ -0,0 +1,45 @@
+---
+title: Cookies
+description: "Cookies — Http11Probe documentation"
+weight: 13
+sidebar:
+  open: false
+---
+
+Cookie parsing is handled by framework-level parsers that run automatically on every request. Malformed `Cookie` headers can crash these parsers, cause memory issues, or produce mangled values. These tests check whether servers and frameworks survive adversarial cookie input.
+
+Cookies are defined by [RFC 6265](https://www.rfc-editor.org/rfc/rfc6265) (not RFC 9110/9112), so all tests are **unscored**.
+
+## Scoring
+
+All cookie tests are **unscored**:
+
+- **Pass** — Server handled the cookie input safely
+- **Warn** — Endpoint not available or non-ideal but non-dangerous behavior
+- **Fail** — Server crashed (500), preserved dangerous bytes, or lost data it should have parsed
+
+## Echo-Based Tests
+
+These tests target `/echo` and work on all servers. They check whether the server survives adversarial cookie headers without crashing.
+
+{{< cards >}}
+  {{< card link="echo" title="ECHO" subtitle="Basic Cookie header echoed back." >}}
+  {{< card link="oversized" title="OVERSIZED" subtitle="64KB Cookie header." >}}
+  {{< card link="empty" title="EMPTY" subtitle="Empty Cookie header value." >}}
+  {{< card link="nul" title="NUL" subtitle="NUL byte in cookie value." >}}
+  {{< card link="control-chars" title="CONTROL-CHARS" subtitle="Control characters in cookie value." >}}
+  {{< card link="many-pairs" title="MANY-PAIRS" subtitle="1000 cookie key=value pairs." >}}
+  {{< card link="malformed" title="MALFORMED" subtitle="Completely malformed cookie syntax." >}}
+  {{< card link="multi-header" title="MULTI-HEADER" subtitle="Two separate Cookie headers." >}}
+{{< /cards >}}
+
+## Parsed-Cookie Tests
+
+These tests target `/cookie` and check whether the framework's cookie parser correctly extracts key=value pairs. Servers without a `/cookie` endpoint return 404 (Warn).
+
+{{< cards >}}
+  {{< card link="parsed-basic" title="PARSED-BASIC" subtitle="Single foo=bar cookie parsed." >}}
+  {{< card link="parsed-multi" title="PARSED-MULTI" subtitle="Three cookies parsed from one header." >}}
+  {{< card link="parsed-empty-val" title="PARSED-EMPTY-VAL" subtitle="Cookie with empty value." >}}
+  {{< card link="parsed-special" title="PARSED-SPECIAL" subtitle="Spaces and = in cookie values." >}}
+{{< /cards >}}

docs/content/docs/cookies/control-chars.md

@@ -0,0 +1,45 @@
+---
+title: "CONTROL-CHARS"
+description: "COOK-CONTROL-CHARS test documentation"
+weight: 5
+---
+
+| | |
+|---|---|
+| **Test ID** | `COOK-CONTROL-CHARS` |
+| **Category** | Cookies |
+| **Scored** | No |
+| **Expected** | `400` (rejected) or `2xx` without control chars |
+
+## What it sends
+
+```http
+GET /echo HTTP/1.1\r\n
+Host: localhost:8080\r\n
+Cookie: foo=\x01\x02\x03\r\n
+\r\n
+```
+
+A `Cookie` header containing control characters SOH (`0x01`), STX (`0x02`), and ETX (`0x03`) as the cookie value.
+
+## What the RFC says
+
+> "cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E" — RFC 6265 §4.1.1
+
+Control characters (`0x00-0x1F`) are explicitly excluded from the `cookie-octet` production. They are not valid in cookie values.
+
+## Why it matters
+
+Control characters in cookie values can cause:
+- **Log injection** — if the bytes reach log files, they may corrupt formatting or inject terminal escape sequences
+- **Parser confusion** — some parsers may interpret control characters as delimiters
+- **Security filter bypass** — WAFs may not inspect or sanitize non-printable bytes
+
+## Verdicts
+
+- **Pass** — `400` (rejected) or `2xx` with control characters stripped/cookie dropped
+- **Fail** — `2xx` with control characters preserved in the response body
+
+## Sources
+
+- [RFC 6265 §4.1.1](https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1) — cookie-octet definition

docs/content/docs/cookies/echo.md

@@ -0,0 +1,42 @@
+---
+title: "ECHO"
+description: "COOK-ECHO test documentation"
+weight: 1
+---
+
+| | |
+|---|---|
+| **Test ID** | `COOK-ECHO` |
+| **Category** | Cookies |
+| **Scored** | No |
+| **Expected** | `2xx` with `Cookie:` in echo body |
+
+## What it sends
+
+```http
+GET /echo HTTP/1.1\r\n
+Host: localhost:8080\r\n
+Cookie: foo=bar\r\n
+\r\n
+```
+
+A standard request with a simple, valid `Cookie` header targeting the `/echo` endpoint.
+
+## What the RFC says
+
+> "When the user agent generates an HTTP request, the user agent MUST NOT attach more than one header field named Cookie." — RFC 6265 §5.4
+
+This test sends a single, well-formed `Cookie` header. It serves as a baseline to confirm the echo endpoint reflects cookie headers.
+
+## Why it matters
+
+This is the baseline cookie test. If the server cannot echo back a simple `Cookie: foo=bar` header, all other cookie tests are meaningless.
+
+## Verdicts
+
+- **Pass** — 2xx response with `Cookie:` visible in the echo body
+- **Fail** — No response, or 2xx without the cookie header in the body
+
+## Sources
+
+- [RFC 6265 §5.4](https://www.rfc-editor.org/rfc/rfc6265#section-5.4) — sending cookies

docs/content/docs/cookies/empty.md

@@ -0,0 +1,42 @@
+---
+title: "EMPTY"
+description: "COOK-EMPTY test documentation"
+weight: 3
+---
+
+| | |
+|---|---|
+| **Test ID** | `COOK-EMPTY` |
+| **Category** | Cookies |
+| **Scored** | No |
+| **Expected** | `2xx` or `400` |
+
+## What it sends
+
+```http
+GET /echo HTTP/1.1\r\n
+Host: localhost:8080\r\n
+Cookie: \r\n
+\r\n
+```
+
+A `Cookie` header with an empty value (nothing after the colon and space).
+
+## What the RFC says
+
+> "cookie-header = 'Cookie:' OWS cookie-string OWS" — RFC 6265 §4.2
+
+An empty cookie-string does not match `cookie-pair *( ";" SP cookie-pair )` since `cookie-pair` requires at least a name. However, servers should handle this gracefully.
+
+## Why it matters
+
+Empty `Cookie` headers can trigger null-pointer dereferences or empty-string edge cases in cookie parsers. The test verifies the server doesn't crash.
+
+## Verdicts
+
+- **Pass** — `2xx` (accepted) or `400` (rejected gracefully)
+- **Fail** — `500` or connection crash
+
+## Sources
+
+- [RFC 6265 §4.2](https://www.rfc-editor.org/rfc/rfc6265#section-4.2) — cookie header syntax

docs/content/docs/cookies/malformed.md

@@ -0,0 +1,44 @@
+---
+title: "MALFORMED"
+description: "COOK-MALFORMED test documentation"
+weight: 7
+---
+
+| | |
+|---|---|
+| **Test ID** | `COOK-MALFORMED` |
+| **Category** | Cookies |
+| **Scored** | No |
+| **Expected** | `2xx` or `400` |
+
+## What it sends
+
+```http
+GET /echo HTTP/1.1\r\n
+Host: localhost:8080\r\n
+Cookie: ===;;;\r\n
+\r\n
+```
+
+A `Cookie` header with completely invalid syntax — no valid cookie-name, only equals signs and semicolons.
+
+## What the RFC says
+
+> "cookie-pair = cookie-name '=' cookie-value" — RFC 6265 §4.1.1
+
+> "cookie-name = token" — RFC 6265 §4.1.1
+
+The value `===;;;` does not match the `cookie-pair` grammar. There is no valid `cookie-name` (an empty name before the first `=` is not a valid token).
+
+## Why it matters
+
+Framework cookie parsers must handle completely malformed cookie strings gracefully. This tests the worst-case scenario for parser resilience — the value bears no resemblance to valid cookie syntax.
+
+## Verdicts
+
+- **Pass** — `2xx` (survived) or `400` (rejected gracefully)
+- **Fail** — `500` or connection crash
+
+## Sources
+
+- [RFC 6265 §4.1.1](https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1) — cookie-pair syntax

docs/content/docs/cookies/many-pairs.md

@@ -0,0 +1,48 @@
+---
+title: "MANY-PAIRS"
+description: "COOK-MANY-PAIRS test documentation"
+weight: 6
+---
+
+| | |
+|---|---|
+| **Test ID** | `COOK-MANY-PAIRS` |
+| **Category** | Cookies |
+| **Scored** | No |
+| **Expected** | `2xx` or `400`/`431` |
+
+## What it sends
+
+```http
+GET /echo HTTP/1.1\r\n
+Host: localhost:8080\r\n
+Cookie: k0=v0; k1=v1; k2=v2; ... ; k999=v999\r\n
+\r\n
+```
+
+A `Cookie` header containing 1000 semicolon-separated key=value pairs.
+
+## What the RFC says
+
+> "At least 50 cookies per domain." — RFC 6265 §6.1
+
+The practical limit of 50 cookies per domain is a user-agent guideline. Servers have no mandated limit, but 1000 pairs in a single header tests parser performance boundaries.
+
+## Why it matters
+
+Each cookie pair must be parsed, allocated, and stored in internal data structures. 1000 pairs can trigger:
+- **O(n) or O(n^2) parsing** in naive cookie parsers
+- **Memory exhaustion** from 1000 individual allocations
+- **Hash table collisions** in cookie lookup structures
+
+A well-behaved server should either parse all 1000 pairs or reject the oversized header.
+
+## Verdicts
+
+- **Pass** — `2xx` (survived) or `400`/`431` (rejected gracefully)
+- **Fail** — `500` or connection crash
+
+## Sources
+
+- [RFC 6265 §6.1](https://www.rfc-editor.org/rfc/rfc6265#section-6.1) — cookie limits
+- [RFC 6585 §5](https://www.rfc-editor.org/rfc/rfc6585#section-5) — 431 status code

docs/content/docs/cookies/multi-header.md

@@ -0,0 +1,47 @@
+---
+title: "MULTI-HEADER"
+description: "COOK-MULTI-HEADER test documentation"
+weight: 8
+---
+
+| | |
+|---|---|
+| **Test ID** | `COOK-MULTI-HEADER` |
+| **Category** | Cookies |
+| **Scored** | No |
+| **Expected** | `2xx` with both cookies |
+
+## What it sends
+
+```http
+GET /echo HTTP/1.1\r\n
+Host: localhost:8080\r\n
+Cookie: a=1\r\n
+Cookie: b=2\r\n
+\r\n
+```
+
+Two separate `Cookie` header lines in the same request.
+
+## What the RFC says
+
+> "If the user agent does attach a Cookie header field to an HTTP request, the user agent MUST NOT attach more than one header field named Cookie." — RFC 6265 §5.4
+
+> "If a server receives multiple Cookie header field lines in a single request... the server SHOULD treat them as if they had been sent as a single cookie-string separated by semicolons." — RFC 6265 §5.3 (revised in RFC 6265bis)
+
+While clients MUST NOT send multiple Cookie headers, servers should handle them gracefully by folding them together.
+
+## Why it matters
+
+Multiple `Cookie` headers can occur in practice through proxy manipulation or misconfigured middleware. A server that crashes or drops cookies when it sees duplicates is fragile. The ideal behavior is to fold them into a single cookie-string as RFC 6265bis recommends.
+
+## Verdicts
+
+- **Pass** — `2xx` with both `a=1` and `b=2` in the echo body
+- **Warn** — Only one cookie echoed, or `400` (rejected but didn't crash)
+- **Fail** — `500` or connection crash
+
+## Sources
+
+- [RFC 6265 §5.4](https://www.rfc-editor.org/rfc/rfc6265#section-5.4) — sending cookies
+- [RFC 6265 §5.3](https://www.rfc-editor.org/rfc/rfc6265#section-5.3) — cookie processing