From ece8e7bcbbd1b40a7fe2b355dc499a1447008231 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hanno=20B=C3=B6ck?= <990588+hannob@users.noreply.github.com>
Date: Sat, 27 Jul 2024 09:20:02 +0200
Subject: [PATCH] add POST check for debugging console from laravel, symfony, and rails
---
 TESTS.md | 8 ++++++++
 snallygaster | 18 ++++++++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/TESTS.md b/TESTS.md
index d13b1e3..fa17e43 100644
--- a/TESTS.md
+++ b/TESTS.md
@@ -418,6 +418,14 @@ about possibly installed software on a developer machine or file names. Impact i
 usually low, but it is very common.
+postdebug
+---------
+
+Some web frameworks show a debugging console when they receive an unexpected HTTP
+method. This can often be triggered by sending a POST request to the main page. This
+test looks for such debugging consoles from Laravel, Symfony, and Rails.
+
+
 axfr
 ----
diff --git a/snallygaster b/snallygaster
index 4821e7b..7d4bd4d 100755
--- a/snallygaster
+++ b/snallygaster
@@ -785,6 +785,24 @@ def test_desktopini(url):
 pout("desktopini", url + "/Desktop.ini")
+@DEFAULT
+def test_postdebug(url):
+ try:
+ r = pool.request("POST", url, retries=False, redirect=False)
+ data = r.data.decode("ascii", errors="ignore")
+ if (
+ "The POST method is not supported for" in data
+ and "Symfony\\Component\\HttpKernel\\Exception" in data
+ ):
+ pout("postdebug_laravel", url + " POST")
+ elif "Symfony Exception" in data and '
Action Controller: Exception caught" in data:
+ pout("postdebug_rails", url + " POST")
+ except (urllib3.exceptions.HTTPError, UnicodeError, ConnectionRefusedError):
+ pass
+
+
 @DEFAULT
 @HOSTNAME
 def test_axfr(qhost):
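Review bot: The three fingerprint branches in test_postdebug match on body text alone and never look at the response status, so a page that merely quotes one of these strings (a blog post about Laravel error pages, say) is reported as a live debugging console; gating the string checks on an error status, e.g. `if r.status < 400: return` right after the decode, would cut that down, though the exact codes each framework returns for a disallowed POST should be confirmed against real responses before hard-coding them. The `UnicodeError` in the except tuple is unreachable, because the only decode in the function uses `errors="ignore"`, so it can be dropped from the tuple. The new function also has no docstring; add `"""Probe for framework debugging consoles (Laravel, Symfony, Rails) shown on an unexpected POST."""` under the def line, matching the TESTS.md entry. Note that this copy of the patch loses the end of the Symfony branch and the start of the Rails `elif` (between the trailing `'` and `Action Controller`), so those lines could not be reviewed.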