acidvegas/badtests
1
Fork 0
Code Issues Pull Requests Releases Activity
6 Commits 1 Branch 0 Tags
main
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
acidvegas b6b5e1c17c fixed ip parsing and logs page
2026-02-14 01:46:47 -05:00
badtests.py
fixed ip parsing and logs page
2026-02-14 01:46:47 -05:00
LICENSE
Initial commit
2026-02-14 00:27:10 -05:00
README.md
added browser hell test
2026-02-14 00:02:02 -05:00
results_curl.txt
Initial commit
2026-02-13 23:50:20 -05:00
results_python.txt
Initial commit
2026-02-13 23:50:20 -05:00
RESULTS.md
Initial commit
2026-02-14 00:27:48 -05:00
test.py
Initial commit
2026-02-13 23:50:20 -05:00
test.sh
Initial commit
2026-02-13 23:50:20 -05:00

README.md

badtests

A malicious HTTP response server for testing how different clients handle broken, malformed, and abusive HTTP responses. The goal is to compare how curl, Python HTTP libraries (urllib, http.client, requests, aiohttp), and web browsers react to protocol violations, edge cases, and deliberately hostile payloads.

What it does

badtests.py is a single-file HTTP server with 81 test endpoints. Each one returns a deliberately broken or abusive response targeting a specific aspect of HTTP handling. Categories include:

  • Content-Length violations (words, negatives, floats, NaN, mismatches)
  • Content-Type abuse (garbage, null bytes, emoji MIME types, CRLF injection)
  • Invalid status codes (negative, zero, five-digit, non-numeric)
  • Header abuse (64KB names, 1MB values, 1000 headers, duplicate Content-Length, null bytes)
  • Body abuse (infinite streams, missing bodies, binary as text/html)
  • Transfer-Encoding smuggling (CL+TE conflicts, invalid chunk sizes)
  • Protocol violations (raw garbage, empty responses, unknown HTTP versions)
  • Encoding mismatches (UTF-16 body with UTF-8 header, fake gzip)
  • Redirect abuse (self-loops, garbage URLs, infinite unique chains)
  • Timing attacks (slowloris headers, slow-drip bodies)
  • HTML edge cases (UTF-16LE pages, 1000-char titles, meta refresh loops)
  • Terminal abuse (ANSI escape code injection)
  • JavaScript browser attacks (alert loops, fork bombs, GPU killers, audio hell, tab bombs, clipboard hijack, cookie bombs, download spam, popup storms, ServiceWorker hijack)
  • Image/file abuse (bait-and-switch, SVG XSS, GIF/JS polyglots)
  • Network abuse (gzip bombs, SSE floods, MIME sniffing, cache poisoning, HSTS bombs)

The server also includes a /logs page that records every request with full headers, and a /fingerprint page for browser fingerprinting.

Running it

Start the server:

python3 badtests.py

It listens on port 60666. Open http://localhost:60666/ in a browser to see the full index of tests, or hit endpoints directly with curl.

Testing

test.sh runs every endpoint through curl and captures the output:

./test.sh localhost:60666

test.py runs every endpoint through urllib, http.client, requests, and aiohttp:

python3 test.py

Both scripts have timeouts and output caps to prevent hanging on infinite streams.

Results

Files

File Description
badtests.py The server. Single file, no dependencies beyond Python 3 stdlib.
test.sh Bash script to test all endpoints with curl.
test.py Python script to test all endpoints with urllib, http.client, requests, aiohttp.
RESULTS.md Detailed results and analysis of client behavior differences.
results_curl.txt Raw curl output from test.sh.
results_python.txt Raw output from test.py.
Reference in New Issue View Git Blame Copy Permalink
Description
Bad tests for curl, programming languages, & web browser behavior & reaction for various anomalies.
https://badtests.supernets.org
Readme ISC 159 KiB
Languages
Python 92.1%
Shell 7.9%