BugBlocker/lotus

Support for Unstructured HTTP Headers in Lotus Project

knassar702 opened this issue · 1 comment

There is a need for the Lotus project to handle unstructured HTTP headers, specifically for cases like Host header injection. One way to bypass this vulnerability is to include two Host headers in the request. For example:

Host: target.com
Host: attacker.com

In some tools like Burp Suite, it is unclear whether they allow this behavior, but in the Requester tab it is possible to achieve this. However, in ZAP Proxy, changing the Host header is currently not supported. During a conversation with Simon (ZAPROXY lead team, @psiinon), he mentioned that they are working on a new network layer to address this limitation, which is a positive step. It would be beneficial for the Lotus project to also incorporate a similar feature.

Unfortunately, the current HTTP library used by Lotus cannot handle these types of unstructured requests. Therefore, I will create an issue on the GitHub repository of the library. If the development team is unable to implement this functionality, we might consider forking the library and adding the necessary features ourselves.

I've forked the reqwest crate to disable the newline headers protection.

-- url: the target URL, set earlier in the script
local headers = {}
-- value with embedded bare LFs; stock reqwest rejects this, the fork lets it through
headers["TEST"] = "hello\n\nHAHA"
http:send{url = url, headers = headers}
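To make concrete what the two requests above look like on the wire, and why a stock HTTP client refuses the second one, here is an added, self-contained Rust example. It is not Lotus or reqwest code: `build_raw_request` is a constructed serialiser that does no validation (the effect of disabling the newline protection), `is_valid_header_value` restates the RFC 7230 field-value rule that compliant clients enforce, and `split_head_body`/`header_values` are a toy, deliberately lenient server-side parse written for this illustration. All sample requests are constructed inline.

```rust
// Added example, not Lotus or reqwest code. Shows (1) duplicate Host headers
// reaching a server in wire order and (2) why a bare LF inside a header value
// is refused by compliant clients: it terminates the header block.

/// RFC 7230 field-value rule as applied by compliant client libraries before
/// sending: visible ASCII, SP and HTAB only; CR, LF, NUL and DEL are rejected.
/// Restated here for illustration; this is not the http/reqwest source.
pub fn is_valid_header_value(value: &str) -> bool {
    value.bytes().all(|b| b == b'\t' || (b >= 0x20 && b != 0x7f))
}

/// Serialises a request with NO validation, which is what a fork that removes
/// the newline check effectively does: duplicate names and control bytes are
/// emitted exactly as given by the caller.
pub fn build_raw_request(method: &str, path: &str, headers: &[(&str, &str)], body: &str) -> Vec<u8> {
    let mut out = format!("{} {} HTTP/1.1\r\n", method, path).into_bytes();
    for (name, value) in headers {
        out.extend_from_slice(format!("{}: {}\r\n", name, value).as_bytes());
    }
    out.extend_from_slice(b"\r\n");
    out.extend_from_slice(body.as_bytes());
    out
}

/// Toy server-side view (constructed for this example): the header block ends
/// at the first empty line. This parser accepts a bare LF as a line terminator,
/// as many real servers do, which is what makes LF injection meaningful.
pub fn split_head_body(raw: &[u8]) -> (String, String) {
    let text = String::from_utf8_lossy(raw).into_owned();
    let crlf = text.find("\r\n\r\n").map(|i| (i, 4usize));
    let lf = text.find("\n\n").map(|i| (i, 2usize));
    let sep = match (crlf, lf) {
        (Some(a), Some(b)) => Some(if a.0 <= b.0 { a } else { b }),
        (a, b) => a.or(b),
    };
    match sep {
        Some((i, len)) => (text[..i].to_string(), text[i + len..].to_string()),
        None => (text, String::new()),
    }
}

/// All values of `name` in the header block, in wire order and matched
/// case-insensitively. A server that honours the first occurrence and one that
/// honours the last see different Host values for the duplicate-Host request.
pub fn header_values(head: &str, name: &str) -> Vec<String> {
    head.lines()
        .skip(1) // request line
        .filter_map(|line| {
            let (n, v) = line.split_once(':')?;
            n.trim().eq_ignore_ascii_case(name).then(|| v.trim().to_string())
        })
        .collect()
}

fn main() {
    // Constructed sample 1: the duplicate-Host request from the issue body.
    let dup = build_raw_request("GET", "/", &[("Host", "target.com"), ("Host", "attacker.com")], "");
    let (head, _) = split_head_body(&dup);
    println!("Host values in wire order: {:?}", header_values(&head, "host"));

    // Constructed sample 2: the value from the comment. A compliant client refuses it
    // because, once serialised, the blank line ends the headers and "HAHA" becomes body.
    let v = "hello\n\nHAHA";
    println!("compliant client accepts {:?}: {}", v, is_valid_header_value(v));
    let inj = build_raw_request("GET", "/", &[("Host", "target.com"), ("TEST", v)], "");
    let (head, body) = split_head_body(&inj);
    println!("TEST = {:?}, body = {:?}", header_values(&head, "TEST"), body);
}
```

Run it with `cargo run` or `rustc` on a single file. The same unvalidated builder also lets a value such as `x\r\nX-Injected: 1` smuggle a whole extra header line past the client, which is the general form of the problem the reqwest check exists to prevent.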