hacktricks/pentesting-web/abusing-hop-by-hop-headers.md

# hop-by-hop headers

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Hispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **lengo la kukuza maarifa ya kiufundi**, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila taaluma.

{% embed url="https://www.rootedcon.com/" %}

***

**Hii ni muhtasari wa chapisho** [**https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers**](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers)

Hop-by-hop headers ni maalum kwa muunganisho mmoja wa kiwango cha usafirishaji, zinazotumika hasa katika HTTP/1.1 kwa usimamizi wa data kati ya nodi mbili (kama mteja-proxy au proxy-proxy), na hazikusudiwi kuhamasishwa. Hop-by-hop headers za kawaida ni pamoja na `Keep-Alive`, `Transfer-Encoding`, `TE`, `Connection`, `Trailer`, `Upgrade`, `Proxy-Authorization`, na `Proxy-Authenticate`, kama ilivyoainishwa katika [RFC 2616](https://tools.ietf.org/html/rfc2616#section-13.5.1). Headers za ziada zinaweza kutengwa kama hop-by-hop kupitia header ya `Connection`.

### Abusing Hop-by-Hop Headers

Usimamizi usiofaa wa hop-by-hop headers na proxies unaweza kusababisha masuala ya usalama. Ingawa proxies zinatarajiwa kuondoa headers hizi, si zote hufanya hivyo, na kuunda uwezekano wa udhaifu.

### Testing for Hop-by-Hop Header Handling

Usimamizi wa hop-by-hop headers unaweza kupimwa kwa kuangalia mabadiliko katika majibu ya seva wakati headers maalum zimewekwa kama hop-by-hop. Zana na skripti zinaweza kuendesha mchakato huu, zikibaini jinsi proxies zinavyosimamia headers hizi na kwa uwezekano kufichua makosa au tabia za proxy.

Kukandamiza hop-by-hop headers kunaweza kusababisha athari mbalimbali za usalama. Hapa kuna mifano miwili inayoonyesha jinsi headers hizi zinavyoweza kudhibitiwa kwa mashambulizi yanayoweza kutokea:

### Bypassing Security Controls with `X-Forwarded-For`

Mshambuliaji anaweza kudhibiti header ya `X-Forwarded-For` ili kupita vizuizi vya ufikiaji vinavyotegemea IP. Header hii mara nyingi hutumiwa na proxies kufuatilia anwani ya IP ya mteja. Hata hivyo, ikiwa proxy inachukulia header hii kama hop-by-hop na kuhamasisha bila uthibitisho sahihi, mshambuliaji anaweza kuiga anwani yake ya IP.

**Kasi ya Shambulio:**

1. Mshambuliaji anatumia ombi la HTTP kwa programu ya wavuti nyuma ya proxy, akijumuisha anwani ya IP bandia katika header ya `X-Forwarded-For`.
2. Mshambuliaji pia anajumuisha header ya `Connection: close, X-Forwarded-For`, ikimlazimisha proxy kuchukulia `X-Forwarded-For` kama hop-by-hop.
3. Proxy iliyo na makosa inahamisha ombi kwa programu ya wavuti bila header ya `X-Forwarded-For` iliyopotoshwa.
4. Programu ya wavuti, isiyoona header ya asili ya `X-Forwarded-For`, inaweza kuzingatia ombi kama likitoka moja kwa moja kutoka kwa proxy iliyoaminika, na hivyo kuruhusu ufikiaji usioidhinishwa.

### Cache Poisoning via Hop-by-Hop Header Injection

Ikiwa seva ya cache inahifadhi maudhui kwa makosa kulingana na hop-by-hop headers, mshambuliaji anaweza kuingiza headers zenye uharibifu ili kuharibu cache. Hii itatoa maudhui yasiyo sahihi au yenye uharibifu kwa watumiaji wanaoomba rasilimali hiyo hiyo.

**Kasi ya Shambulio:**

1. Mshambuliaji anatumia ombi kwa programu ya wavuti yenye header ya hop-by-hop ambayo haipaswi kuhifadhiwa (mfano, `Connection: close, Cookie`).
2. Seva ya cache iliyo na makosa haiondoi header ya hop-by-hop na inahifadhi jibu maalum kwa kikao cha mshambuliaji.
3. Watumiaji wa baadaye wanaoomba rasilimali hiyo hiyo wanapata jibu lililohifadhiwa, ambalo lilikuwa limeandaliwa kwa mshambuliaji, na hivyo kuweza kusababisha kuibiwa kwa kikao au kufichuliwa kwa taarifa nyeti.

<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Hispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **lengo la kukuza maarifa ya kiufundi**, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila taaluma.

{% embed url="https://www.rootedcon.com/" %}

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`# hop-by-hop headers`

			`{% hint style="success" %}`
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00			`Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3622] No subject 2022-10-25 15:56:49 +00:00			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00			`<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00			`[RootedCON](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa lengo la kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila taaluma.`

			`{% embed url="https://www.rootedcon.com/" %}`

			`***`

			`Hii ni muhtasari wa chapisho [https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers)`

			Hop-by-hop headers ni maalum kwa muunganisho mmoja wa kiwango cha usafirishaji, zinazotumika hasa katika HTTP/1.1 kwa usimamizi wa data kati ya nodi mbili (kama mteja-proxy au proxy-proxy), na hazikusudiwi kuhamasishwa. Hop-by-hop headers za kawaida ni pamoja na `Keep-Alive`, `Transfer-Encoding`, `TE`, `Connection`, `Trailer`, `Upgrade`, `Proxy-Authorization`, na `Proxy-Authenticate`, kama ilivyoainishwa katika [RFC 2616](https://tools.ietf.org/html/rfc2616#section-13.5.1). Headers za ziada zinaweza kutengwa kama hop-by-hop kupitia header ya `Connection`.
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00
			`### Abusing Hop-by-Hop Headers`
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`Usimamizi usiofaa wa hop-by-hop headers na proxies unaweza kusababisha masuala ya usalama. Ingawa proxies zinatarajiwa kuondoa headers hizi, si zote hufanya hivyo, na kuunda uwezekano wa udhaifu.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`### Testing for Hop-by-Hop Header Handling`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00			`Usimamizi wa hop-by-hop headers unaweza kupimwa kwa kuangalia mabadiliko katika majibu ya seva wakati headers maalum zimewekwa kama hop-by-hop. Zana na skripti zinaweza kuendesha mchakato huu, zikibaini jinsi proxies zinavyosimamia headers hizi na kwa uwezekano kufichua makosa au tabia za proxy.`

			`Kukandamiza hop-by-hop headers kunaweza kusababisha athari mbalimbali za usalama. Hapa kuna mifano miwili inayoonyesha jinsi headers hizi zinavyoweza kudhibitiwa kwa mashambulizi yanayoweza kutokea:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			### Bypassing Security Controls with `X-Forwarded-For`
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00
			Mshambuliaji anaweza kudhibiti header ya `X-Forwarded-For` ili kupita vizuizi vya ufikiaji vinavyotegemea IP. Header hii mara nyingi hutumiwa na proxies kufuatilia anwani ya IP ya mteja. Hata hivyo, ikiwa proxy inachukulia header hii kama hop-by-hop na kuhamasisha bila uthibitisho sahihi, mshambuliaji anaweza kuiga anwani yake ya IP.
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`Kasi ya Shambulio:`
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			1. Mshambuliaji anatumia ombi la HTTP kwa programu ya wavuti nyuma ya proxy, akijumuisha anwani ya IP bandia katika header ya `X-Forwarded-For`.
			2. Mshambuliaji pia anajumuisha header ya `Connection: close, X-Forwarded-For`, ikimlazimisha proxy kuchukulia `X-Forwarded-For` kama hop-by-hop.
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00			3. Proxy iliyo na makosa inahamisha ombi kwa programu ya wavuti bila header ya `X-Forwarded-For` iliyopotoshwa.
			4. Programu ya wavuti, isiyoona header ya asili ya `X-Forwarded-For`, inaweza kuzingatia ombi kama likitoka moja kwa moja kutoka kwa proxy iliyoaminika, na hivyo kuruhusu ufikiaji usioidhinishwa.
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`### Cache Poisoning via Hop-by-Hop Header Injection`
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00
			`Ikiwa seva ya cache inahifadhi maudhui kwa makosa kulingana na hop-by-hop headers, mshambuliaji anaweza kuingiza headers zenye uharibifu ili kuharibu cache. Hii itatoa maudhui yasiyo sahihi au yenye uharibifu kwa watumiaji wanaoomba rasilimali hiyo hiyo.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`Kasi ya Shambulio:`
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			1. Mshambuliaji anatumia ombi kwa programu ya wavuti yenye header ya hop-by-hop ambayo haipaswi kuhifadhiwa (mfano, `Connection: close, Cookie`).
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00			`2. Seva ya cache iliyo na makosa haiondoi header ya hop-by-hop na inahifadhi jibu maalum kwa kikao cha mshambuliaji.`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`3. Watumiaji wa baadaye wanaoomba rasilimali hiyo hiyo wanapata jibu lililohifadhiwa, ambalo lilikuwa limeandaliwa kwa mshambuliaji, na hivyo kuweza kusababisha kuibiwa kwa kikao au kufichuliwa kwa taarifa nyeti.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00			`<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>`

			`[RootedCON](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa lengo la kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila taaluma.`

			`{% embed url="https://www.rootedcon.com/" %}`

Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`{% hint style="success" %}`
Translated ['generic-methodologies-and-resources/python/bypass-python-sa 2024-10-01 14:40:38 +00:00			`Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3622] No subject 2022-10-25 15:56:49 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['crypto-and-stego/cryptographic-algorithms/unpacking-binarie 2024-07-19 04:50:00 +00:00			`{% endhint %}`