GitBook: [#3655] No subject
BIN
.gitbook/assets/image (1) (3) (2) (1).png
Normal file
After Width: | Height: | Size: 176 KiB |
Before Width: | Height: | Size: 176 KiB After Width: | Height: | Size: 153 KiB |
Before Width: | Height: | Size: 153 KiB After Width: | Height: | Size: 31 KiB |
Before Width: | Height: | Size: 31 KiB After Width: | Height: | Size: 50 KiB |
10
README.md
|
@ -40,7 +40,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
|
|||
|
||||
### [RootedCON](https://www.rootedcon.com/)
|
||||
|
||||
<figure><img src=".gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src=".gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||||
|
||||
|
@ -74,15 +74,15 @@ Get Access Today:
|
|||
**HackenProof is home to all crypto bug bounties.**
|
||||
|
||||
**Get rewarded without delays**\
|
||||
****HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.
|
||||
\*\*\*\*HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.
|
||||
|
||||
**Get experience in web3 pentesting**\
|
||||
****Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.
|
||||
\*\*\*\*Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.
|
||||
|
||||
**Become the web3 hacker legend**\
|
||||
****Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.
|
||||
\*\*\*\*Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.
|
||||
|
||||
[**Sign up on HackenProof**](https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA) to start earning from your hacks!
|
||||
[**Sign up on HackenProof**](https://hackenproof.com/register?referral\_code=i\_E6M25i\_Um9gB56o-XsIA) to start earning from your hacks!
|
||||
|
||||
{% embed url="https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA" %}
|
||||
|
||||
|
|
|
@ -498,6 +498,7 @@
|
|||
* [File Upload](pentesting-web/file-upload/README.md)
|
||||
* [PDF Upload - XXE and CORS bypass](pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md)
|
||||
* [Formula/CSV/Doc/LaTeX Injection](pentesting-web/formula-doc-latex-injection.md)
|
||||
* [HTTP Connection Contamination](pentesting-web/http-connection-contamination.md)
|
||||
* [HTTP Connection Request Smuggling](pentesting-web/http-connection-request-smuggling.md)
|
||||
* [HTTP Request Smuggling / HTTP Desync Attack](pentesting-web/http-request-smuggling/README.md)
|
||||
* [Browser HTTP Request Smuggling](pentesting-web/http-request-smuggling/browser-http-request-smuggling.md)
|
||||
|
|
|
@ -25,7 +25,7 @@ OMI is an [open-source](https://github.com/microsoft/omi) remote configuration m
|
|||
|
||||
When these services are configured, the omiengine process will listen on all interfaces and being running as the root user.
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (1) (3) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**Default port:** 5985(http), 5986(https)
|
||||
|
||||
|
|
77
pentesting-web/http-connection-contamination.md
Normal file
|
@ -0,0 +1,77 @@
|
|||
# HTTP Connection Contamination
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
**The content of this post was taken from** [**https://portswigger.net/research/http-3-connection-contamination**](https://portswigger.net/research/http-3-connection-contamination)****
|
||||
|
||||
Web browsers use [**HTTP connection coalescing**](https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing), which lets them **reuse** a single **HTTP/2+** **connection** for requests going to **different websites**, provided that the sites **resolve to the same IP** address and use a TLS certificate valid for both hostnames.
|
||||
|
||||
**First-request routing** is a dangerous reverse-proxy behaviour where the **proxy analyses the first request** on a connection to work out **which back-end end** to route it to, and then **sends** all **subsequent requests** on that connection to the **same back-end**.
|
||||
|
||||
**Connection coalescing and first-request routing do not play well together**. For example, imagine secure.example.com and wordpress.example.com are both sat behind a reverse proxy using a certificate valid for \*.example.com:
|
||||
|
||||
```shell-session
|
||||
$ nslookup wordpress.example.com
|
||||
52.16.179.7 // reverse proxy that supports HTTP/2 and does first-request routing
|
||||
|
||||
$ nslookup secure.example.com
|
||||
52.16.179.7 // same reverse proxy
|
||||
|
||||
$ openssl s_client -connect x.portswigger-labs.net:443
|
||||
subject=/CN=*.example.com // wildcard TLS certificate
|
||||
```
|
||||
|
||||
If a browser tries to send a **request to wordpress.example.com** **followed by secure.example.com**, browser connection coalescing will force **both requests down a single connection** to the front-end. First-request routing will result in the **request to secure.example.com incorrectly being routed to the WordPress back-end**. This means that if you find [XSS](https://portswigger.net/web-security/cross-site-scripting) on wordpress.example.com, you can use it to compromise secure.example.com!
|
||||
|
||||
```javascript
|
||||
// create HTTP/2+ connection
|
||||
fetch('https://wordpress.example.com/', {credentials: 'include'})
|
||||
|
||||
// connection coalescing will force this down the same connection...
|
||||
// ...leading to the front-end misrouting it to WordPress
|
||||
// the browser thinks our injected JS is coming from secure.example.com
|
||||
// exposing saved passwords, cookies, etc.
|
||||
location='https://secure.example.com/plugin/x?q=<script>stealPasswords()'
|
||||
```
|
||||
|
||||
You can **explore connection coalescing for yourself** by using the **Timing graph under the Network tab in Chrome's developer tools** (or using WireShark if you're a masochist). Issue request pairs using fetch() and see if the graph shows time spent on 'Initial connection' for the second request, and if the Connection ID column matches:
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```javascript
|
||||
fetch('//sub1.hackxor.net/', {mode: 'no-cors', credentials: 'include'}).then(()=>{ fetch('//sub2.hackxor.net/', {mode: 'no-cors', credentials: 'include'}) })
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
I haven't invested the time required to explore this threat in depth or scan for it in the wild as I believe it's currently rare for two reasons. Firstly, first-request routing is relatively uncommon and HTTP/2's implementation complexity means there's only a small pool of unique HTTP/2 servers relative to HTTP/1.1. Secondly, connection coalescing means HTTP/2 servers performing first-request routing may intermittently break for genuine visitors, so the owners may end up fixing the vulnerability without attacker encouragement.
|
||||
|
||||
That said, it's not all bad news for attackers. **HTTP/3 proposes** [**removing the requirement for an IP address match**](https://www.rfc-editor.org/rfc/rfc9114.html#name-connection-reuse)**, which will expose everyone with a front-end that uses first-request routing and has a certificate valid for multiple hosts**.
|
||||
|
||||
This also creates a second risk which isn't related to first-request routing - it means a **compromised server with a wildcard certificate no longer requires an MITM to exploit**. In effect, this greatly increases the pool of malicious actors who could profit from it.
|
||||
|
||||
To avoid these risks before they become a reality, ensure your reverse proxies don't perform first-request routing. You can test for this manually in Repeater by enabling HTTP/1 and HTTP/2 connection reuse, and also scan for it using the 'Connection-State' attack in [HTTP Request Smuggler](https://github.com/PortSwigger/http-request-smuggler). Also, be aware that while wildcard TLS certificates have never been ideal, HTTP/3 means a compromised server with a wildcard certificate can now be used to attack sibling domains without an active MITM.
|
||||
|
||||
These new threats continue the ongoing trend of web infrastructure descending into a heavily intertwined mess where a weakness in any individual site has numerous non-obvious knock-on effects on the security of the overall system. It'll be interesting to see how these risks play out in practice.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||||
|
||||
|
|