GitBook: [#2829] update

2024-11-15 01:17:36 +00:00 · 2021-11-06 01:29:12 +00:00 · 2021-11-06 01:29:12 +00:00 · 6e1294c67c
commit 6e1294c67c
parent 6eca472f9e
9 changed files with 27 additions and 1 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/pentesting-web/http-request-smuggling/README.md
+++ b/pentesting-web/http-request-smuggling/README.md
@ -519,3 +519,4 @@ def handleResponse(req, interesting):
 * [https://medium.com/cyberverse/http-request-smuggling-in-plain-english-7080e48df8b4](https://medium.com/cyberverse/http-request-smuggling-in-plain-english-7080e48df8b4)
 * [https://github.com/haroonawanofficial/HTTP-Desync-Attack/](https://github.com/haroonawanofficial/HTTP-Desync-Attack/)
 * [https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html](https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html)
+* [https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/](https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/)
--- a/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
+++ b/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
@ -54,6 +54,16 @@ In this case the injection was performed inside the request line:

 ![](<../../.gitbook/assets/image (640).png>)

+### URL Prefix Injection
+
+Inside the scheme of the HTTP/2 connection you might be able to send a full URL that will overwrite the one indicated in the path:
+
+![](<../../.gitbook/assets/image (661).png>)
+
+### Request Line Injection via spaces
+
+![](<../../.gitbook/assets/image (641).png>)
+
 ## Frontend->backend connection reuse

 Sometimes you will find that preforming a HTTP Request Smuggling attack **you can only attack yourself**. This could be because the reverse proxy has decided to **use a different connection with the back-end** server per IP.
@ -103,3 +113,18 @@ In this scenario a **HEAD** request to the **URL** **whose** **cache** is going
 Due to the fact the the **HEAD response contains the `Content-Type: text/html`** and because the reverse proxy thinks that the **whole response to the smuggled request is the body of the HEAD** request, the **XSS payload** is going to be **treated as HTML** even if the page wasn't vulnerable to XSS.

 ![](<../../.gitbook/assets/image (659).png>)
+
+## Hidden HTTP/2
+
+Usually servers advertise the support via ALPN field in TLS handshake, but some doesn't.
+
+It can be easily detected using `curl --http2 --http2-prior-knowledge`
+
+## Tools
+
+* Burp extension: HTTP Request Smuggler
+* [https://github.com/neex/http2smugl](https://github.com/neex/http2smugl)
+
+## References
+
+* This talk explains perfectly all the techniques indicated here: [https://www.youtube.com/watch?v=rHxVVeM9R-M](https://www.youtube.com/watch?v=rHxVVeM9R-M)
--- a/pentesting-web/http-response-smuggling-desync.md
+++ b/pentesting-web/http-response-smuggling-desync.md
@ -116,7 +116,7 @@ He will send a **exploit** like:

 After the first request is resolved and sent back to the attacker, the **victims request is added into the queue**:

-![](<../.gitbook/assets/image (661).png>)
+![](<../.gitbook/assets/image (661) (1).png>)

 The victim will receive as response the **HEAD response + the content of the second request response (containing part of the reflected data):**