HTTP Connection Request Smuggling
This is a summary of the post https://portswigger.net/research/browser-powered-desync-attacks
Connection State Attacks
First-request Validation
When routing requests, reverse proxies might depend on the Host header to determine the destination back-end server, often relying on a whitelist of hosts that are permitted access. However, a vulnerability exists in some proxies where the whitelist is only enforced on the initial request in a connection. Consequently, attackers could exploit this by first making a request to an allowed host and then requesting an internal site through the same connection:
GET / HTTP/1.1
Host: [allowed-external-host]

GET / HTTP/1.1
Host: [internal-host]
First-request Routing
First-request routing occurs when the front-end server uses the Host header of the first request on a connection to choose the back-end, and then persistently routes every subsequent request from that client connection to the same back-end connection. This can be demonstrated as:
POST / HTTP/1.1
Host: www.example.com
Content-Length: 11

Hello World
In this example, the front-end server uses the Host header of the first request (www.example.com) to determine the back-end routing. Subsequent requests from the same client connection will be persistently routed to the same back-end connection.
Splitting the First Request
To exploit this vulnerability, an attacker can send a malformed request that includes two Content-Length headers. The first Content-Length header should be set to a value that will cause the back-end server to wait for more data, while the second Content-Length header should be set to a smaller value that will cause the front-end server to process the request.
POST / HTTP/1.1
Host: www.example.com
Content-Length: 100
Content-Length: 10

Hello World
In this example, the first Content-Length header (100) causes the back-end server to wait for more data, while the second Content-Length header (10) causes the front-end server to process the request. This disagreement about where the request ends can lead to request smuggling.
Impact
The impact of this vulnerability can vary depending on the specific configuration and behavior of the front-end and back-end servers. In some cases, it may allow an attacker to bypass security controls, access unauthorized resources, or perform other malicious actions.
Remediation
To mitigate this vulnerability, it is recommended to:
- Ensure that the front-end server properly handles and parses HTTP requests, including handling multiple Content-Length headers.
- Implement strict input validation and sanitization to prevent the injection of malicious headers or payloads.
- Regularly update and patch the software and libraries used by the front-end and back-end servers to address any known vulnerabilities.
- Monitor and analyze network traffic for any signs of request smuggling or other suspicious activity.
A concrete instance of first-request routing: the Host header of the first request (example.com) selects the back-end, and the password-reset request to psres.net that follows on the same connection is delivered to that same back-end:
GET / HTTP/1.1
Host: example.com

POST /pwreset HTTP/1.1
Host: psres.net
This issue can be combined with Host header attacks, such as password reset poisoning or web cache poisoning, to exploit other vulnerabilities or to gain unauthorized access to additional virtual hosts.
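A small model of the proxy behaviours described on this page, added here as an illustration and not code from HackTricks or the PortSwigger post: it splits a pipelined stream like the one above into per-request Host values, rejects a request whose two Content-Length headers disagree or whose body is shorter than declared, and contrasts first-request validation and first-request routing with a proxy that checks every request on the connection. The whitelist, the Host-to-back-end map and the pipelined stream are constructed for the example.

```python
ALLOWED = {"example.com"}                                 # constructed whitelist
ROUTES = {"example.com": "public-backend", "psres.net": "internal-backend"}

def split_requests(stream: bytes) -> list:
    """Host of each pipelined request; bodies are sized by Content-Length."""
    hosts = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete request head")
        lines = head.decode("ascii").split("\r\n")[1:]          # skip request line
        headers = [tuple(s.strip() for s in l.split(":", 1)) for l in lines]
        lengths = {v for k, v in headers if k.lower() == "content-length"}
        if len(lengths) > 1:
            raise ValueError("conflicting Content-Length headers")
        body_len = int(lengths.pop()) if lengths else 0
        if len(rest) < body_len:   # a real back-end would block waiting here
            raise ValueError("body shorter than Content-Length")
        hosts.append(next(v for k, v in headers if k.lower() == "host"))
        stream = rest[body_len:]
    return hosts

def accepts(stream: bytes) -> bool:
    """True when the stream parses as an unambiguous run of complete requests."""
    try:
        split_requests(stream)
        return True
    except ValueError:
        return False

def validate_first_only(stream: bytes) -> list:
    """Vulnerable: whitelist checked on the first request of the connection only."""
    hosts = split_requests(stream)
    if hosts[0] not in ALLOWED:
        return ["rejected"] * len(hosts)
    return [ROUTES.get(h, "rejected") for h in hosts]        # later Hosts unchecked

def route_first_only(stream: bytes) -> list:
    """Vulnerable: back-end picked for the first request is reused for the rest."""
    hosts = split_requests(stream)
    return [ROUTES[hosts[0]]] * len(hosts)

def route_per_request(stream: bytes) -> list:
    """Hardened: every request is validated and routed on its own Host header."""
    return [ROUTES[h] if h in ALLOWED else "rejected" for h in split_requests(stream)]

# Constructed stream: the page's two pipelined requests, plus a 5-byte body
PIPELINED = (b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
             b"POST /pwreset HTTP/1.1\r\nHost: psres.net\r\nContent-Length: 5\r\n\r\nuser=")
```

With the vulnerable validators the second request reaches the internal back-end (first-request validation) or is delivered to the public back-end under a foreign Host (first-request routing); the per-request check rejects it.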
{% hint style="info" %}
HTTP Request Smuggler can be used to identify these vulnerabilities.
{% endhint %}