hop-by-hop headers

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.

{% embed url="https://www.rootedcon.com/" %}

This is a summary of the post https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers

Hop-by-hop headers are specific to a single transport-level connection, used primarily in HTTP/1.1 for managing data between two nodes (like client-proxy or proxy-proxy), and are not meant to be forwarded. Standard hop-by-hop headers include Keep-Alive, Transfer-Encoding, TE, Connection, Trailer, Upgrade, Proxy-Authorization, and Proxy-Authenticate, as defined in RFC 2616. Additional headers can be designated as hop-by-hop via the Connection header.

Abusing Hop-by-Hop Headers

Improper management of hop-by-hop headers by proxies can lead to security issues. While proxies are expected to remove these headers, not all do, creating potential vulnerabilities.

Testing for Hop-by-Hop Header Handling

The handling of hop-by-hop headers can be tested by observing changes in server responses when specific headers are marked as hop-by-hop. Tools and scripts can automate this process, identifying how proxies manage these headers and potentially uncovering misconfigurations or proxy behaviors.

Abusing hop-by-hop headers can lead to various security implications. Below are a couple of examples demonstrating how these headers can be manipulated for potential attacks:

Bypassing Security Controls with `X-Forwarded-For`

An attacker can manipulate the X-Forwarded-For header to bypass IP-based access controls. This header is often used by proxies to track the originating IP address of a client. However, if a proxy treats this header as hop-by-hop and forwards it without proper validation, an attacker can spoof their IP address.

Attack Scenario:

The attacker sends an HTTP request to a web application behind a proxy, including a fake IP address in the X-Forwarded-For header.
The attacker also includes the Connection: close, X-Forwarded-For header, prompting the proxy to treat X-Forwarded-For as hop-by-hop.
The misconfigured proxy forwards the request to the web application without the spoofed X-Forwarded-For header.
The web application, not seeing the original X-Forwarded-For header, might consider the request as coming directly from a trusted proxy, potentially allowing unauthorized access.

Cache Poisoning via Hop-by-Hop Header Injection

If a cache server incorrectly caches content based on hop-by-hop headers, an attacker could inject malicious headers to poison the cache. This would serve incorrect or malicious content to users requesting the same resource.