3.5 KiB
{% hint style="success" %}
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
CONNECT method
In the Go programming language, a common practice when handling HTTP requests, specifically using the net/http library, is the automatic conversion of the request path into a standardized format. This process involves:
- Paths ending with a slash (
/) like/flag/are redirected to their non-slash counterpart,/flag. - Paths containing directory traversal sequences such as
/../flagare simplified and redirected to/flag. - Paths with a trailing period as in
/flag/.are also redirected to the clean path/flag.
However, an exception is observed with the use of the CONNECT method. Unlike other HTTP methods, CONNECT does not trigger the path normalization process. This behavior opens a potential avenue for accessing protected resources. By employing the CONNECT method alongside the --path-as-is option in curl, one can bypass the standard path normalization and potentially reach restricted areas.
The following command demonstrates how to exploit this behavior:
curl --path-as-is -X CONNECT http://gofs.web.jctf.pro/../flag
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.