hacktricks/pentesting-web/http-connection-request-smuggling.md
2022-12-05 23:29:21 +01:00

4.3 KiB

HTTP Connection Request Smuggling

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥

Connection state attacks

First-request validation

Reverse proxies often use the Host header to identify which back-end server to route each request to, and have a whitelist of hosts that people are allowed to access.

However, some proxies only apply this whitelist to the first request sent over a given connection. This means attackers can gain access to internal websites by issuing a request to an allowed destination, followed by one for the internal site down the same connection:

GET / HTTP/1.1
Host: redacted

GET / HTTP/1.1
Host: intranet.redacted

Mercifully, this mistake is quite rare.

First-request routing

First-request routing occurs when the front-end uses the first request's Host header to decide which back-end to route the request to, and then routes all subsequent requests from the same client connection down the same back-end connection.

GET / HTTP/1.1
Host: example.com

POST /pwreset HTTP/1.1
Host: psres.net

This could be chained with Host header attacks like password reset poisoning, web cache poisoning, and gaining access to other virtual hosts.

{% hint style="info" %} You can scan for these two flaws using the 'connection-state probe' option in HTTP Request Smuggler. {% endhint %}

References

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥