Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 20:53:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/http-connection-request-smuggling.md

61 lines
3.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# HTTP Connection Request Smuggling
{% hint style="success" %}
学习与实践 AWS 黑客技术:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
学习与实践 GCP 黑客技术:<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks 培训 GCP 红队专家 (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>支持 HackTricks</summary>
* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram 群组**](https://t.me/peass) 或 **在** **Twitter** 🐦 **上关注我们** [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来分享黑客技巧。
</details>
{% endhint %}
**这是对帖子** [**https://portswigger.net/research/browser-powered-desync-attacks**](https://portswigger.net/research/browser-powered-desync-attacks) **的总结**
## 连接状态攻击 <a href="#state" id="state"></a>
### 首次请求验证
在路由请求时,反向代理可能依赖于 **Host header** 来确定目标后端服务器,通常依赖于允许访问的主机白名单。然而,一些代理存在漏洞,白名单仅在连接的初始请求中强制执行。因此,攻击者可以通过首先向允许的主机发出请求,然后通过同一连接请求内部站点来利用这一点:
```
GET / HTTP/1.1
Host: [allowed-external-host]
GET / HTTP/1.1
Host: [internal-host]
```
### First-request Routing
在某些配置中,前端服务器可能会使用**第一个请求的Host头**来确定该请求的后端路由,然后将来自同一客户端连接的所有后续请求持久性地路由到相同的后端连接。这可以表示为:
```
GET / HTTP/1.1
Host: example.com
POST /pwreset HTTP/1.1
Host: psres.net
```
这个问题可以与[Host header attacks](https://portswigger.net/web-security/host-header)结合,例如密码重置中毒或[web cache poisoning](https://portswigger.net/web-security/web-cache-poisoning),以利用其他漏洞或获得对其他虚拟主机的未经授权访问。
{% hint style="info" %}
要识别这些漏洞可以利用HTTP Request Smuggler中的“connection-state probe”功能。
{% endhint %}
{% hint style="success" %}
学习与实践AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
学习与实践GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>支持HackTricks</summary>
* 查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**telegram群组**](https://t.me/peass)或**关注**我们的**Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github库提交PR来分享黑客技巧。
</details>
{% endhint %}
Reference in a new issue View git blame Copy permalink