hacktricks/network-services-pentesting/pentesting-web/golang.md
Carlos Polop d1647fc7c2 b
2024-07-19 11:06:54 +02:00

3.5 KiB

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

CONNECT method

In the Go programming language, a common practice when handling HTTP requests, specifically using the net/http library, is the automatic conversion of the request path into a standardized format. This process involves:

  • Paths ending with a slash (/) like /flag/ are redirected to their non-slash counterpart, /flag.
  • Paths containing directory traversal sequences such as /../flag are simplified and redirected to /flag.
  • Paths with a trailing period as in /flag/. are also redirected to the clean path /flag.

However, an exception is observed with the use of the CONNECT method. Unlike other HTTP methods, CONNECT does not trigger the path normalization process. This behavior opens a potential avenue for accessing protected resources. By employing the CONNECT method alongside the --path-as-is option in curl, one can bypass the standard path normalization and potentially reach restricted areas.

The following command demonstrates how to exploit this behavior:

curl --path-as-is -X CONNECT http://gofs.web.jctf.pro/../flag

https://github.com/golang/go/blob/9bb97ea047890e900dae04202a231685492c4b18/src/net/http/server.go#L2354-L2364

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}