5.5 KiB
hop-by-hop headers
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
This is a summary of the post https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers
Hop-by-hop headers are specific to a single transport-level connection, used primarily in HTTP/1.1 for managing data between two nodes (like client-proxy or proxy-proxy), and are not meant to be forwarded. Standard hop-by-hop headers include Keep-Alive
, Transfer-Encoding
, TE
, Connection
, Trailer
, Upgrade
, Proxy-Authorization
, and Proxy-Authenticate
, as defined in RFC 2616. Additional headers can be designated as hop-by-hop via the Connection
header.
Abusing Hop-by-Hop Headers
Improper management of hop-by-hop headers by proxies can lead to security issues. While proxies are expected to remove these headers, not all do, creating potential vulnerabilities.
Testing for Hop-by-Hop Header Handling
The handling of hop-by-hop headers can be tested by observing changes in server responses when specific headers are marked as hop-by-hop. Tools and scripts can automate this process, identifying how proxies manage these headers and potentially uncovering misconfigurations or proxy behaviors.
Abusing hop-by-hop headers can lead to various security implications. Below are a couple of examples demonstrating how these headers can be manipulated for potential attacks:
Bypassing Security Controls with X-Forwarded-For
An attacker can manipulate the X-Forwarded-For
header to bypass IP-based access controls. This header is often used by proxies to track the originating IP address of a client. However, if a proxy treats this header as hop-by-hop and forwards it without proper validation, an attacker can spoof their IP address.
Attack Scenario:
- The attacker sends an HTTP request to a web application behind a proxy, including a fake IP address in the
X-Forwarded-For
header. - The attacker also includes the
Connection: close, X-Forwarded-For
header, prompting the proxy to treatX-Forwarded-For
as hop-by-hop. - The misconfigured proxy forwards the request to the web application without the spoofed
X-Forwarded-For
header. - The web application, not seeing the original
X-Forwarded-For
header, might consider the request as coming directly from a trusted proxy, potentially allowing unauthorized access.
Cache Poisoning via Hop-by-Hop Header Injection
If a cache server incorrectly caches content based on hop-by-hop headers, an attacker could inject malicious headers to poison the cache. This would serve incorrect or malicious content to users requesting the same resource.
Attack Scenario:
- An attacker sends a request to a web application with a hop-by-hop header that should not be cached (e.g.,
Connection: close, Cookie
). - The poorly configured cache server does not remove the hop-by-hop header and caches the response specific to the attacker's session.
- Future users requesting the same resource receive the cached response, which was tailored for the attacker, potentially leading to session hijacking or exposure of sensitive information.
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.