SlideShare uma empresa Scribd logo

Http smuggling 1 200523064027

n|u - The Open Security Community
n|u - The Open Security Community

Http smuggling 1 200523064027

Educação
1 de 18
Baixar para ler offline
WHAT IS HTTP REQUEST SMUGGLING? ▪ Whenever HTTP requests originating from a client pass through more than one entity that parses them, there is a good chance that these entities are vulnerable to HRS. ▪ HRS sends multiple, specially crafted HTTP requests that cause the two attacked devices to see different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it. 1
#Causes ▪ HTTP Connection Mod ▪ Message Body 2
HTTP Connection Mod ▪ In the protocol design before HTTP1.0, every time a client makes an HTTP request, it needs to establish a TCP connection with the server. Modern web site pages are composed of multiple resources. We need to obtain the content of a web page, not only request HTML documents, but also various resources such as JS, CSS, and images. , It will cause the load overhead of the HTTP server to increase. So in HTTP1.1, Keep-Alive and Pipeline were added. 3
Keep-Alive ▪ Keep-Alive is used by default in HTTP/1.1, allowing multiple requests and responses to be hosted on a single connection. ▪ The so-called Keep-Alive, is to add a special request header Connection: Keep-Alive in the HTTP request, tell the server, after receiving this HTTP request, do not close the TCP link, followed by the same target server HTTP Request, reuse this TCP link, so only need to perform a TCP handshake process, which can reduce server overhead, save resources, and speed up access. Of course, this feature is enabled by default in HTTP1.1. 4
Pipline ▪ With Keep-Alive, there will be a Pipeline, and the client can send its own HTTP request like a pipeline without waiting for the response from the server. After receiving the request, the server needs to follow the first-in first-out mechanism, strictly correlate the request and response, and then send the response to the client. ▪ Nowadays, the browser does not enable Pipeline by default, but the general server provides support for Pipleline. 5
Transfer Encoding ▪ Here we mainly focus on chunked, a transmission encoding method, which is not mentioned for the first time in a network attack. It also used in bypassing WAF frequently. ▪ The chunked transfer coding wraps the payload body in order to transfer it as a series of chunks, each with its own size indicator, followed by an OPTIONAL trailer containing header fields. Chunked enables content streams of unknown size to be transferred as a sequence of length-delimited buffers, which enables the sender to retain connection persistence and the recipient to know when it has received 6
Cont.: Transfer Encoding 7
Attack Method ▪ We know that both Content-Length and Transfer-Encoding can be used as a way to process the body during POST data transmission. In order to facilitate reading and writing, we have the following shorthand rules for field processing priority rules: ▫ CL.TE: the front-end server uses the Content-Length header and the back-end server uses the Transfer- Encoding header. ▫ TE.CL: the front-end server uses the Transfer-Encoding header and the back-end server uses the Content- Length header. 8
CL-TE ▪ In the next few attack methods, we can use some Labs provided by @portswigger to practice for us to deepen our understanding. Labs-HTTP request smuggling. ▪ Remember to cancel BurpSuite’s automatic update Content- Length function before doing it. ▪ This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding. The front-end server rejects requests that aren’t using the GET or POST method. 9
Cont. 10
11 POST / HTTP/1.1 Host: ac8f1fae1e6cd77b8073213100b500d6.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 6 Transfer-Encoding: chunked 0 G
12
13
TE-CL ▪ Next we look at the situation of TE-CL. Similarly, we use LAB experiments to deepen our understanding.:Lab: HTTP request smuggling, basic TE.CL vulnerability ▪ This lab involves a front-end and back-end server, and the back-end server doesn’t support chunked encoding. The front-end server rejects requests that aren’t using the GET or POST method. ▪ To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST. 14
Contd. 15 POST / HTTP/1.1 Host: acde1ffc1f047f9f8007186200ff00fe.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 12 GPOST / HTTP/1.1 0
Contd. ▪ It should be noted here that at the end you need to add two CRLFs to construct chunk data. 16 0rn rn
Contd. 17
Practical Time Let’s Go! 18

Recomendados

Introduction to HTTP - Hypertext Transfer Protocol
Introduction to HTTP - Hypertext Transfer ProtocolIntroduction to HTTP - Hypertext Transfer Protocol
Introduction to HTTP - Hypertext Transfer ProtocolSantiago Basulto
 
HTTP
HTTPHTTP
HTTPanwitat
 
Hypertext transfer protocol (http)
Hypertext transfer protocol (http)Hypertext transfer protocol (http)
Hypertext transfer protocol (http)johnny19910916
 
Http basics by-joshi_29_4_15-ppt
Http basics by-joshi_29_4_15-pptHttp basics by-joshi_29_4_15-ppt
Http basics by-joshi_29_4_15-pptQwinix Technologies
 
HTTP Protocol Basic
HTTP Protocol BasicHTTP Protocol Basic
HTTP Protocol BasicChuong Mai
 
Hypertext Transfer Protocol
Hypertext Transfer ProtocolHypertext Transfer Protocol
Hypertext Transfer Protocolselvakumar_b1985
 
HTTP/2
HTTP/2HTTP/2
HTTP/2Ashish Padalkar
 
What's up with HTTP?
What's up with HTTP?What's up with HTTP?
What's up with HTTP?Mark Nottingham
 

Recomendados

Introduction to HTTP - Hypertext Transfer Protocol
Introduction to HTTP - Hypertext Transfer ProtocolIntroduction to HTTP - Hypertext Transfer Protocol
Introduction to HTTP - Hypertext Transfer ProtocolSantiago Basulto
 
HTTP
HTTPHTTP
HTTPanwitat
 
Hypertext transfer protocol (http)
Hypertext transfer protocol (http)Hypertext transfer protocol (http)
Hypertext transfer protocol (http)johnny19910916
 
Http basics by-joshi_29_4_15-ppt
Http basics by-joshi_29_4_15-pptHttp basics by-joshi_29_4_15-ppt
Http basics by-joshi_29_4_15-pptQwinix Technologies
 
HTTP Protocol Basic
HTTP Protocol BasicHTTP Protocol Basic
HTTP Protocol BasicChuong Mai
 
Hypertext Transfer Protocol
Hypertext Transfer ProtocolHypertext Transfer Protocol
Hypertext Transfer Protocolselvakumar_b1985
 
HTTP/2
HTTP/2HTTP/2
HTTP/2Ashish Padalkar
 
What's up with HTTP?
What's up with HTTP?What's up with HTTP?
What's up with HTTP?Mark Nottingham
 
21 HTTP Protocol #burningkeyboards
21 HTTP Protocol #burningkeyboards21 HTTP Protocol #burningkeyboards
21 HTTP Protocol #burningkeyboardsDenis Ristic
 
HTTP Presentation
HTTP Presentation HTTP Presentation
HTTP Presentation Lana Dujanovic
 
HTTP
HTTPHTTP
HTTPaltaykarakus
 
Http protocol
Http protocolHttp protocol
Http protocolArpita Naik
 
Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...
Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...
Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...rahul kundu
 
HyperText Transfer Protocol
HyperText Transfer ProtocolHyperText Transfer Protocol
HyperText Transfer Protocolponduse
 
Http
HttpHttp
HttpNITT, KAMK
 
Http-protocol
Http-protocolHttp-protocol
Http-protocolToushik Paul
 
HTTP
HTTPHTTP
HTTPDaniel Kummer
 
Http2
Http2Http2
Http2Islam Gamal
 
Introduction to HTTP2
Introduction to HTTP2Introduction to HTTP2
Introduction to HTTP2Sudarshan Pant
 
Caching in HTTP
Caching in HTTPCaching in HTTP
Caching in HTTPAlexander Shopov
 
HTTP Basics
HTTP BasicsHTTP Basics
HTTP Basicssanjoysanyal
 
Http Introduction
Http IntroductionHttp Introduction
Http IntroductionAkshay Dhole
 
Caching Techniquesfor Content Delivery
Caching Techniquesfor Content DeliveryCaching Techniquesfor Content Delivery
Caching Techniquesfor Content Deliverysanjoysanyal
 
HyperText Transfer Protocol (HTTP)
HyperText Transfer Protocol (HTTP)HyperText Transfer Protocol (HTTP)
HyperText Transfer Protocol (HTTP)Gurjot Singh
 
Lec 7(HTTP Protocol)
Lec 7(HTTP Protocol)Lec 7(HTTP Protocol)
Lec 7(HTTP Protocol)maamir farooq
 
HTTP
HTTPHTTP
HTTPvaibhavrai1993
 
Introducing HTTP/2
Introducing HTTP/2Introducing HTTP/2
Introducing HTTP/2Ido Flatow
 
Hypertexttransferprotocolhttp 131012171813-phpapp02
Hypertexttransferprotocolhttp 131012171813-phpapp02Hypertexttransferprotocolhttp 131012171813-phpapp02
Hypertexttransferprotocolhttp 131012171813-phpapp02Nidhitransport
 
Http_Protocol.pptx
Http_Protocol.pptxHttp_Protocol.pptx
Http_Protocol.pptxAbshar Fatima
 
Java EE 8: What Servlet 4.0 and HTTP/2 mean to you
Java EE 8: What Servlet 4.0 and HTTP/2 mean to youJava EE 8: What Servlet 4.0 and HTTP/2 mean to you
Java EE 8: What Servlet 4.0 and HTTP/2 mean to youAlex Theedom
 

Mais conteúdo relacionado

Mais procurados

21 HTTP Protocol #burningkeyboards
21 HTTP Protocol #burningkeyboards21 HTTP Protocol #burningkeyboards
21 HTTP Protocol #burningkeyboardsDenis Ristic
 
Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...
Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...
Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...rahul kundu
 
HyperText Transfer Protocol
HyperText Transfer ProtocolHyperText Transfer Protocol
HyperText Transfer Protocolponduse
 
Caching Techniquesfor Content Delivery
Caching Techniquesfor Content DeliveryCaching Techniquesfor Content Delivery
Caching Techniquesfor Content Deliverysanjoysanyal
 
HyperText Transfer Protocol (HTTP)
HyperText Transfer Protocol (HTTP)HyperText Transfer Protocol (HTTP)
HyperText Transfer Protocol (HTTP)Gurjot Singh
 
Lec 7(HTTP Protocol)
Lec 7(HTTP Protocol)Lec 7(HTTP Protocol)
Lec 7(HTTP Protocol)maamir farooq
 
Introducing HTTP/2
Introducing HTTP/2Introducing HTTP/2
Introducing HTTP/2Ido Flatow
 

Mais procurados (19)

21 HTTP Protocol #burningkeyboards
21 HTTP Protocol #burningkeyboards21 HTTP Protocol #burningkeyboards
21 HTTP Protocol #burningkeyboards
 
HTTP Presentation
HTTP Presentation HTTP Presentation
HTTP Presentation
 
HTTP
HTTPHTTP
HTTP
 
Http protocol
Http protocolHttp protocol
Http protocol
 
Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...
Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...
Hypertext transfer protocol and hypertext transfer protocol secure(HTTP and H...
 
HyperText Transfer Protocol
HyperText Transfer ProtocolHyperText Transfer Protocol
HyperText Transfer Protocol
 
Http
HttpHttp
Http
 
Http-protocol
Http-protocolHttp-protocol
Http-protocol
 
HTTP
HTTPHTTP
HTTP
 
Http2
Http2Http2
Http2
 
Introduction to HTTP2
Introduction to HTTP2Introduction to HTTP2
Introduction to HTTP2
 
Caching in HTTP
Caching in HTTPCaching in HTTP
Caching in HTTP
 
HTTP Basics
HTTP BasicsHTTP Basics
HTTP Basics
 
Http Introduction
Http IntroductionHttp Introduction
Http Introduction
 
Caching Techniquesfor Content Delivery
Caching Techniquesfor Content DeliveryCaching Techniquesfor Content Delivery
Caching Techniquesfor Content Delivery
 
HyperText Transfer Protocol (HTTP)
HyperText Transfer Protocol (HTTP)HyperText Transfer Protocol (HTTP)
HyperText Transfer Protocol (HTTP)
 
Lec 7(HTTP Protocol)
Lec 7(HTTP Protocol)Lec 7(HTTP Protocol)
Lec 7(HTTP Protocol)
 
HTTP
HTTPHTTP
HTTP
 
Introducing HTTP/2
Introducing HTTP/2Introducing HTTP/2
Introducing HTTP/2
 

Semelhante a Http smuggling 1 200523064027

Hypertexttransferprotocolhttp 131012171813-phpapp02
Hypertexttransferprotocolhttp 131012171813-phpapp02Hypertexttransferprotocolhttp 131012171813-phpapp02
Hypertexttransferprotocolhttp 131012171813-phpapp02Nidhitransport
 
Java EE 8: What Servlet 4.0 and HTTP/2 mean to you
Java EE 8: What Servlet 4.0 and HTTP/2 mean to youJava EE 8: What Servlet 4.0 and HTTP/2 mean to you
Java EE 8: What Servlet 4.0 and HTTP/2 mean to youAlex Theedom
 
11 - ftp & web.ppt
11 - ftp & web.ppt11 - ftp & web.ppt
11 - ftp & web.pptssuserf7cd2b
 
Next generation web protocols
Next generation web protocolsNext generation web protocols
Next generation web protocolsDaniel Austin
 
A New Internet? Introduction to HTTP/2, QUIC and DOH
A New Internet? Introduction to HTTP/2, QUIC and DOHA New Internet? Introduction to HTTP/2, QUIC and DOH
A New Internet? Introduction to HTTP/2, QUIC and DOHAPNIC
 
Taking a Quantum Leap with Html 5 WebSocket
Taking a Quantum Leap with Html 5 WebSocketTaking a Quantum Leap with Html 5 WebSocket
Taking a Quantum Leap with Html 5 WebSocketShahriar Hyder
 
Web technology-guide
Web technology-guideWeb technology-guide
Web technology-guideSrihari
 
Application layer protocols
Application layer protocolsApplication layer protocols
Application layer protocolsFabMinds
 
Java EE 8: What Servlet 4 and HTTP2 Mean
Java EE 8: What Servlet 4 and HTTP2 MeanJava EE 8: What Servlet 4 and HTTP2 Mean
Java EE 8: What Servlet 4 and HTTP2 MeanAlex Theedom
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2Ido Flatow
 
A SPDYier Experience by Olaniyi Jinadu
A SPDYier Experience by Olaniyi JinaduA SPDYier Experience by Olaniyi Jinadu
A SPDYier Experience by Olaniyi JinaduOlaniyi Jinadu
 
A new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUIC
A new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUICA new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUIC
A new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUICAPNIC
 
Difference between Client Polling vs Server Push vs Websocket vs Long Polling
Difference between Client Polling vs Server Push vs Websocket vs Long PollingDifference between Client Polling vs Server Push vs Websocket vs Long Polling
Difference between Client Polling vs Server Push vs Websocket vs Long Pollingjeetendra mandal
 

Semelhante a Http smuggling 1 200523064027 (20)

Hypertexttransferprotocolhttp 131012171813-phpapp02
Hypertexttransferprotocolhttp 131012171813-phpapp02Hypertexttransferprotocolhttp 131012171813-phpapp02
Hypertexttransferprotocolhttp 131012171813-phpapp02
 
Http_Protocol.pptx
Http_Protocol.pptxHttp_Protocol.pptx
Http_Protocol.pptx
 
Java EE 8: What Servlet 4.0 and HTTP/2 mean to you
Java EE 8: What Servlet 4.0 and HTTP/2 mean to youJava EE 8: What Servlet 4.0 and HTTP/2 mean to you
Java EE 8: What Servlet 4.0 and HTTP/2 mean to you
 
11 - ftp & web.ppt
11 - ftp & web.ppt11 - ftp & web.ppt
11 - ftp & web.ppt
 
Http/2
Http/2Http/2
Http/2
 
Next generation web protocols
Next generation web protocolsNext generation web protocols
Next generation web protocols
 
HTTP
HTTPHTTP
HTTP
 
Compute rNetwork.pptx
Compute rNetwork.pptxCompute rNetwork.pptx
Compute rNetwork.pptx
 
A New Internet? Introduction to HTTP/2, QUIC and DOH
A New Internet? Introduction to HTTP/2, QUIC and DOHA New Internet? Introduction to HTTP/2, QUIC and DOH
A New Internet? Introduction to HTTP/2, QUIC and DOH
 
Taking a Quantum Leap with Html 5 WebSocket
Taking a Quantum Leap with Html 5 WebSocketTaking a Quantum Leap with Html 5 WebSocket
Taking a Quantum Leap with Html 5 WebSocket
 
Web technology-guide
Web technology-guideWeb technology-guide
Web technology-guide
 
Web technology
Web technologyWeb technology
Web technology
 
Application layer protocols
Application layer protocolsApplication layer protocols
Application layer protocols
 
Java EE 8: What Servlet 4 and HTTP2 Mean
Java EE 8: What Servlet 4 and HTTP2 MeanJava EE 8: What Servlet 4 and HTTP2 Mean
Java EE 8: What Servlet 4 and HTTP2 Mean
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
 
A SPDYier Experience by Olaniyi Jinadu
A SPDYier Experience by Olaniyi JinaduA SPDYier Experience by Olaniyi Jinadu
A SPDYier Experience by Olaniyi Jinadu
 
A new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUIC
A new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUICA new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUIC
A new Internet? Intro to HTTP/2, QUIC, DoH and DNS over QUIC
 
Difference between Client Polling vs Server Push vs Websocket vs Long Polling
Difference between Client Polling vs Server Push vs Websocket vs Long PollingDifference between Client Polling vs Server Push vs Websocket vs Long Polling
Difference between Client Polling vs Server Push vs Websocket vs Long Polling
 
Hyper Text Transfer Protocol
Hyper Text Transfer ProtocolHyper Text Transfer Protocol
Hyper Text Transfer Protocol
 
web_01_HTTP.ppt
web_01_HTTP.pptweb_01_HTTP.ppt
web_01_HTTP.ppt
 

Mais de n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Mais de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Último

Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
ClimART Action | eTwinning Project
ClimART Action | eTwinning ProjectClimART Action | eTwinning Project
ClimART Action | eTwinning Projectjordimapav
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSMae Pangan
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...JojoEDelaCruz
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptshraddhaparab530
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
TEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxTEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxruthvilladarez
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmStan Meyer
 
EMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxEMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxElton John Embodo
 

Último (20)

Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
ClimART Action | eTwinning Project
ClimART Action | eTwinning ProjectClimART Action | eTwinning Project
ClimART Action | eTwinning Project
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHS
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
TEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxTEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docx
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and Film
 
EMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxEMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docx
 

Http smuggling 1 200523064027

  • 1. WHAT IS HTTP REQUEST SMUGGLING? ▪ Whenever HTTP requests originating from a client pass through more than one entity that parses them, there is a good chance that these entities are vulnerable to HRS. ▪ HRS sends multiple, specially crafted HTTP requests that cause the two attacked devices to see different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it. 1
  • 2. #Causes ▪ HTTP Connection Mod ▪ Message Body 2
  • 3. HTTP Connection Mod ▪ In the protocol design before HTTP1.0, every time a client makes an HTTP request, it needs to establish a TCP connection with the server. Modern web site pages are composed of multiple resources. We need to obtain the content of a web page, not only request HTML documents, but also various resources such as JS, CSS, and images. , It will cause the load overhead of the HTTP server to increase. So in HTTP1.1, Keep-Alive and Pipeline were added. 3
  • 4. Keep-Alive ▪ Keep-Alive is used by default in HTTP/1.1, allowing multiple requests and responses to be hosted on a single connection. ▪ The so-called Keep-Alive, is to add a special request header Connection: Keep-Alive in the HTTP request, tell the server, after receiving this HTTP request, do not close the TCP link, followed by the same target server HTTP Request, reuse this TCP link, so only need to perform a TCP handshake process, which can reduce server overhead, save resources, and speed up access. Of course, this feature is enabled by default in HTTP1.1. 4
  • 5. Pipline ▪ With Keep-Alive, there will be a Pipeline, and the client can send its own HTTP request like a pipeline without waiting for the response from the server. After receiving the request, the server needs to follow the first-in first-out mechanism, strictly correlate the request and response, and then send the response to the client. ▪ Nowadays, the browser does not enable Pipeline by default, but the general server provides support for Pipleline. 5
  • 6. Transfer Encoding ▪ Here we mainly focus on chunked, a transmission encoding method, which is not mentioned for the first time in a network attack. It also used in bypassing WAF frequently. ▪ The chunked transfer coding wraps the payload body in order to transfer it as a series of chunks, each with its own size indicator, followed by an OPTIONAL trailer containing header fields. Chunked enables content streams of unknown size to be transferred as a sequence of length-delimited buffers, which enables the sender to retain connection persistence and the recipient to know when it has received 6
  • 8. Attack Method ▪ We know that both Content-Length and Transfer-Encoding can be used as a way to process the body during POST data transmission. In order to facilitate reading and writing, we have the following shorthand rules for field processing priority rules: ▫ CL.TE: the front-end server uses the Content-Length header and the back-end server uses the Transfer- Encoding header. ▫ TE.CL: the front-end server uses the Transfer-Encoding header and the back-end server uses the Content- Length header. 8
  • 9. CL-TE ▪ In the next few attack methods, we can use some Labs provided by @portswigger to practice for us to deepen our understanding. Labs-HTTP request smuggling. ▪ Remember to cancel BurpSuite’s automatic update Content- Length function before doing it. ▪ This lab involves a front-end and back-end server, and the front-end server doesn’t support chunked encoding. The front-end server rejects requests that aren’t using the GET or POST method. 9
  • 11. 11 POST / HTTP/1.1 Host: ac8f1fae1e6cd77b8073213100b500d6.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 6 Transfer-Encoding: chunked 0 G
  • 12. 12
  • 13. 13
  • 14. TE-CL ▪ Next we look at the situation of TE-CL. Similarly, we use LAB experiments to deepen our understanding.:Lab: HTTP request smuggling, basic TE.CL vulnerability ▪ This lab involves a front-end and back-end server, and the back-end server doesn’t support chunked encoding. The front-end server rejects requests that aren’t using the GET or POST method. ▪ To solve the lab, smuggle a request to the back-end server, so that the next request processed by the back-end server appears to use the method GPOST. 14
  • 15. Contd. 15 POST / HTTP/1.1 Host: acde1ffc1f047f9f8007186200ff00fe.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 12 GPOST / HTTP/1.1 0
  • 16. Contd. ▪ It should be noted here that at the end you need to add two CRLFs to construct chunk data. 16 0rn rn