HTTP Connection Request Smuggling

This is a summary of the post https://portswigger.net/research/browser-powered-desync-attacks

Connection State Attacks

First-request Validation

When routing requests, reverse proxies may use the Host header to select the destination back-end server, often checking it against a whitelist of hosts that are permitted access. Some proxies, however, enforce that whitelist only on the first request of a connection. An attacker can therefore send a request to an allowed host first and then request an internal site over the same, already-validated connection:

GET / HTTP/1.1
Host: [allowed-external-host]

GET / HTTP/1.1
Host: [internal-host]

First-request Routing

In some configurations, a front-end server may use the Host header of the first request to determine the back-end routing for that request, and then persistently route all subsequent requests from the same client connection to the same back-end connection. This can be demonstrated as:

This issue can potentially be combined with Host header attacks, such as password reset poisoning or web cache poisoning, to exploit other vulnerabilities or gain unauthorized access to additional virtual hosts.
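The two connection-state flaws above, modelled side by side with the per-request check that fixes both, as an added example (not code from the original post or from PortSwigger). The whitelist, back-end names and the two-request stream are constructed for illustration.

```python
from typing import List, Tuple

# Constructed whitelist and routing table for a toy front-end proxy.
ALLOWED_HOSTS = {"www.example.com"}
BACKENDS = {"www.example.com": "backend-public:8080",
            "intranet.internal": "backend-intranet:8080"}

def parse_pipelined(raw: bytes) -> List[Tuple[str, str]]:
    """Split one connection's byte stream into (request-line, host) pairs.
    The sample requests carry no body, so each ends at the first blank line."""
    requests = []
    for chunk in raw.split(b"\r\n\r\n"):
        if not chunk.strip():
            continue
        lines = chunk.decode("ascii").split("\r\n")
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), "")
        requests.append((lines[0], host))
    return requests

def flawed_first_request_validation(raw: bytes) -> List[str]:
    """Whitelist is checked only on the first request; later requests on the
    same connection are routed by their own Host without any check."""
    decisions = []
    for i, (_, host) in enumerate(parse_pipelined(raw)):
        if i == 0 and host not in ALLOWED_HOSTS:
            return ["reject"]
        decisions.append(f"forward to {BACKENDS.get(host, 'unknown')} as Host: {host}")
    return decisions

def flawed_first_request_routing(raw: bytes) -> List[str]:
    """Back-end is chosen from the first Host and the connection is pinned to
    it; later Host values reach that back-end unchecked."""
    reqs = parse_pipelined(raw)
    if not reqs or reqs[0][1] not in ALLOWED_HOSTS:
        return ["reject"]
    backend = BACKENDS[reqs[0][1]]
    return [f"forward to {backend} as Host: {host}" for _, host in reqs]

def hardened_per_request(raw: bytes) -> List[str]:
    """Every request on the connection is validated and routed on its own Host."""
    return [f"forward to {BACKENDS[h]} as Host: {h}" if h in ALLOWED_HOSTS
            else "reject" for _, h in parse_pipelined(raw)]

# Constructed two-request stream: the first Host is allowed, the second is internal.
PIPELINED = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
             b"GET /admin HTTP/1.1\r\nHost: intranet.internal\r\n\r\n")
```

Running the three routers over PIPELINED shows the first flaw forwarding the second request to the internal back-end, the second flaw delivering an unchecked Host header to the pinned back-end, and the hardened version rejecting it.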

To identify these vulnerabilities, the 'connection-state probe' feature in HTTP Request Smuggler can be used.
