HTTP Connection Request Smuggling
This is a summary of the post
When routing requests, reverse proxies might depend on the Host header to determine the destination back-end server, often relying on a whitelist of hosts that are permitted access. However, a vulnerability exists in some proxies where the whitelist is only enforced on the initial request in a connection. Consequently, attackers could exploit this by first making a request to an allowed host and then requesting an internal site through the same connection:
In some configurations, a front-end server may use the Host header of the first request to determine the back-end routing for that request, and then persistently route all subsequent requests from the same client connection to the same back-end connection. This can be demonstrated as:
This issue can potentially be combined with , such as password reset poisoning or , to exploit other vulnerabilities or gain unauthorized access to additional virtual hosts.
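The first-request validation flaw described above, next to the per-request check that closes it, plus a detection helper that flags a Host change within one connection (relevant to first-request routing as well). This is an added example, not code from the original post: the hostnames, allowlist, request bytes and function names are constructed for illustration, and the parser assumes bodiless requests.

```python
# Added example: all names and sample data below are constructed, not from the post.
ALLOWED_HOSTS = {"allowed.example"}  # hypothetical front-end allowlist

# Constructed keep-alive stream: two requests sent over one client connection.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: allowed.example\r\n\r\n"
          b"GET / HTTP/1.1\r\nHost: internal.example\r\n\r\n")

def parse_hosts(stream):
    """Return the Host value of each request in a keep-alive byte stream.

    Assumes bodiless requests (no Content-Length or chunked bodies).
    A request with zero or several Host headers is ambiguous and yields None.
    """
    hosts = []
    for raw in stream.split(b"\r\n\r\n"):
        if not raw.strip():
            continue
        lines = raw.decode("latin-1").split("\r\n")
        values = [line.split(":", 1)[1].strip().lower()
                  for line in lines[1:] if line.lower().startswith("host:")]
        hosts.append(values[0] if len(values) == 1 else None)
    return hosts

def first_request_validation(stream):
    """Flawed: the allowlist verdict for request 1 is reused for the whole connection."""
    hosts = parse_hosts(stream)
    verdict = bool(hosts) and hosts[0] in ALLOWED_HOSTS
    return [verdict for _ in hosts]

def per_request_validation(stream):
    """Hardened: every request is checked; connection state carries no trust."""
    return [host in ALLOWED_HOSTS for host in parse_hosts(stream)]

def host_changes(stream):
    """Detection: indexes of requests whose Host differs from the connection's first."""
    hosts = parse_hosts(stream)
    return [i for i, host in enumerate(hosts) if i and host != hosts[0]]

if __name__ == "__main__":
    print("first-request validation:", first_request_validation(SAMPLE))
    print("per-request validation:  ", per_request_validation(SAMPLE))
    print("host changed at request: ", host_changes(SAMPLE))
```

A front end that must reuse back-end connections can apply the same rule to routing: choose the back end from each request's own Host, or close the client connection when `host_changes` is non-empty.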