Practical Web Security Testing of HTTP Splitting and HTTP Smuggling Vulnerabilities - vulnerability warning - the black bar safety net

ID MYHACK58:62201026600
Type myhack58
Reporter Anonymous
Modified 2010-03-31T00:00:00


In this article we introduce the reader in detail to security testing techniques for HTTP splitting and HTTP smuggling attacks. Through examples we show how both attacks are launched by exploiting certain properties of the HTTP protocol, weaknesses in the web application, or the fact that different proxies interpret the same HTTP message differently.

1. Overview of HTTP splitting/smuggling vulnerabilities

In this section we analyze two attack techniques that target specific HTTP headers: HTTP splitting and HTTP smuggling. HTTP splitting exploits a lack of input sanitization that allows an intruder to insert CR and LF characters into the headers of the application's response, so that the response is split into two distinct HTTP messages. The goals of this attack range from cache poisoning to cross-site scripting. In the second technique, the attacker exploits the fact that specially crafted HTTP messages can be parsed and interpreted differently by the various agents that receive them. HTTP smuggling requires a thorough familiarity with how each of these agents processes HTTP messages; without it the attack cannot be mounted.

Below we describe black-box and gray-box testing techniques for these vulnerabilities.

2. Black-box testing for HTTP splitting

Some web applications use part of the user input to generate the values of some of their response headers. The simplest example is a redirect whose target URL depends on a value submitted by the user. For instance, suppose the user is asked to choose between a standard and an advanced web interface; the choice is passed as a parameter, and that parameter is used to trigger a redirect to the corresponding page through a response header. More precisely, if the parameter interface has the value advanced, the application responds as follows:

On receiving this message, the browser takes the user to the page named in the Location header. However, if the application does not filter the user input, the attacker can insert into the interface parameter the sequence %0d%0a, which represents the CRLF (carriage return, line feed) sequence used to separate lines. The attacker can thereby trigger a response that any parser sitting between the user and the web application (for example, a web cache) will interpret as two distinct responses. The attacker can then "poison" this web cache so that it serves false content for subsequent requests. For example, in the scenario above, suppose the attacker passes the following as the interface parameter:

The response produced by the vulnerable software (an application that does not strictly sanitize user input) will then be as follows:

The web cache sees two distinct responses, so if the attacker sends a request for the /index.html page immediately after the first request, the web cache will match that request to the second response and cache its content; from then on, every request for that page that passes through the web cache receives the "system down" failure message. In this way the attacker can effectively deface the site as seen by the users who go through the web cache, and if the web cache is a reverse proxy for the web application, every user of the application on the Internet is affected. The attacker can also deliver JavaScript snippets to these users to launch cross-site scripting attacks, for example to steal cookies. Note that although the security vulnerability lies in the application, the targets of the attack are the users of the application.

Therefore, to find this vulnerability, the penetration tester needs to identify every user input that can influence one or more response headers and check whether a CR+LF sequence can be injected into it. The two headers most closely associated with this attack are:

Location
Set-Cookie

Note that in practice, successfully exploiting this vulnerability can be quite complicated, because several factors must be taken into account:

1. For the forged response to be cached, the attacker must set every header correctly; for example, the Last-Modified header must be set to a date in the future. The attacker must also invalidate the previously cached version of the target page, which is done by submitting a request carrying a "Pragma: no-cache" header so that the page is not served from the cache.

2. Even if the application does not filter CR+LF sequences, it may still filter other characters needed for the attack, such as < and >. In that case the attacker can try other encodings, for example UTF-7.

3. Some targets (for example, ASP) URL-encode the path portion of the URL in the Location header, so the CRLF sequence has no effect there. However, they do not apply this encoding to the query portion (for example ?interface=advanced), which means a leading question mark can bypass this filtering.
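The redirect scenario and the black-box check described above, as an added example that is not part of the original article: a builder that copies the interface parameter into Location unfiltered sits beside a hardened builder that rejects CR/LF and percent-encodes the value; a minimal cache-style parser shows that an unfiltered response parses as two messages; and a probe function performs the tester's CR+LF injection check against either builder. The base URL, the X-Probe marker header and the sample response bytes are constructed for this example and are not from the article.

```python
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote

CRLF = b"\r\n"
CR_OR_LF = re.compile(r"[\r\n]")

# Hypothetical application URL used by the samples below; not taken from the article.
BASE_URL = "http://victim.example/main.jsp"


def is_safe_header_value(value: str) -> bool:
    """A header value may not contain CR or LF: either byte ends the header line,
    and whatever follows is parsed as further headers or as a second message."""
    return CR_OR_LF.search(value) is None


def redirect_unfiltered(interface: str) -> bytes:
    """The vulnerable pattern described in the text: user input copied into Location as-is."""
    location = f"{BASE_URL}?interface={interface}".encode("latin-1")
    return b"HTTP/1.1 302 Found\r\nLocation: " + location + b"\r\nContent-Length: 0\r\n\r\n"


def redirect_hardened(interface: str) -> bytes:
    """The fix: refuse CR/LF outright, then percent-encode the value so nothing else
    in it can change the structure of the URL either."""
    if not is_safe_header_value(interface):
        raise ValueError("CR or LF in redirect parameter")
    location = f"{BASE_URL}?interface={quote(interface, safe='')}".encode("ascii")
    return b"HTTP/1.1 302 Found\r\nLocation: " + location + b"\r\nContent-Length: 0\r\n\r\n"


def split_responses(raw: bytes) -> List[Tuple[bytes, Dict[bytes, bytes], bytes]]:
    """Parse a byte stream the way a simple cache does: status line, headers, then
    Content-Length bytes of body, repeated until the stream is used up.
    Returns one (status_line, headers, body) triple per message found."""
    messages = []
    pos = 0
    while pos < len(raw):
        end = raw.find(CRLF + CRLF, pos)
        if end == -1:
            break
        lines = raw[pos:end].split(CRLF)
        headers: Dict[bytes, bytes] = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get(b"content-length", b"0"))
        body_start = end + 4
        messages.append((lines[0], headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return messages


def looks_split(raw: bytes) -> bool:
    """Detection check: one application response must parse as exactly one message."""
    return len(split_responses(raw)) > 1


def injection_possible(build: Callable[[str], bytes]) -> bool:
    """Black-box check from the text: submit a value that carries a CR+LF sequence
    followed by a harmless marker header, and see whether the marker comes back as a
    header of its own. A hardened builder raises ValueError instead."""
    try:
        raw = build("advanced\r\nX-Probe: 1")
    except ValueError:
        return False
    headers = split_responses(raw)[0][1]
    return headers.get(b"x-probe") == b"1"


# Constructed sample (not from the article): what a cache receives when an unfiltered
# application copies a parameter containing CRLF into Location. The first message
# claims an empty body, so the bytes that follow are read as a second response.
SAMPLE_SPLIT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://victim.example/main.jsp?interface=\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"system down"
)

if __name__ == "__main__":
    print("sample splits into", len(split_responses(SAMPLE_SPLIT)), "messages")
    print("unfiltered builder injectable:", injection_possible(redirect_unfiltered))
    print("hardened builder injectable:", injection_possible(redirect_hardened))
```

The hardened builder rejects rather than strips CR/LF: silently deleting the bytes hides the attempt from logs, and percent-encoding the rest of the value covers the other characters (spaces, ?, #) that could otherwise change the redirect target. The same looks_split check can be run over responses captured during a test to confirm a finding independently of any particular cache.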

3. Gray-box testing for HTTP splitting

In-depth knowledge of the target web application's engine is extremely helpful for an HTTP splitting attack. For example, different targets use different methods to determine where the first HTTP message ends and the second begins. Sometimes the message boundary alone is enough, as in the example above. Other targets, however, may use separate data packets to carry separate messages. Some targets allocate a fixed number of chunks to each message, in which case the second message must begin at a specific chunk, and the attacker has to pad the space between the two messages with the necessary chunks. This can cause trouble when the vulnerable parameter is sent in the URL, because a long URL is likely to be truncated or filtered out. Gray-box testing can help the tester find a workaround: some application servers allow the request to be sent with POST instead of GET.

4. Gray-box testing for HTTP smuggling

As mentioned earlier, HTTP smuggling exploits the fact that certain carefully crafted HTTP messages are interpreted differently by different agents (browsers, web caches, application firewalls). This attack technique was discovered by Chaim Linhart, Amit Klein, Ronen Heled and Steve Orrin in 2005. It has several uses; here we present only the most striking one: bypassing an application firewall.

Below we describe in detail how HTTP smuggling can be used to bypass an application firewall. Many application firewalls detect and block malicious web requests by looking for known malicious patterns embedded in the request. For example, the Unicode directory traversal attack against IIS servers can be launched by submitting a request similar to the one shown below:

Of course, such attacks are easily detected and filtered out by checking the URL for strings such as ".." and "cmd.exe". However, IIS 5.0 imposes a limit on the length of the POST request body: at most 48K bytes, and when the Content-Type header is something other than application/x-www-form-urlencoded, whatever exceeds that limit is truncated entirely. An attacker can use this fact to build a large request:

Here Request #1 consists of 49223 bytes of content, so Request #1 also contains the first few lines of Request #2. The firewall (or any other proxy) therefore sees Request #1 but not Request #2 (its data is just part of Request #1), and sees Request #3 but misses Request #4 (because the POST is just a fake header xxxx). Now, what does IIS 5.0 do? It stops parsing Request #1 after 49152 bytes of useless data, because it has reached the 48K = 49152-byte limit, and parses Request #2 as a new, separate request. Request #2 declares a content length of 33 bytes, which covers everything up to "xxxx :", so IIS misses Request #3 (it is interpreted as part of Request #2), but IIS does recognize Request #4, because its POST starts right after the 33 bytes of Request #2. This may look somewhat complex, but it explains nicely why the attack URL is not spotted by the firewall yet is correctly parsed and executed by IIS.

In the above case we exploited a vulnerability in the web server, but in other cases we can exploit the different ways in which various HTTP-capable devices parse messages that do not comply with RFC 1005. For example, the HTTP protocol allows only one Content-Length header, but does not specify how a message with two Content-Length headers should be handled. Some implementations use the first and others the second, which makes them vulnerable to HTTP smuggling. Another example is the use of a Content-Length header in a GET message.
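The framing disagreements described in this section and the preceding one, as an added example that is not part of the original article: a small request-stream splitter takes a Content-Length policy ("first" or "last" header wins) and an optional body cap modelled on the IIS 5.0 48K truncation, so the same constructed bytes can be shown to yield a different sequence of requests under each rule; framing_issues is the check a proxy or firewall should apply before forwarding, flagging duplicate Content-Length headers, Content-Length on a GET, and any stream on which the first-wins and last-wins rules disagree. The sample requests, host name and paths are constructed for this example and are not from the article.

```python
from typing import List, Optional, Tuple

CRLF = b"\r\n"
Header = Tuple[bytes, bytes]


def parse_head(raw: bytes, pos: int) -> Optional[Tuple[bytes, List[Header], int]]:
    """Parse the request line and headers of the message that starts at pos.
    Returns (request_line, headers, body_start), or None if the head is incomplete."""
    end = raw.find(CRLF + CRLF, pos)
    if end == -1:
        return None
    lines = raw[pos:end].split(CRLF)
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4


def body_length(headers: List[Header], policy: str) -> int:
    """The two behaviours the text describes: some agents honour the first
    Content-Length header, others the last. No header means no body."""
    lengths = [int(value) for name, value in headers if name == b"content-length"]
    if not lengths:
        return 0
    return lengths[0] if policy == "first" else lengths[-1]


def split_requests(raw: bytes, policy: str = "first", body_cap: Optional[int] = None) -> List[bytes]:
    """Split a byte stream into request lines the way an agent with the given
    Content-Length policy would. body_cap models an implementation that stops reading
    a body after a fixed number of bytes and treats the rest as a new request, which is
    the IIS 5.0 behaviour (48K POST limit) the text describes."""
    request_lines = []
    pos = 0
    while pos < len(raw):
        parsed = parse_head(raw, pos)
        if parsed is None:
            break
        request_line, headers, body_start = parsed
        length = body_length(headers, policy)
        if body_cap is not None:
            length = min(length, body_cap)
        request_lines.append(request_line)
        pos = body_start + length
    return request_lines


def framing_issues(raw: bytes) -> List[str]:
    """Checks a proxy or firewall should run before forwarding: a message whose body
    length is ambiguous must be rejected, not parsed by a guessed rule."""
    parsed = parse_head(raw, 0)
    if parsed is None:
        return ["incomplete header block"]
    request_line, headers, _ = parsed
    method = request_line.split(b" ", 1)[0]
    lengths = [value for name, value in headers if name == b"content-length"]
    issues = []
    if len(lengths) > 1:
        issues.append("more than one Content-Length header")
    if method == b"GET" and lengths:
        issues.append("Content-Length on a GET request")
    if split_requests(raw, "first") != split_requests(raw, "last"):
        issues.append("first-Content-Length and last-Content-Length agents see different requests")
    return issues


# Constructed sample stream (not from the article): one POST carrying two Content-Length
# headers, with a complete second request sitting where the body would be. The second
# value, 43, is exactly the size of the bytes that follow the blank line.
SAMPLE_DUP = (
    b"POST /form HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"GET /hidden HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)
# Constructed: the other case the text names, a GET that carries a Content-Length.
SAMPLE_GET_CL = b"GET /page HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
# Constructed: an unambiguous request, for comparison.
SAMPLE_OK = b"POST /form HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\na=b&c"

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, "policy sees:", split_requests(SAMPLE_DUP, policy))
    print("last policy with a zero body cap sees:", split_requests(SAMPLE_DUP, "last", body_cap=0))
    for sample in (SAMPLE_DUP, SAMPLE_GET_CL, SAMPLE_OK):
        print(framing_issues(sample) or ["no framing issues"])
```

The disagreement check is the most general of the three: it does not depend on knowing which rule the agent behind the proxy uses, only on whether two plausible rules give different results, so a filtering device that refuses such streams cannot be made to see a different request sequence from the server it protects.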

5. Summary

In this article we have introduced the reader in detail to security testing techniques for HTTP splitting and HTTP smuggling attacks. Through examples we have shown how both attacks are launched by exploiting certain properties of the HTTP protocol, weaknesses in the web application, or the fact that different proxies interpret the same HTTP message differently. We hope this article is helpful to readers in their security testing work.