HTTP Connection Request Smuggling

Support HackTricks and get benefits!

Connection state attacks

First-request validation

Reverse proxies often use the Host header to identify which back-end server to route each request to, and have a whitelist of hosts that people are allowed to access.

However, some proxies only apply this whitelist to the first request sent over a given connection. This means attackers can gain access to internal websites by issuing a request to an allowed destination, followed by one for the internal site down the same connection:

```
GET / HTTP/1.1
Host: redacted

GET / HTTP/1.1
Host: intranet.redacted
```

Mercifully, this mistake is quite rare.

First-request routing

First-request routing occurs when the front-end uses the first request's Host header to decide which back-end to route the request to, and then routes all subsequent requests from the same client connection down the same back-end connection.

```
GET / HTTP/1.1
Host: example.com

POST /pwreset HTTP/1.1
Host: psres.net
```

This could be chained with Host header attacks like password reset poisoning, web cache poisoning, and gaining access to other virtual hosts.
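The following is an added example, not code from the HackTricks page or from any real proxy. It models the two flaws above (first-request validation and first-request routing) in a small Python simulation of how a reverse proxy handles a keep-alive connection: the flawed handler checks and routes by `Host` only once per connection, the hardened handler does it for every request, and a third function gives a log-side check a defender can run on per-connection request records. The allow-list, back-end name and pipelined request bytes are all constructed for the illustration.

```python
"""
Added example: minimal model of per-connection Host validation/routing in a
reverse proxy. Everything below (allow-list, back-end name, request bytes) is
constructed for illustration and is not taken from any real product.
"""
from typing import Dict, List, Tuple

# Constructed allow-list: which public Host values may reach which back-end.
ALLOWED_HOSTS: Dict[str, str] = {"www.example.com": "public-backend"}

Request = Tuple[str, str, Dict[str, str]]  # (method, path, headers)


def split_requests(stream: bytes) -> List[Request]:
    """Split a keep-alive byte stream into header-only HTTP/1.1 requests.
    Bodies are not modelled; each request ends at the first blank line."""
    requests: List[Request] = []
    for raw in stream.split(b"\r\n\r\n"):
        if not raw.strip():
            continue
        lines = raw.decode("ascii", errors="replace").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((method, path, headers))
    return requests


def route_first_request_only(stream: bytes) -> List[str]:
    """Flawed behaviour: the Host of the FIRST request decides validation and
    routing; every later request on the connection is forwarded unchecked."""
    decisions: List[str] = []
    backend = None
    for method, path, headers in split_requests(stream):
        host = headers.get("host", "")
        if backend is None:                      # only the first request is checked
            backend = ALLOWED_HOSTS.get(host)
            if backend is None:
                decisions.append("403 " + host)
                break                            # proxy closes the connection
        decisions.append(f"forward[{backend}] {method} {path} Host={host}")
    return decisions


def route_per_request(stream: bytes) -> List[str]:
    """Hardened behaviour: each request is validated and routed by its own Host,
    so a later request for an internal name is rejected, not forwarded."""
    decisions: List[str] = []
    for method, path, headers in split_requests(stream):
        host = headers.get("host", "")
        backend = ALLOWED_HOSTS.get(host)
        if backend is None:
            decisions.append("403 " + host)
            continue
        decisions.append(f"forward[{backend}] {method} {path} Host={host}")
    return decisions


def host_changes_on_connection(stream: bytes) -> bool:
    """Log-side check: True if more than one distinct Host value was seen on a
    single client connection. On a front-end that routes by first request,
    this is the condition worth alerting on."""
    hosts = {headers.get("host", "") for _, _, headers in split_requests(stream)}
    return len(hosts) > 1


# Constructed pipelined stream: an allowed Host followed by an internal one.
PIPELINED = (
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    b"GET /admin HTTP/1.1\r\nHost: intranet.example.internal\r\n\r\n"
)

if __name__ == "__main__":
    print("first-request only:", route_first_request_only(PIPELINED))
    print("per-request       :", route_per_request(PIPELINED))
    print("host changed      :", host_changes_on_connection(PIPELINED))
```

Running the block shows the flawed handler forwarding the second request (with the internal `Host`) down the back-end connection chosen for `www.example.com`, while the per-request handler returns 403 for it. The `host_changes_on_connection` check is the kind of signal to add to front-end access logs: record the client connection id next to each request's `Host`, and flag connections whose `Host` changes.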

{% hint style="info" %} You can scan for these two flaws using the 'connection-state probe' option in HTTP Request Smuggler. {% endhint %}
