GitBook: [#3257] No subject
This commit is contained in:
parent
75382afe29
commit
408e4e76e8
@ -461,7 +461,7 @@
* [HTTP Request Smuggling / HTTP Desync Attack](pentesting-web/http-request-smuggling/README.md)
* [Request Smuggling in HTTP/2 Downgrades](pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md)
* [HTTP Response Smuggling / Desync](pentesting-web/http-response-smuggling-desync.md)
* [H2C Smuggling](pentesting-web/h2c-smuggling.md)
* [Upgrade Header Smuggling](pentesting-web/h2c-smuggling.md)
* [hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md)
* [IDOR](pentesting-web/idor.md)
* [JWT Vulnerabilities (Json Web Tokens)](pentesting-web/hacking-jwt-json-web-tokens.md)
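Review bot: the entry `* [Upgrade Header Smuggling](pentesting-web/h2c-smuggling.md)` points at the same file as the existing `* [H2C Smuggling](pentesting-web/h2c-smuggling.md)` two entries above, so the summary now lists one page under two titles. If the page was renamed, drop the old entry; if Upgrade Header Smuggling is meant to be a separate technique, it needs its own file rather than a second link to the same one.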
@ -233,6 +233,40 @@ The **`internal`** directive is used to make it clear to Nginx that the **locati
The use of these directives **isn't a vulnerability but you should check how are them configured**.
## proxy\_set\_header Upgrade & Connection
If the nginx server is configured to pass the Upgrade and Connection headers an [**h2c Smuggling attack**](../../pentesting-web/h2c-smuggling.md) could be performed to access protected/internal endpoints.
{% hint style="danger" %}
This vulnerability would allow an attacker to **stablish a direct connection with the `proxy_pass` endpoint** (`http://backend:9999` in this case) that whose content is not going to be checked by nginx.
{% endhint %}
Example of vulnerable configuration to steal `/flag` from [here](https://bishopfox.com/blog/h2c-smuggling-request):
```
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /usr/local/nginx/conf/cert.pem;
ssl_certificate_key /usr/local/nginx/conf/privkey.pem;
location / {
proxy_pass http://backend:9999;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
location /flag {
deny all;
}
```
{% hint style="warning" %}
Note that even if the `proxy_pass` was pointing to a specific **path** such as `http://backend:9999/socket.io` the connection will be stablished with `http://backend:9999` so you can **contact any other path inside that internal endpoint. So it doesn't matter if a path is specified in the URL of proxy\_pass.**
{% endhint %}
## Try it yourself
Detectify has created a GitHub repository where you can use Docker to set up your own vulnerable Nginx test server with some of the misconfigurations discussed in this article and try finding them yourself!
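Review bot: the danger hint reads "stablish a direct connection with the `proxy_pass` endpoint ... that whose content is not going to be checked", and the warning hint repeats "stablished"; correct both to "establish"/"established" and drop the stray "that". The section shows the vulnerable configuration but says nothing about the safe one: since the snippet forwards `$http_upgrade` and `$http_connection` on `location /`, it would help to add that Upgrade/Connection should only be forwarded on the location that actually needs WebSockets, and that nginx's documented WebSocket pattern derives the `Connection` value from a `map` on `$http_upgrade` instead of relaying the client's `Connection` header verbatim (that map can be narrowed so only `websocket` is passed through). Two smaller items: the config fence has no language tag (```nginx would render it properly), and the "Try it yourself" paragraph mentions a Detectify repository without linking it.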
@ -1,4 +1,4 @@
# Upgrade Header Smuggling
<details>
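Review bot: the H1 becomes "Upgrade Header Smuggling" while the file stays `h2c-smuggling.md` and the body (the `## H2C Smuggling` section and the nginx cross-link) still describes the technique as H2C smuggling; a one-sentence lead stating that smuggling via the Upgrade header is the general issue and h2c is the instance covered on this page would tie the new title to the content.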
@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## H2C Smuggling <a href="#http2-over-cleartext-h2c" id="http2-over-cleartext-h2c"></a>
**This information was taken from** [**https://blog.assetnote.io/2021/03/18/h2c-smuggling/**](https://blog.assetnote.io/2021/03/18/h2c-smuggling/)**, for more information follow the link.**
# HTTP2 Over Cleartext (H2C) <a href="#http2-over-cleartext-h2c" id="http2-over-cleartext-h2c"></a>
### HTTP2 Over Cleartext (H2C) <a href="#http2-over-cleartext-h2c" id="http2-over-cleartext-h2c"></a>
A normal HTTP connection typically lasts only for the duration of a single request. However, H2C or “**http2 over cleartext”** is where a normal transient http **connection is upgraded to a persistent connection that uses the http2 binary protocol** to communicate continuously instead of for one request using the plaintext http protocol.
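Review bot: the new `## H2C Smuggling` heading reuses `id="http2-over-cleartext-h2c"`, which is also the id on the `### HTTP2 Over Cleartext (H2C)` heading directly below it, so the page ends up with two elements sharing one id and in-page links resolve only to the first. Give the H2 its own anchor (for example `h2c-smuggling`) or drop the `<a>` from it.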
@ -35,13 +34,43 @@ So where is the bug? **When upgrading a connection, the reverse proxy will often
![](<../.gitbook/assets/image (454).png>)
# Exploitation <a href="#exploitation" id="exploitation"></a>
### Vulnerable Proxies <a href="#exploitation" id="exploitation"></a>
Note from the explanation of the vulnerability that the proxy server needs to **forward the Upgrade header**, and sometimes the **Connection header** also needs to be successfully forwarded.
By default, the following services **do** forward **Upgrade** and **Connection headers** during proxy-pass, thereby enabling h2c smuggling out-of-the-box.:
* HAProxy
* Traefik
* Nuster
By default, these services **do not** forward both Upgrade and Connection headers during proxy-pass, but **can be configured in an insecure manner** (by passing unfiltered Upgrade and Connection headers):
* AWS ALB/CLB
* NGINX
* Apache
* Squid
* Varnish
* Kong
* Envoy
* Apache Traffic Server
### Exploitation <a href="#exploitation" id="exploitation"></a>
The original blog post points out that not all servers will forward the required headers for a compliant H2C connection upgrade. This means load balancers like AWS ALB/CLB, NGINX, and Apache Traffic Server amongst others will **prevent a H2C connection by default**. However, at the end of the blog post, he does mention that “not all backends were compliant, and we could **test with the non-compliant `Connection: Upgrade` variant, where the `HTTP2-Settings` value is omitted** from the `Connection` header.”
{% hint style="danger" %}
Note that even if the `proxy_pass` URL (the endpoint the proxy forwards the connection) was pointing to a specific **path** such as `http://backend:9999/socket.io` the connection will be stablished with `http://backend:9999` so you can **contact any other path inside that internal endpoint abusing this technique. So it doesn't matter if a path is specified in the URL of proxy\_pass.**
{% endhint %}
Using the tools [**https://github.com/BishopFox/h2csmuggler**](https://github.com/BishopFox/h2csmuggler) **and** [**https://github.com/assetnote/h2csmuggler**](https://github.com/assetnote/h2csmuggler) you can try to **bypass the protections imposed** by the proxy establishing a H2C connection and access proxy protected resources.
Follow this link for[ **more info about this vulnerability in Nginx**](../network-services-pentesting/pentesting-web/nginx.md#proxy\_set\_header-upgrade-and-connection).
## References
* [https://blog.assetnote.io/2021/03/18/h2c-smuggling/](https://blog.assetnote.io/2021/03/18/h2c-smuggling/)
* [https://bishopfox.com/blog/h2c-smuggling-request](https://bishopfox.com/blog/h2c-smuggling-request)
<details>
@ -58,5 +87,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
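Review bot: `id="exploitation"` now sits on both `### Vulnerable Proxies` and `### Exploitation` (it was previously only on the `# Exploitation` H1 this hunk demotes), so the anchor is duplicated and `#exploitation` will land on the proxy list rather than the exploitation text; give "Vulnerable Proxies" its own id. Two smaller points: the danger hint repeats "stablished" (should be "established") and is the same warning text added to the nginx page in this commit, so one of the two could link to the other instead of duplicating it; and "out-of-the-box.:" has a stray period before the colon.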