GitBook: [#2829] update

This commit is contained in:
CPol 2021-11-06 01:29:12 +00:00 committed by gitbook-bot
parent 6eca472f9e
commit 6e1294c67c
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
9 changed files with 27 additions and 1 deletions


@ -519,3 +519,4 @@ def handleResponse(req, interesting):
* [https://medium.com/cyberverse/http-request-smuggling-in-plain-english-7080e48df8b4](https://medium.com/cyberverse/http-request-smuggling-in-plain-english-7080e48df8b4) * [https://medium.com/cyberverse/http-request-smuggling-in-plain-english-7080e48df8b4](https://medium.com/cyberverse/http-request-smuggling-in-plain-english-7080e48df8b4)
* [https://github.com/haroonawanofficial/HTTP-Desync-Attack/](https://github.com/haroonawanofficial/HTTP-Desync-Attack/) * [https://github.com/haroonawanofficial/HTTP-Desync-Attack/](https://github.com/haroonawanofficial/HTTP-Desync-Attack/)
* [https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html](https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html) * [https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html](https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html)
* [https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/](https://standoff365.com/phdays10/schedule/tech/http-request-smuggling-via-higher-http-versions/)

@ -54,6 +54,16 @@ In this case the injection was performed inside the request line:
![](<../../.gitbook/assets/image (640).png>) ![](<../../.gitbook/assets/image (640).png>)
### URL Prefix Injection
Inside the scheme of the HTTP/2 connection you might be able to send a full URL that will overwrite the one indicated in the path:
![](<../../.gitbook/assets/image (661).png>)
### Request Line Injection via spaces
![](<../../.gitbook/assets/image (641).png>)
## Frontend->backend connection reuse ## Frontend->backend connection reuse
Sometimes you will find that preforming a HTTP Request Smuggling attack **you can only attack yourself**. This could be because the reverse proxy has decided to **use a different connection with the back-end** server per IP. Sometimes you will find that preforming a HTTP Request Smuggling attack **you can only attack yourself**. This could be because the reverse proxy has decided to **use a different connection with the back-end** server per IP.
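Review bot: both new subsections, `### URL Prefix Injection` and `### Request Line Injection via spaces`, consist of a screenshot only, and the second has no prose at all, so a reader who cannot see the image learns nothing. Suggest one or two sentences per section saying what the screenshot shows: the sentence "Inside the scheme of the HTTP/2 connection" presumably means the `:scheme` pseudo-header, so name it, state what value is injected there, and state what the back end ends up parsing as its request line once the front end downgrades to HTTP/1.1. The empty `![]()` alt text should also be filled in so the sections degrade gracefully when the asset is missing.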
@ -103,3 +113,18 @@ In this scenario a **HEAD** request to the **URL** **whose** **cache** is going
Due to the fact the the **HEAD response contains the `Content-Type: text/html`** and because the reverse proxy thinks that the **whole response to the smuggled request is the body of the HEAD** request, the **XSS payload** is going to be **treated as HTML** even if the page wasn't vulnerable to XSS. Due to the fact the the **HEAD response contains the `Content-Type: text/html`** and because the reverse proxy thinks that the **whole response to the smuggled request is the body of the HEAD** request, the **XSS payload** is going to be **treated as HTML** even if the page wasn't vulnerable to XSS.
![](<../../.gitbook/assets/image (659).png>) ![](<../../.gitbook/assets/image (659).png>)
## Hidden HTTP/2
Usually servers advertise the support via ALPN field in TLS handshake, but some doesn't.
It can be easily detected using `curl --http2 --http2-prior-knowledge`
## Tools
* Burp extension: HTTP Request Smuggler
* [https://github.com/neex/http2smugl](https://github.com/neex/http2smugl)
## References
* This talk explains perfectly all the techniques indicated here: [https://www.youtube.com/watch?v=rHxVVeM9R-M](https://www.youtube.com/watch?v=rHxVVeM9R-M)
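Review bot: the detection command in `## Hidden HTTP/2` is incomplete and its two flags conflict: `curl --http2 --http2-prior-knowledge` has no target URL, and in curl `--http2` and `--http2-prior-knowledge` are mutually exclusive options where the last one given wins, so the command as written is effectively just `--http2-prior-knowledge`. Suggest giving the full command, for example `curl -sv --http2-prior-knowledge https://<host>/ -o /dev/null`, and saying what the reader should look for in the verbose output (whether the server accepts the HTTP/2 connection preface even though ALPN did not advertise `h2`). Also `some doesn't` should be `some don't`, and the `## Tools` entry `Burp extension: HTTP Request Smuggler` could carry a link like the `http2smugl` entry does.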

@ -116,7 +116,7 @@ He will send a **exploit** like:
After the first request is resolved and sent back to the attacker, the **victims request is added into the queue**: After the first request is resolved and sent back to the attacker, the **victims request is added into the queue**:
![](<../.gitbook/assets/image (661).png>) ![](<../.gitbook/assets/image (661) (1).png>)
The victim will receive as response the **HEAD response + the content of the second request response (containing part of the reflected data):** The victim will receive as response the **HEAD response + the content of the second request response (containing part of the reflected data):**
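Review bot: the only change in this hunk swaps the screenshot reference from `image (661).png` to `image (661) (1).png`. The ` (1)` suffix suggests a filename collision with an existing asset, and the HTTP/2 page touched earlier in this commit now references `image (661).png` for its URL prefix injection screenshot. Worth opening both pages after the merge to confirm each still shows the intended image (the HEAD-plus-queued-request diagram here, the HTTP/2 one there) rather than a swapped asset.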