HTTP Connection Request Smuggling

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

Connection state attacks

First-request validation

Reverse proxies often use the Host header to identify which back-end server to route each request to, and have a whitelist of hosts that people are allowed to access.

However, some proxies only apply this whitelist to the first request sent over a given connection. This means attackers can gain access to internal websites by issuing a request to an allowed destination, followed by one for the internal site down the same connection:

GET / HTTP/1.1
Host: redacted

GET / HTTP/1.1
Host: intranet.redacted

Mercifully, this mistake is quite rare.

First-request routing

First-request routing occurs when the front-end uses the first request's Host header to decide which back-end to route the request to, and then routes all subsequent requests from the same client connection down the same back-end connection.

GET / HTTP/1.1
Host: example.com

POST /pwreset HTTP/1.1
Host: psres.net

This could be chained with Host header attacks like password reset poisoning, web cache poisoning, and gaining access to other virtual hosts.

{% hint style="info" %} You can scan for these two flaws using the 'connection-state probe' option in HTTP Request Smuggler. {% endhint %}