Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Hello friends.I am CodeNinja a.k.a. Aakash Choudhary.
- As I promised to make tutorial on HTTP HEADER ATTACK to my friend Tayyab Qadir [Leet Kid :P] so now i am making this
- tutorial so keep watch and learn Thanks.
- If you want to learn this attack you should understand HTTP first. Here is some important sites :->
- 1. http://code.tutsplus.com/tutorials/http-the-protocol-every-web-developer-must-know-part-1--net-31177
- 2. http://code.tutsplus.com/tutorials/http-the-protocol-every-web-developer-must-know-part-2--net-31155
- 3. http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
- 4. http://code.tutsplus.com/tutorials/using-web-debugging-proxies--net-29828
- 5. http://www.sans.org/reading-room/whitepapers/testing/penetration-testing-web-application-dangerous-http-methods-33945
- 6. http://learn.onemonth.com/understanding-http-basics
- 7. https://danielmiessler.com/study/http/
- All above are very very awesome for understand HTTP.
- Step 1:- What is HTTP & cause or harm by this attack ?
- ANS :- Web servers often broadcast server information by default.
- This can include information such as the operating system (Linux, Windows, etc),
- the operating system version, what kind of web server you are running (IIS, Apache, etc.) and
- in some cases web server modules installed.
- This information is stored in http headers, and sent along with every web page request made by a user visiting your page.
- As a result, it is very easy for anyone to find out what kind of settings such a server is using.
- By itself, this information is harmless, although it does give away some information about your website setup.
- A dedicated attacker can use this information to find and craft attacks specific to your system,
- or automated attacks may search for specific configurations to attack.
- Although it is difficult to prevent someone from finding this information using other methods,
- disabling server headers reduces the likelihood of attacks on the site.
- I know how to secure website from this attack :D but not much full but atleast i know :P
- Step 2:- How many ways there to attack on HTTP ?
- ANS :- Here what i saw on this attack possible :-
- 1. HTTP REQUEST SMUGGLING :- Cache Poisoning,Session Hijaking,XSS
- 2. HTTP RESPONSE SPLITTING :- Cross-User Defacement,Cache Poisoning,XSS,Page Hijacking
- 3. HTTP Parameter Polution Attack
- We must know about Header types in HTTP & Status Code like 200,301,404
- Must to know Important Headers :- https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- We must know about HTTP Methods :-
- -------------------------------------------------
- GET
- POST
- TRACE
- DELETE
- PUT
- HOST
- X-FORWARDED-FOR
- Referer
- User-agent
- HTTPOnly
- OPTIONS
- CONNECT
- NOTE: If we while inspecting HTTP see this :- Allow: GET,HEAD,POST,TRACE,OPTIONS Then it is good news for us because
- now we know that what methods are allow in target website and we can do many attacks based on this :D.
- Most applications only use few HTTP headers:
- Referer: to know where the clients come from
- Cookie: to retrieve the cookies
- User-Agent: to know what browser users use like :Mozilla
- X-Forwarded-For: to get the source IP address (even if it's not the best method to do this).
- The Host header is mainly used by the web server to know what web site you are trying to access
- If we put the IP address in the Host header or an invalid hostname, we can sometimes get another website and
- get extra-information from this.
- ------------------------------------------------
- Requirements :-
- -------------------------------------------------
- 1. RefControl addon
- 2. User-Agent Switcher
- 3. Netcat
- 4. Wireshark
- 5. TELNET
- 6. NMAP
- 7. HTTP HEADERS
- 8. Burpsuite
- We should have understanding of above things.
- --------------------------------------------------
- STEP 3:- Identify Vulnerability
- ANS:- Check everything to detect vulnerability in any website. Like to identify HTTP HEADER ATTACK vulnerability on
- website just open site and check its REQUEST & RESPONSE in Headers. We can use WIRESHARK,BURPSUITE or HEADER addons
- LIKE :-
- Web applications that do not properly sanitize user input before using it as an HTTP header value are vulnerable
- to header injection (also called Response Splitting).
- Now i am explaining ===> HTTP HEADER ATTACK
- HTTP headers have the structure “Key: Value”, where each line is separated by the CRLF combination.
- If the user input is injected into the value section without properly escaping/removing CRLF characters
- it is possible to alter the HTTP headers structure.
- A CRLF (New line) injection adding malicious characters into HTTP headers without proper input filtering.
- HTTP Response Splitting is a application attack technique which enables various new attacks
- such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and XSS.
- The attacker sends a single HTTP request that forces the web server to form an output stream,
- which is then interpreted by the target as two HTTP responses instead of one response.
- You see CRLF combination. What is this ? This is :- Carriage Return (\n) + Line Feed(\r)
- So what is actually HTTP ? This is a Protocol which is used to communicate between Our Browser and Web Server.
- REQUEST & RESPONSES is what important thing in HTTP.
- HTTP Request :- When we fill form anc click SUBMIT button then it goes to Web Server where Web Server check is that
- filling form is correct or not so this is called REQUEST.
- HTTP RESPONSE :- So when Web Server show us message like Form is submitted or if we login successfully then we login
- on page so this is what Web Server give Response of what we Request.
- So if we fill log in details by inputing our name & password and then INSPECTING HTTP using tools like BURPSUITE or
- HTTP HEADER addons and see is our input is not sanitizing by web server then we can Attack :P
- GENERATE HTTP TRAFFIC :-
- We can use telnet or netcat for this purpose
- e.g. :-
- 1. telnet 192.168.56.102/vulnerable 80
- GET / HTTP/1.1
- Host: 192.168.56.102/vulnerable
- NOTE: Some time we see 400 Bad Request so we can also try this HTTP/1.0 instead of HTTP/1.1
- 2.Also can use this
- echo "GET /HTTP/1.0\r\nHost:vulnerable\r\n\r\n" | nc vulnerable 80
- Where \r\n is our CRLF Remember I discussed about this already above :P
- We can also use %0d or %0a instead of \r or \n respectively
- We can use many important things like HTML ENCODING,DOUBLE ENCODING,URL ENCODING because somethimes it can be very
- HELPFUL :D
- 3. Also we can try with JEFF method instead of GET. If you try with JEFF method and see Response 200 OK then it is
- vulnerable with JEFF method BUT if we see 405 or 501 error then JEFF method not work.
- 4.HOST :- It is a header that allows a web server to host multiple websites on the same IP address
- ############################# HTTP REQUEST #############################
- This is what happens when you open your browser and navigate to www.google.com.
- An HTTP request to www.google.com is initiated.
- GET / HTTP/1.1
- Host: www.goole.com
- Accept: text/html
- User-Agent: Mozilla/5.0 (Windows; U;
- Windows NT 6.1; it; rv:1.9.2.2)
- Gecko/20100316 Firefox/3.6.2 GTBDFff
- GTB7.0
- Connection: keep-alive
- What we see here are the Headers, called HTTP Request Headers for this request.
- Now lets understand the above Requests one by one.
- 1.) GET / HTTP/1.1 ---> Request Method
- This is the type of our request (also known as HTTP Verb).
- GET is the request type when we type a website URL in our location bar and hit enter.
- Other Verbs are POST, PUT,DELETE, OPTIONS, TRACE etc etc
- 2.) / ---> Path
- This is the file we are requesting.
- The home page of a website is always "/".
- Other pages can be requested such as: /downloads/index.php.
- We always refer to the root folder to specify the requested file (hence the leading "/").
- 3.) HTTP/1.1 ---> Protocol
- This is the HTTP protocol version our browser is talking.
- This basically hints the web server which language will be used in the communication
- 4.) Host: www.google.com ---> Host header
- This is the beginning of HTTP Request Headers.
- HTTP Headers have the following structure: Header-name:Header-value.
- The Host header allows a web server to host multiple websites on the same IP address.
- This means that we will have to specify which website we are interested in, in the Host header.
- www.google.com <---- This is Host Value
- After each Request header we find its corresponding value.
- In this case we want to reach the host --> www.google.com.
- Note: Host value + Path makes the full URL we are requesting: The home page of www.google.com.
- 5.) Accept: text/html ----> Accept Header
- This header is used by the browser to specify which document type is expected as the result of this request.
- 6.) User-Agent: Mozilla/5.0 (Windows; U;
- Windows NT 6.1; it; rv:1.9.2.2)
- Gecko/20100316 Firefox/3.6.2 GTBDFff
- GTB7.0
- -----> Host User Agent
- The user agent reveals the browser version, operating system and language to the remote web server.
- All web browsers have their own identification user agent.
- This is how most web site recognize the type of browser in use.
- 7.) Connection: keep-alive ----> Header Connection
- With HTTP 1.1 we can keep our connection to the remote web server open for a given time using the value "Keep-alive".
- All the requests to the web server will go through this connection
- without reinstating a new connection every time (as in HTTP 1.0).
- ################################################################################################################
- ###################### HTTP RESPONSE ##########################
- In response to the HTTP Request,
- the web server will respond with the requested resource preceded by a number of Headers.
- These headers will be used by the web browser to interpret the content carried in the Response content.
- Check these in HEADERS ===>
- 1.) Cache-Control: private,max-age=0 ==========> Cache Header
- The cache headers allow the Browser and the Server to exchange information about cached contents.
- Cached contents save bandwidth because prevent the browser from requesting unmodified contents when the
- same resource is to be used.
- 2.) Server:gws ========> Server Header
- The Server header advertises the banner of the Web Server. Apache and IIS are common web servers.
- In above example Google uses a custom webserver banner as "gws" (Google
- Web Server).
- 3.) Via: 1.0 .:8001(squid) ======> Via Header
- The Via header is present when a connection has traversed a proxy.
- A proxy is a special web server that caches contents for faster delivery
- 4.) <PAGE CONTENT> =====> Content
- This is the content of the requested resource.
- The content can be a web page html, a document, or a binary file.
- The type of content is contained in the Content-type header.
- Take a look on HTTP Response Splitting Attack :-
- ############################### HTTP RESPONSE SPLITTING #########################################
- The idea behind it is, you find a website that takes user submitted data, and writes it to the HTTP header.
- An example of this is a Location: redirect. Heres the PHP code that takes a website, and redirects you to it.
- http://site.com/redirect.php?page=http://www.google.com
- <?php
- header("Location: $_GET['page']");
- ?>
- In this attack we have to see Response COdes like 200 OK,404,302 etc etc.
- SCENARIO :-
- Consider a server which accepts user input through some form or search or anything which is sent as POST data.
- The server does not sanitize the user input, allowing the user to enter any arbitrary data.
- Each line in HTTP header is separated by CR/LF.
- CR means carriage return and LF means line feed, this is crucial while parsing because it tells the end of line.
- The attacker cleverly crafts another request inside the input field.
- Suppose in headers if we see " lang=en " has user influence, so the attacker can send data as :
- 1. The value ‘en’.
- 2. CR/LF – %0d%0a for Windows or %0a for Linux
- 3. A response with Content Length 0 [we don’t bother about this response.]
- 4. CR/LF – %0d%0a for Windows or %0a for Linux
- 5. A response which contains malicious content
- [For e.g. Javascript which will download malware when the page is visited]
- Note :- If we are WINDOWS user we use CR/LF & if we are LINUX user we use LF
- What we can do with HTTP Response Splitting Attack ? ---->
- – Cross-site Scripting (XSS) attacks
- – Cross User Defacement
- – Web Cache Poisoning
- – Page Hijacking
- – Browser Cache Poisoning
- – Browser Hijacking
- Now in next section i am including *ATTACK* section as example so that we learn more but remember i will teach
- practically attack in my 2nd Part of Tutorial.
- ################# HTTP Response Splitting - The Attack examples ########################
- • An HTTP message response includes two parts :
- – Message Headers – metadata that describes a request or response
- - Each terminated by a carriage return (\r) and a linefeed (\n) (But remember about OS like window or chrome)
- GET http://www.google.com/ HTTP/1.1\r\n
- Host: www.google.com\r\n
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
- rv:1.9.0.1; Google-TR-5.7.806.10245-en) Gecko/2008070208
- Firefox/3.0.1 Paros/3.2.13\r\n
- Accept: text/html,application/xhtml+xml,application/xml;
- q=0.9,*/*;q=0.8\r\n
- Accept-Language: en-us,en;q=0.5\r\n
- Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
- Keep-Alive: 300\r\n
- Proxy-Connection: keep-alive\r\n
- Please notice \r\n there :D
- • Then the Message Body which is the raw data of the response
- <HTML>\r\n
- <HEAD>\r\n
- <TITLE>Your Title Here</TITLE>\r\n
- </HEAD>\r\n
- <BODY>\r\n
- </BODY>\r\n
- ...
- </HTML>\r\n
- • The Message Headers are also separated from the message body a carriage return/linefeed pair
- GET http://www.google.com/ HTTP/1.1 \r\n
- Host: www.google.com \r\n
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1; Google-TR-
- 5.7.806.10245-en) Gecko/2008070208 Firefox/3.0.1 Paros/3.2.13 \r\n
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \r\n
- Accept-Language: en-us,en;q=0.5 \r\n
- Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 \r\n
- Keep-Alive: 300 \r\n
- Proxy-Connection: keep-alive \r\n
- \r\n
- <HTML>
- <HEAD>
- <TITLE>Your Title Here</TITLE>
- • Those two consecutive carriage-return-linefeed pairs are the source of
- HTTP response splitting vulnerabilities
- • The HTTP response splitting vulnerability is not the attack, it is simply the
- path that makes it possible
- • The key to the attack is ability for an attacker to modify the message
- headers
- • HTML is stateless, so neither the web server nor the browser has any
- problem with this seemingly odd behavior
- ------------------------------------------------------------------------------------------
- • Now Let’s understand how a normal page redirection works in HTTP
- – Example: A page containing a redirect script:
- protected void processRequest(HttpServletRequest aRequest, HttpServletResponse
- aResponse) throws ServletException, IOException {
- redirect(“http://www.new-url.com”, aResponse);
- }
- – A request like:
- – would redirect to:
- http://www.test.com/offer.jsp?page=http://www.test.com/freechecking
- – How do the headers work behind the scenes?
- http://www.test.com/freechecking
- • Under the hood, the request is ->
- GET /latestoffer.jsp?page=http://www.test.com/freechecking HTTP/1.1\r\n
- Host: www.bank.com \r\n
- ...
- \r\n
- • The server responds with an HTTP 302 (redirect)
- HTTP/1.1 302 Found \r\n
- ...
- Location: http://www.test.com/freechecking \r\n
- NOTE: THIS COULD BE THE USER INPUT IN HEADER
- ...
- \r\n
- • The browser then fetches the new page
- GET / HTTP/1.1 \r\n
- Host: http://www.test.com/freechecking \r\n
- ...
- \r\n
- • The server responds with HTTP 200 (found) and the page
- HTTP/1.1 200 OK \r\n
- ...
- \r\n
- • But the user can input something that terminates the response and initiates an attack
- For Window user :-
- /latestoffer.jsp?page=anything%0d%0aContent-
- Length:%200%0d%0d%0a%0aHTTP/1.1%20200%20OK%0d
- %0aContent-Type:%20text/html%0d%0a
- Content-Length:%2019%0d%0a%0d%0a<html>Attack</html>
- For Linux User :-
- /latestoffer.jsp?page=anything%0aContent-
- Length:0%0a%0aHTTP/1.1 200 OK
- %0aContent-Type: text/html %0a
- Content-Length: 19%0a%0a<html>Attack</html>
- URL Encoded is important --->
- - ":" by %3A
- - "space" by %20
- - "carriage return" by %0A
- - "," by %2c
- - "/" by %2F
- - "<" by %3C
- - ">" by %3E
- Use this site for this purpose :- http://yehg.net/encoding/
- Now come to the that attack example again :-
- /latestoffer.jsp?page=anything%0d%0aContent-
- Length:%200%0d%0d%0a%0aHTTP/1.1%20200%20OK%0d
- %0aContent-Type:%20text/html%0d%0a
- Content-Length:%2019%0d%0a%0d%0a<html>Attack</html>
- There notice -> Content-Length:%2019%0d%0a%0d%0a<html>Attack</html>
- - Remember that we need two \r\n sequences between the headers and the body
- This results in ---->
- HTTP/1.1 302 Moved Temporarily
- Location: http://www.test.com/latestoffer.jsp?page=anything <--- HTTP RESPONSE
- Content Length: 0
- HTTP/1.1 200 OK ---------|
- Content-Type: text/html | We INSERTED HTTP Response
- Content-Length: 19 |
- <<Anything you want>> ---------|
- Then :-
- Server: gws ---------|
- Content-Type: text/html | This is what Superfluous Data mean which is our expecting data
- Content-Length:%2019 |
- <html>Attack</html> |
- ..... ---------|
- Explanation :-
- • The dangerous part of this, is <<Anything you want>>
- • A script that can take over the user's browser or steal cookie information
- – A redirection to a different host and web page
- – A page that mimics another site and collect credentials
- – It can poison the web cache leading to site defacement
- • However, the exploit is not complete
- • There are now two responses, but only one request
- • The web server will simply hold the second response
- • The attacker has to issue another request
- • In the simplest case, simply send http://www.test.com
- • How the attacker does this is dependent on the situation and the attackers goals
- See the following example of cache poisoning -->
- First Understand :->
- – A site has a proxy server for web pages
- – The attacker and victims are behind the proxy server
- – When a response is received by the proxy server, it saves it to answer future requests
- – So the proxy server saves both responses from the attack
- – If the second response defaces a real page, or creates a page with a malicious
- JavaScript embedded, everyone on the network will get it
- Second - Browser Cache Poisoning :->
- • We creates an HTTP Response Splitting attack based on a URL
- http://somesite.com/start.php?first=xxx<script> ...
- </script>&lang=fr%0d%0aContent-Length:0%0d%0a
- HTTP/1.1%20200%20Found%0d%0aContent-
- Length:550%0d%0a ...
- • and seduces a victim into clicking on it
- • The web servers first response contains a Cross-site Scripting attack
- • The script issues an Ajax request that sends the second request
- • And the victim’s web cache (and any proxy server) is poisoned
- Now the main question arise in every's mind is that how we can DISCOVER this attack? Yeah i know i know but don't
- worry. I am here to tell you this too.So lets start :
- ************************ HTTP Response Splitting Discovery ****************************
- • Check for any data outside of the Trust Boundary that is used in any HTTP header
- – Try inserting a carriage return/linefeed pair i.e. \r(%0a) or \n(%20) to see it is allowed to pass through
- – If so, we have a vulnerability
- – Be suspicious of redirects in code – they often use information stored in the client
- • Be aware that Post data can also be used in an attack
- – It may be advantageous, because URL's have limited length
- – It requires that the attack be perpetrated via a script so it is more difficult to implement
- Useful Resources :-
- 1. https://www.mnot.net/cache_docs/
- 2. http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html <--- This is useful to understanding HTTP headers
- ###################################################################################################################
- ################################ HTTP REQUEST SMUGGLING (HRS) ###################################
- FROM OWASP :-
- The HTTP Request Smuggling attack explores an incomplete parsing of the submitted data done by an
- intermediary HTTP system working as a proxy. HTTP Request Smuggling consists of sending a specially formatted
- HTTP request that will be parsed in a different way by the proxy system and by the final system,
- so the attacker could smuggle a request to one system without the other being aware of it.
- This attack makes it possible to exploit other attacks, like Cache Poisoning, Session Hijacking, Cross-site Scripting (XSS) and most importantly, the ability to bypass web application firewall protection.
- HRS is can be used to poison web-caches and bypass security solutions such as web application firewalls
- as well as for the delivery of malicious payloads such as worms, viruses, and those used to exploit
- known vulnerabilities in web and application servers.
- OWASP is great to understand this attack as i read :- https://www.owasp.org/index.php/HTTP_Request_Smuggling
- If between Client and Server there is so many HTTP Devices/entities use like Cache Server,Proxy Server,WAF then
- HRS attack is very useful here.
- HRS sends multiple, specially crafted HTTP requests that cause the two attacked devices to see different
- sets of requests, allowing us as attacker to smuggle a request to one device without the other device being aware
- of it.
- It is capable of exploiting small differences in the way HTTP devices deal with illegitimate or borderline requests
- ###################################################################################################################
- ####################### HTTP PARAMETER POLUTION (HPP) #############################
- To understand this attack we have to understand the Behaviour of WEB Technologies.Different web use different technologies.
- Like if you search " header attack " on GOOGLE then you get following result :-
- https://www.google.co.in/?gws_rd=ssl#q=header+attack ---> header attack
- on YAHOO :-
- https://in.search.yahoo.com/search?p=header+attack&fr=yfp-t-704 ---> header attack
- Notice the parameter used by both GOOGLE & YAHOO
- So in this attack our main task is to find out that is parameter vulnerable or not. Mean we have to analyze that
- is application does not sanitize the "PARAMETER" of website URL.
- So this attack is generally use to bypass WAF (Web Application Firewall) by targeting on PARAMETERS.
- As attacker we have to find out the unsanitize parameter of website. Like:-
- Consider this URL:- http://www.testsite.com/category=1&page=2&id=3
- So there is 3 Parameters Developers used.
- - 1. category=1
- - 2. page=3
- - 3. id=3
- So as attacker we have to find out that which parameter out of those 3 is unsanitize so that we perform attack.
- If any of those parameters or all is not sanitize properly then we can perform attack there :D .
- So HPP attacks on HTTP GET/POST parameters by injecting query string
- One of example of HPP :- http://www.testsite.com/Injection=<script&injection=>alert(aakash)></script>
- FROM OWASP :-
- 1.Submit an HTTP request containing the standard parameter name and value, and record the HTTP response. E.g. page?par1=val1
- 2.Replace the parameter value with a tampered value, submit and record the HTTP response. E.g. page?par1=HPP_TEST1
- 3.Send a new request combining step (1) and (2). Again, save the HTTP response. E.g. page?par1=val1&par1=HPP_TEST1
- 4.Compare the responses obtained during all previous steps. If the response from (3) is different from (1) and the response from (3) is also different from (2), there is an impedance mismatch that may be eventually abused to trigger HPP vulnerabilities.
- Also for testing this vulnerability we should check Search Page not login page because ub term of Login page we may get
- Invalid Username or Password
- You see we used & to seperate query, We can also use " ; "
- NOTE: It doesn't mean that we see these parameters in URL only. We can also see these parameters in HTTP Headers.
- LIKE :-
- - Cookie: par=1; par=2
- Very Good Resources :=>
- 1. https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
- 2. http://www.slideshare.net/embyte/http-parameter-pollution-vulnerabilities-in-web-applications-black-hat-eu-2011
- #####################################################################################################################
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement