CLi tools helping to forge HTTP smuggling attack and others
(httpcustomhouse)
Analyze smuggled request without interacting with remote server. (use it)
(httpoverride)
Manipulate HTTP raw request to sharpen attack. (use it)
(httpclient)
Send HTTP raw request to perform the attack . (use it)
👁️ • 🔨 • 📬
HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests (more). The aim is to perform request smuggling from command line. It can't totally replace Burp Suite (or other GUI) but it proposes another approach, with more CLi. In order to offer a fully CLi experience while manipulating HTTP packets, these tools can be used with httpecho which could help construct HTTP raw request.
Why That?
- To learn
- Be able to solve challenge from CLi helps us to script resolution, automate exploit etc ...
curl, go http client,ncat,openssl s_clientaren't fully satisfying especially when dealing with "malformed http request"
Real examples:
- Forge
TE.CLrequest smuggling attack - Forge
CL.TErequest smuggling attack - Exploit
CL.TE[2] [3] - Exploit
TE.CL
> allow you to reproduce HTTP request processing without interacting with online server
Show corresponding request treated by a server based on Content-Length Header treatment:
cat samples/te.cl | httpcustomhouse -clIf the Content-Length is larger than the body size, the number of remaining bytes will be echoed
Show corresponding request treated by a server based on chunk encoding treatment:
cat samples/cl.te | httpcustomhouse -teShow the residue of the request that has not been treated (in stderr):
cat samples/cl.te | httpcustomhouse -te -r
# -r (or --residue) works also for -clDemo: (🖼️) Visualize TE.CL
> help to modify http request
Override/Modify Header of an HTTP request:
cat [raw_request] | httpoverride -H "Content-Length:55" -A "Host: spoofed.com"
# -A add header, -H override header
Remove Header of an HTTP request:
cat [raw_request] | httpoverride -H "Accept:" # or -H "Accept"> transmit HTTP request to server (HTTP client)
Send a HTTP raw request:
cat [raw_request] | httpclient [protocol]:[url]:[port] # port is falcultative https -> 443, http -> 80Send request and see response in browser:
cat [raw_request] | httpclient -B [protocol]:[url]:[port] # -Bc use cookie for future requests in browser
# Open browser and visit the link displayed# From Release:
curl -lO -L https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpcustomhouse && chmod +x httpcustomhouse
curl -lO -L https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpoverride && chmod +x httpoverride
curl -lO -L https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpclient && chmod +x httpclient
# With go:
go install github.com/ariary/HTTPCustomHouse/cmd/httpcustomhouse@latest
go install github.com/ariary/HTTPCustomHouse/cmd/httpclient@latest
go install github.com/ariary/HTTPCustomHouse/cmd/httpoverride@latestHTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests. It was discover in 2005, and repopularized by PortSwigger's research.
It happends when users send requests to a front-end server (load balancer or reverse proxy) and this server forwards requests to one or more back-end servers.
When the front-end server forwards HTTP requests to a back-end server, it typically sends several requests over the same back-end network connection (efficient and performant). The protocol is very simple: HTTP requests are sent one after another, and the receiving server parses the HTTP request headers to determine where one request ends and the next one begins. HTTP request smugging consist of luring backend server in its HTTP request parsing to make requests getting interpreted differently by the front-end and back-end systems (failed to adequatly determine begins & ends of requets)
We have 3 possibilities:
- CL.TE: Front end uses
Content-Lengthheader and the back end usesTransfer-Encoding - TE.CL: Front end:
Transfer-Encoding, back end:Content-Length. (FakeContent-Length) - TE.TE: Both server use
Transfer-Encodingbut one of those can be induced to not process it by obfuscating the header in some way
As httpcustomhouse uses raw HTTP request as input you need to be able to construct it. There are several ways:
- Intercept request with
burp,mitmproxyand save it to a file - Use curl and an HTTP
echo-serverto see sent request and save it to a file (SUGGESTED) - Take inspiration from the templates present in
samplesdirectory
\r character and other special characaters in your request file. Edit request with an editor could withdraw them. use cat -A to see them. For example, in chunk encoding the final 0 must be followed by \r\n\r\n.
First, set up an echo server:
httpecho -d raw
# will save request in "raw" fileAnd then Make your curl request specifying your echo server as a proxy (the request won't reach the end server):
curl --proxy http://localhost:[port] ...REQUEST...Constantly server + see \r character
The one-liner:
socat -v -v TCP-LISTEN:8888,crlf,reuseaddr,fork SYSTEM:"echo HTTP/1.0 200; echo Content-Type\: text/plain; echo; cat"Serve 1 request + save it in a file
The one-liner:
nc -lp 8888 -c "tee myfile"
## or nc -nlvp 8888 > myfile 2>/dev/null &As we deal with HTTP raw request we must be able to send them. httpclient is the equivalent of curl for raw request.
Why?
curl& go http client rewrite http request (this is not satisfying for web pentest in general)ncatandopenssl s_clientaren't fully satisfying also
cat [raw_request] | httpclient https://[URL]:[PORT]When you request is good, send it:
cat [raw_request] | openssl s_client -ign_eof -connect [target_url]:443
#or use ncat from nmap package
cat [raw_request]| ncat --ssl [target_url] 443
# or if target does not use tls/ssl
cat [raw_request] | nc -q 5 [target_url] 80 # or -w 5