I came across an HTTP HELP method (https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface, chapter "Invalid Host") and asked myself: are there any more systems that offer something like that?

I was wondering how the pentester came up with this method.

Google couldn't help me here.

In the specific case, it was about an Apache Traffic Server, whose help could be queried as follows:

    HELP / HTTP/1.1
    Host: XX.X.XXX.XX:8082

    HTTP/1.1 200 Connection Established
    Date: Tue, 07 Feb 2017 16:33:59 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive

    OK

    Traffic Server Overseer Port

    commands:
      get <variable-list>
      set <variable-name> = "<value>"
      help
      exit

    example:
      OK

      get proxy.node.cache.contents.bytes_free
      proxy.node.cache.contents.bytes_free = "56616048"
      OK

    Variable lists are conf/yts/stats records, separated by commas

And then applied specifically as follows:

    GET / HTTP/1.1
    Host: XX.X.XXX.XX:8082
    Content-Length: 34

    GET proxy.config.alarm_email

    HTTP/1.1 200 Connection Established
    Date: Tue, 07 Feb 2017 16:57:02 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive

    ...
    proxy.config.alarm_email = "[email protected]"

1 Answer

I figured out the answer:

This is a protocol specially customized for an Apache Traffic Server by Yahoo. Apache Traffic Server allows you to create your own protocols using the "New Protocol Plugins" mechanism: https://docs.trafficserver.apache.org/en/latest/developer-guide/plugins/new-protocol-plugins.en.html.

The protocol created here appears to be line-based.

The scenario was as follows:

An initial load balancer evaluated the Host header of the incoming HTTP request and forwarded the request to the location named there. This means that the attacker could determine which internal location the request was routed to, in this case an Apache Traffic Server listening at XX.X.XXX.XX:8082. The underlying attack was a Host header injection (https://portswigger.net/web-security/host-header).

The line-based, self-made protocol then evaluated the individual lines of the HTTP request. This is how the information shown was obtained (as explained here: https://www.youtube.com/watch?v=zP4b3pw94s0&feature=youtu.be&t=12m40s).

This means that the attacker was able to reach the internal Apache Traffic Server via an HTTP request, and each individual line of the request was interpreted as a separate command.

Yahoo had implemented a HELP command here.
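To make the mechanism in the answer concrete, here is an added example (not code from the question, the answer, or Apache Traffic Server itself) that models a line-based get/set/help/exit service like the "Overseer" transcript quoted in the question, and shows what happens when a whole HTTP request is fed to it line by line. The record store, the response strings, the command semantics (case-insensitive verbs, comma-separated record lists) and the request body are all constructed assumptions for this illustration, not captured traffic:

```python
import re

# Constructed record store standing in for the server's conf/stats records.
# The record names come from the question's transcript; the values are
# invented for this example (assumption, not real data).
RECORDS = {
    "proxy.node.cache.contents.bytes_free": "56616048",
    "proxy.config.alarm_email": "nobody@example.invalid",
}

HELP_TEXT = (
    "Traffic Server Overseer Port\n"
    "commands:\n"
    "  get <variable-list>\n"
    '  set <variable-name> = "<value>"\n'
    "  help\n"
    "  exit\n"
    "Ok"
)


def handle_line(line, records=RECORDS):
    """Interpret ONE input line as a command, the way a line-based service does.

    Assumed semantics (modelled on the question's transcript, not ATS source):
    verbs are case-insensitive, 'get' takes a comma-separated record list,
    'set' takes name = "value". Anything else produces an error line.
    """
    parts = line.strip().split(None, 1)
    if not parts:
        return ""
    cmd, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
    if cmd == "help":
        return HELP_TEXT
    if cmd == "exit":
        return "Bye"
    if cmd == "get" and arg:
        out = []
        for name in (n.strip() for n in arg.split(",")):
            if name in records:
                out.append('%s = "%s"' % (name, records[name]))
            else:
                out.append("%s: no such record" % name)
        return "\n".join(out) + "\nOk"
    m = re.match(r'^\s*([\w.]+)\s*=\s*"(.*)"\s*$', arg) if cmd == "set" else None
    if m:
        records[m.group(1)] = m.group(2)
        return "Ok"
    return "Unknown command: %r" % line.strip()


def build_request(target, command):
    """Build the HTTP request the attacker hands to the front-end load balancer.

    The Host header steers the balancer to the internal service (the Host
    header injection); the command rides in the body, so it arrives as its
    own line after the blank line that terminates the headers.
    """
    body = command + "\n"
    return (
        "GET / HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Content-Length: %d\r\n"
        "\r\n"
        "%s" % (target, len(body), body)
    )


def service_transcript(raw_request, records=None):
    """Feed the whole request, line by line, to the command handler.

    Returns a list of (input_line, response) pairs. A line-based service has
    no notion of request line, headers or body: every non-empty line is a
    command, which is why the real transcript shows noise ("...") before
    the leaked value.
    """
    records = RECORDS.copy() if records is None else records
    out = []
    for line in raw_request.split("\n"):
        line = line.rstrip("\r")
        if line == "":
            continue  # the blank header/body separator runs nothing
        out.append((line, handle_line(line, records)))
    return out


def leaked_value(raw_request, name):
    """Return the value the service disclosed for record `name`, or None."""
    for _, resp in service_transcript(raw_request):
        m = re.search(r'^%s = "(.*)"$' % re.escape(name), resp, re.M)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    req = build_request("XX.X.XXX.XX:8082", "GET proxy.config.alarm_email")
    for line, resp in service_transcript(req):
        print("> " + line)
        print(resp)
```

Running it shows the request line `GET / HTTP/1.1` being parsed as a `get` of a non-existent record named `/ HTTP/1.1`, the `Host:` and `Content-Length:` lines rejected as unknown commands, and the body line answered with the record value. The point for defenders is that the front end, not the internal service, is the control that fails: a load balancer that routes on an attacker-supplied Host header turns every plaintext line-oriented admin port behind it into an HTTP-reachable target.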
