What did stand out as interesting was the "Host" header, and I started to wonder what would happen if I tried to sneak this header through to back-end servers. There are probably some headers that API gateway uses internally which would be interesting, but I was unable to identify any of these. When retesting, I noticed that I could still smuggle headers through to the back-end server using the same mutation, leading me to wonder if there were any other interesting headers worth trying. Cache PoisoningĪWS promptly fixed the IP restriction bypass after I reported it to them. However, it still acts as a nice example of how header smuggling can be used to bypass rate limiting. Unfortunately, it wasn't possible to cycle different values or valid IP addresses in this header keep gaining five more attempts, meaning the impact of this bug is minimal. However, adding "X-Forwarded-For:z" to the request allowed 5 more requests to be made. Cognito is an authentication provider which you can integrate into your applications to help handle authentication.Īfter five requests to the “ConfirmForgotPassword” or “ForgotPassword” targets in a short period of time, my IP address was temporarily blocked. I discovered a similar, but very minor, bug in AWS Cognito during a penetration test. It turned out that adding the header "X-Forwarded-For abcd: z" to requests allowed IP restrictions from AWS resource policies to be bypassed in API gateway. The following examples are mutated versions of the "Content-Length" header: A mutation is simply an obfuscation of a header. The method developed by this research to identify header smuggling vulnerabilities determines whether a "mutation" can be applied to a header to allow it to be snuck through to a back-end server without being recognised or processed by a front-end server. I will then discuss how the methodology used to find these vulnerabilities can also be adapted to safely detect request smuggling based on multiple "Content-Length" headers (CL.CL request smuggling) in black-box scenarios. I will show how this led to bypassing of IP restrictions in AWS API Gateway, as well as an easily exploitable cache poisoning issue. Using header smuggling, it is possible to bypass this filtering and send information to the back-end server which it treats as trusted. To provide this information accurately, front-end servers must filter out the values of these headers provided by the client, which are untrusted and cannot be relied upon to be accurate. However, this model is sufficient to understand and develop the attacks presented in this article, as well as most of the recent research into attacking chains of servers.īack-end servers often rely on front-end servers providing accurate information in the HTTP request headers, such as the client's IP address in the "X-Forwarded-For" header, or the length of the request body in the "Content-Length" header. There may be multiple front-end and back-end servers, and front-end and back-end servers are often themselves chains of multiple servers. This model is often a simplification of reality.
ABYSS WEB SERVER TIMEOUT CODE
This is where the application's server-side code runs. A "back-end" server which the front-end server forwards requests to.These servers typically handle caching and load balancing, or act as web application firewalls (WAFs). A "front-end" server which directly handles requests from users.
BackgroundĪ chain of HTTP servers used by a web application can often be modelled as consisting of two components:
This paper presents a new technique for identifying header smuggling and demonstrates how header smuggling can lead to cache poisoning, IP restriction bypasses, and request smuggling. Much of this exploration, especially recent request smuggling research, has developed new ways to hide HTTP request headers from some servers in the chain while keeping them visible to others – a technique known as "header smuggling". The attack surface created by this forwarding is increasingly receiving more attention, including the recent popularisation of cache poisoning and request smuggling vulnerabilities. Modern web applications typically rely on chains of multiple servers, which forward HTTP requests to one another.
0 kommentar(er)
