Tutorial: Multiple Host Ambiguities in HTTP Implementations: exploits in Freenet and VPNs

crushkitaalammoba

Disclaimer: The content of this post does not reflect the views or decisions of me, phcorner's staff, or the moderators. Responsibility for the outcome of their actions lies with the user who reads this. The content is meant for educational purposes only.

PDF FILE:
Host of Troubles: Multiple Host Ambiguities in HTTP Implementations

#I figured maybe nobody knows about this or has read it yet.

book preview:

ABSTRACT
The Host header is a security-critical component in an HTTP request, as it is used as the basis for enforcing security and caching policies. While the current specification is generally clear on how host-related protocol fields should be parsed and interpreted, we find that the implementations are problematic. We tested a variety of widely deployed HTTP implementations and discover a wide range of non-compliant and inconsistent host processing behaviours. The particular problem is that when facing a carefully crafted HTTP
request with ambiguous host fields (e.g., with multiple Host headers), two different HTTP implementations often accept and understand it differently when operating on the same request in sequence.
...
3. MULTIPLE HOST AMBIGUITIES
Generally, processing an HTTP request can be divided into two phases: in the first phase, the textual message is firstly parsed to recognize valid protocol fields, and the recognized protocol fields are interpreted into a semantic structure; in the second phase, the semantic structure is then used for further actions. A request with invalid protocol fields should be rejected in the first phase with Client Error 4XX responses.
...
We assess the problem of multiple host ambiguities in deployed HTTP systems by conducting black-box testing on a total of 33 widely used HTTP implementations, including 6 servers, 2 transparent caches, 3 forward proxies, 7 reverse proxies, 8 CDNs, and 7 firewalls. Table 1 presents the names and versions of the tested implementations. Some programs support multiple configurations. For these programs, we test their typical working modes and count them as different implementations in corresponding categories. For example, Squid can be configured as three modes: transparent cache, forward proxy, and reverse proxy. We test it in all three modes respectively, and would therefore count this as 3 tested implementations.
...
To look deeper at the number of vulnerable IP addresses across different countries, we listed the top 10 countries in which vulnerable IP addresses in two experiments are distributed, as shown in Figure 5. In this process, we can see that India has the largest number of vulnerable IP addresses, closely followed by the Philippines and Brazil. Apart from that, the amount of IP addresses vulnerable to co-hosting cache poisoning is larger than that of general cache poisoning in most countries, except Philippines. Combined with Table 7, we observed that most vulnerable IP addresses in some countries (such as India, Philippines, China and New Zealand) are concentrated in several ASes.
...
4.1 HTTP Cache Poisoning
The first form of cache poisoning exploits the inconsistency between internal modules of Squid (Transparent Cache) to attack any unencrypted website. Therefore we call it general cache poisoning. The scenario requires an attacker who can send HTTP requests that pass through a shared transparent cache (Squid); “attack.com” controlled by the attacker and “victim.com” as the victim site, illustrated in Figure 2.
The attacker first establishes a TCP connection to the HTTP server at “attack.com”. Since the Squid proxy operates in a transparent fashion, it intercepts and mediates this connection. The attacker then issues an HTTP request with “victim.com” in absolute-URI and “attack.com” as Host header over this connection. Squid identifies the request as going to “victim.com”. When it inspects the destination IP address for consistency, however, it mistakenly checks it against the value of the Host header, “attack.com”, rather

Outdated info, but it still works.
Download the PDF; it's attached.
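A defender-side check for the two ambiguities the excerpt describes (more than one Host header, and an absolute-URI request-target whose host disagrees with the Host header), written here as an added Python example and not code from the paper: it performs the phase-one parse and refuses with a 400-class reason instead of guessing which host was meant. The sample requests are constructed, and refusing a mismatched absolute-URI authority is this example's own stricter choice; RFC 7230 itself lets the authority override the Host header.

```python
import re

# Constructed sample requests (not taken from the paper); CRLF as on the wire.
DOUBLE_HOST = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: victim.com\r\n"
               b"Host: attack.com\r\n\r\n")
MISMATCHED_AUTHORITY = (b"GET http://victim.com/index.html HTTP/1.1\r\n"
                        b"Host: attack.com\r\n\r\n")
CLEAN = b"GET http://victim.com/index.html HTTP/1.1\r\nHost: victim.com\r\n\r\n"

# authority part of an absolute-form request-target (scheme://authority/...)
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]+)")


def resolve_host(raw: bytes) -> tuple:
    """Phase-one parse of a request head. Returns (host, reason); host is None
    when the host information is ambiguous and the request should get a 400
    instead of reaching the routing, caching or access-control logic."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        _method, target, _version = lines[0].decode("ascii").split(" ")
    except ValueError:
        return None, "malformed request line"
    hosts = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or name != name.strip():
            # no colon, or whitespace around the field name: do not guess
            return None, "malformed header line"
        if name.lower() == b"host":
            hosts.append(value.strip().decode("ascii", "replace").lower())
    # RFC 7230 section 5.4: exactly one Host header, and it must not be empty
    if len(hosts) != 1:
        return None, f"{len(hosts)} Host headers"
    if not hosts[0]:
        return None, "empty Host header"
    m = _AUTHORITY.match(target)
    if m:
        # absolute-form target: the RFC lets the authority win; this example
        # makes the stricter choice of refusing when it disagrees with Host
        authority = m.group(1).lower()
        if authority != hosts[0]:
            return None, f"absolute-URI host {authority!r} != Host {hosts[0]!r}"
    return hosts[0], "ok"

if __name__ == "__main__":
    for req in (DOUBLE_HOST, MISMATCHED_AUTHORITY, CLEAN):
        print(resolve_host(req))
```

Both constructed ambiguous requests are rejected before any host is chosen, while the consistent request resolves to a single, lower-cased host.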
Hope it helps you. I wish there were a no-load trick for every network, hehehehehee.

Usually what's in there has already been implemented in Globe's no-load config and in other configs, which is why the right recipe is based on that. The proxy needs to be transparent, or at least strong, then the host has to be set in the right payload, then there's a CONNECT happening and a GET, and a reverse proxy has to be set up with keep-alive on, plus other methods, so you can poison and bypass through custom HTTP headers.