
HTTPCustomHouse


CLI tools that help forge HTTP request smuggling attacks (and more)

  • httpcustomhouse: analyze a smuggled request without interacting with the remote server (use it)
  • httpoverride: manipulate a raw HTTP request to sharpen the attack (use it)
  • httpclient: send a raw HTTP request to perform the attack (use it)

👁️ • 🔨 • 📬

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests (more). The aim here is to perform request smuggling from the command line. It can't totally replace Burp Suite (or another GUI), but it proposes a different, more CLI-oriented approach. To offer a fully CLI experience while manipulating HTTP packets, these tools can be used together with httpecho, which helps construct raw HTTP requests.

Why that?

  • To learn
  • Being able to solve a challenge from the CLI lets us script the resolution, automate the exploit, etc.
  • curl, the Go HTTP client, ncat and openssl s_client aren't fully satisfying, especially when dealing with "malformed" HTTP requests

Real examples:

Usage

👁️ httpcustomhouse

> allows you to reproduce HTTP request processing without interacting with the online server

Show the request as it would be treated by a server that relies on the Content-Length header:

cat samples/te.cl | httpcustomhouse -cl

If the Content-Length is larger than the body size, the number of remaining bytes is echoed.

Show the request as it would be treated by a server that relies on chunked Transfer-Encoding:

cat samples/cl.te | httpcustomhouse -te

Show the residue of the request that has not been treated (on stderr):

cat samples/cl.te | httpcustomhouse -te -r
# -r (or --residue) also works with -cl

Demo: (🖼️) Visualize TE.CL

🔨 httpoverride

> helps to modify an HTTP request

Override/modify a header of an HTTP request:

cat [raw_request] | httpoverride -H "Content-Length:55" -A "Host: spoofed.com"
# -A adds a header, -H overrides a header

Remove a header from an HTTP request:

cat [raw_request] | httpoverride -H "Accept:" # or -H "Accept"
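The same three edits (override, add, remove) as an added Go example, not httpoverride's own code: it keeps the request line, the CRLF line endings and the body bytes untouched, which matters because editors tend to strip \r from a saved request. The Rewrite function, the "Name: value" spec strings and the sample request are assumptions made for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
)

// parseSpec splits "Name: value", "Name:value" or "Name" into a trimmed name
// and value; a missing or empty value means "remove this header".
func parseSpec(spec string) (name, value string) {
	name, value, _ = strings.Cut(spec, ":")
	return strings.TrimSpace(name), strings.TrimSpace(value)
}

// Rewrite applies httpoverride-style edits to a raw HTTP/1.1 request.
// overrides behave like -H: "Name: v" replaces the first existing header of
// that name in place (dropping duplicates) or appends it when absent, while
// "Name:" or "Name" removes every header of that name. adds behave like -A and
// always append. Header names are matched case-insensitively. The request
// line, the CRLF line endings and the body bytes are copied through unchanged.
func Rewrite(raw []byte, overrides, adds []string) ([]byte, error) {
	end := bytes.Index(raw, []byte("\r\n\r\n"))
	if end < 0 {
		return nil, errors.New("request headers are not terminated by CRLF CRLF")
	}
	lines := strings.Split(string(raw[:end]), "\r\n")
	reqLine, headers := lines[0], lines[1:]

	for _, spec := range overrides {
		name, value := parseSpec(spec)
		if name == "" {
			return nil, fmt.Errorf("empty header name in %q", spec)
		}
		var kept []string
		replaced := false
		for _, h := range headers {
			hname, _ := parseSpec(h)
			if !strings.EqualFold(hname, name) {
				kept = append(kept, h)
			} else if value != "" && !replaced {
				kept = append(kept, name+": "+value) // replace in place
				replaced = true
			} // duplicates and removals fall through and are dropped
		}
		if value != "" && !replaced {
			kept = append(kept, name+": "+value) // header was absent: append it
		}
		headers = kept
	}
	for _, spec := range adds {
		name, value := parseSpec(spec)
		if name == "" || value == "" {
			return nil, fmt.Errorf("add needs \"Name: value\", got %q", spec)
		}
		headers = append(headers, name+": "+value)
	}

	var out bytes.Buffer
	out.WriteString(reqLine + "\r\n")
	for _, h := range headers {
		out.WriteString(h + "\r\n")
	}
	out.WriteString("\r\n")
	out.Write(raw[end+4:]) // body bytes, untouched
	return out.Bytes(), nil
}

// SampleRequest is a constructed request used only to exercise Rewrite.
var SampleRequest = []byte("POST /login HTTP/1.1\r\n" +
	"Host: example.test\r\n" +
	"Accept: */*\r\n" +
	"Content-Length: 9\r\n" +
	"\r\n" +
	"user=demo")

func main() {
	// Same kind of edits as the README commands: override Content-Length,
	// remove Accept, add one header.
	out, err := Rewrite(SampleRequest, []string{"Content-Length:55", "Accept:"}, []string{"X-Request-Id: abc123"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%q\n", out)
}
```

Note that, like the CLI, Rewrite does not recompute Content-Length when the body changes; that is deliberate, since an intentionally wrong length is the whole point of the -cl/-te analysis.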

📬 httpclient

> transmits an HTTP request to a server (HTTP client)

Send a raw HTTP request:

cat [raw_request] | httpclient [protocol]:[url]:[port]  # the port is optional: https -> 443, http -> 80

Send the request and view the response in a browser:

cat [raw_request] | httpclient -B [protocol]:[url]:[port]  # -Bc: reuse the cookies for future requests from the browser
# Open a browser and visit the link displayed

Install

# From Release:
curl -LO https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpcustomhouse && chmod +x httpcustomhouse
curl -LO https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpoverride && chmod +x httpoverride
curl -LO https://github.com/ariary/HTTPCustomHouse/releases/latest/download/httpclient && chmod +x httpclient
# With go:
go install github.com/ariary/HTTPCustomHouse/cmd/httpcustomhouse@latest
go install github.com/ariary/HTTPCustomHouse/cmd/httpclient@latest
go install github.com/ariary/HTTPCustomHouse/cmd/httpoverride@latest

"HTTP Request Smuggling": what is it?

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests. It was discovered in 2005 and re-popularized by PortSwigger's research.

It happens when users send requests to a front-end server (load balancer or reverse proxy) and this server forwards the requests to one or more back-end servers.

When the front-end server forwards HTTP requests to a back-end server, it typically sends several requests over the same back-end network connection (efficient and performant). The protocol is very simple: HTTP requests are sent one after another, and the receiving server parses the HTTP request headers to determine where one request ends and the next one begins. HTTP request smuggling consists of tricking the back-end server's HTTP request parsing so that the requests get interpreted differently by the front-end and back-end systems (one of them fails to adequately determine where requests begin and end).

There are 3 possibilities:

  • CL.TE: the front end uses the Content-Length header and the back end uses Transfer-Encoding
  • TE.CL: the front end uses Transfer-Encoding and the back end uses Content-Length (fake Content-Length)
  • TE.TE: both servers use Transfer-Encoding, but one of them can be induced not to process it by obfuscating the header in some way
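To make the CL.TE / TE.CL split concrete, here is an added Go example (not the project's code) that does offline what httpcustomhouse -cl, -te and -r do: it reads one raw request and reports what a Content-Length parser and a chunked parser would each accept as the body and leave on the connection as residue, plus how many bytes a Content-Length parser would still be waiting for when the declared length is larger than the body. Ambiguous flags the condition a front-end or a test harness should check for: both framing headers present, which RFC 7230 §3.3.3 says must be resolved in favour of Transfer-Encoding and which a proxy ought to normalise or reject rather than forward. The function names and the sample request are constructed for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Parsed is one parser's view of a raw request stream: the body it accepted,
// the bytes it left on the connection (which it would read as the start of the
// next request), and, for a Content-Length parser, how many bytes it is still
// waiting for when the declared length exceeds what was sent.
type Parsed struct {
	Body    []byte
	Residue []byte
	Missing int
}

// splitHead splits raw into the header block (through the blank line) and the rest.
func splitHead(raw []byte) (head, rest []byte, err error) {
	i := bytes.Index(raw, []byte("\r\n\r\n"))
	if i < 0 {
		return nil, nil, errors.New("headers are not terminated by CRLF CRLF")
	}
	return raw[:i+4], raw[i+4:], nil
}

// headerValue returns the trimmed value of the first header called name
// (case-insensitive) and whether it was present.
func headerValue(head []byte, name string) (string, bool) {
	lines := strings.Split(strings.TrimSuffix(string(head), "\r\n\r\n"), "\r\n")
	for _, line := range lines[1:] { // lines[0] is the request line
		k, v, ok := strings.Cut(line, ":")
		if ok && strings.EqualFold(strings.TrimSpace(k), name) {
			return strings.TrimSpace(v), true
		}
	}
	return "", false
}

// ParseByContentLength is the view of a parser that trusts Content-Length
// (what httpcustomhouse -cl shows). A missing header means an empty body.
func ParseByContentLength(raw []byte) (Parsed, error) {
	head, rest, err := splitHead(raw)
	if err != nil {
		return Parsed{}, err
	}
	n := 0
	if v, ok := headerValue(head, "Content-Length"); ok {
		n, err = strconv.Atoi(v)
		if err != nil || n < 0 {
			return Parsed{}, fmt.Errorf("invalid Content-Length %q", v)
		}
	}
	if n > len(rest) {
		return Parsed{Body: rest, Missing: n - len(rest)}, nil
	}
	return Parsed{Body: rest[:n], Residue: rest[n:]}, nil
}

// ParseByChunked is the view of a parser that honours Transfer-Encoding: chunked
// (what httpcustomhouse -te shows): hex-sized chunks until a zero-size chunk,
// then optional trailer lines and a final blank line.
func ParseByChunked(raw []byte) (Parsed, error) {
	head, rest, err := splitHead(raw)
	if err != nil {
		return Parsed{}, err
	}
	if v, ok := headerValue(head, "Transfer-Encoding"); !ok || !strings.EqualFold(v, "chunked") {
		return Parsed{}, errors.New("no Transfer-Encoding: chunked header")
	}
	var body []byte
	for {
		i := bytes.Index(rest, []byte("\r\n"))
		if i < 0 {
			return Parsed{}, errors.New("truncated chunk-size line")
		}
		sizeTok := strings.TrimSpace(string(rest[:i]))
		if j := strings.IndexByte(sizeTok, ';'); j >= 0 {
			sizeTok = sizeTok[:j] // drop chunk extensions
		}
		size, perr := strconv.ParseInt(sizeTok, 16, 32)
		if perr != nil || size < 0 {
			return Parsed{}, fmt.Errorf("invalid chunk size %q", sizeTok)
		}
		rest = rest[i+2:]
		if size == 0 {
			// Last chunk: skip any trailer lines up to and including the blank line.
			for {
				k := bytes.Index(rest, []byte("\r\n"))
				if k < 0 {
					return Parsed{}, errors.New("missing CRLF after last chunk")
				}
				rest = rest[k+2:]
				if k == 0 {
					return Parsed{Body: body, Residue: rest}, nil
				}
			}
		}
		if int64(len(rest)) < size+2 || !bytes.Equal(rest[size:size+2], []byte("\r\n")) {
			return Parsed{}, errors.New("chunk data is truncated or not CRLF-terminated")
		}
		body = append(body, rest[:size]...)
		rest = rest[size+2:]
	}
}

// Ambiguous reports whether the request carries both framing headers, the
// condition a front-end should normalise or reject before forwarding.
func Ambiguous(raw []byte) bool {
	head, _, err := splitHead(raw)
	if err != nil {
		return false
	}
	_, cl := headerValue(head, "Content-Length")
	_, te := headerValue(head, "Transfer-Encoding")
	return cl && te
}

// AmbiguousRequest is a constructed request (not one of the project's samples)
// whose Content-Length covers the whole chunked body plus eight trailing bytes.
var AmbiguousRequest = []byte("POST / HTTP/1.1\r\n" +
	"Host: example.test\r\n" +
	"Content-Length: 23\r\n" +
	"Transfer-Encoding: chunked\r\n" +
	"\r\n" +
	"5\r\nhello\r\n0\r\n\r\nleftover")

func main() {
	cl, _ := ParseByContentLength(AmbiguousRequest)
	te, _ := ParseByChunked(AmbiguousRequest)
	fmt.Printf("ambiguous framing: %v\n", Ambiguous(AmbiguousRequest))
	fmt.Printf("CL parser: body=%q residue=%q missing=%d\n", cl.Body, cl.Residue, cl.Missing)
	fmt.Printf("TE parser: body=%q residue=%q\n", te.Body, te.Residue)
}
```

For the sample, the Content-Length view consumes all 23 bytes and leaves nothing, while the chunked view stops after "hello" and leaves "leftover" on the connection: that disagreement is exactly the CL.TE residue the -r flag prints, and the reason a front-end must not forward a message that carries both headers unchanged.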

Building the HTTP request

As httpcustomhouse takes a raw HTTP request as input, you need to be able to construct one. There are several ways:

  • Intercept the request with Burp or mitmproxy and save it to a file
  • Use curl and an HTTP echo server to see the sent request and save it to a file (SUGGESTED)
  • Take inspiration from the templates present in the samples directory

⚠️: It is important to embed the \r character and other special characters in your request file. Editing the request with an editor could strip them; use cat -A to see them. For example, in chunked encoding the final 0 must be followed by \r\n\r\n.

Use an echo server

First, set up an echo server:

httpecho -d raw
# will save the request in the "raw" file

Then make your curl request, specifying your echo server as a proxy (the request won't reach the end server):

curl --proxy http://localhost:[port] ...REQUEST...

Alternatives

Socat

Permanent server + see \r characters

The one-liner:

socat -v -v TCP-LISTEN:8888,crlf,reuseaddr,fork SYSTEM:"echo HTTP/1.0 200; echo Content-Type\: text/plain; echo; cat"

netcat

Serve 1 request + save it to a file

The one-liner:

nc -lp 8888 -c "tee myfile"
## or nc -nlvp 8888 > myfile  2>/dev/null &

Send raw HTTP request

As we deal with raw HTTP requests, we must be able to send them. httpclient is the equivalent of curl for raw requests.

Why?

  • curl and the Go HTTP client rewrite the HTTP request (not satisfying for web pentesting in general)
  • ncat and openssl s_client aren't fully satisfying either

cat [raw_request] | httpclient https://[URL]:[PORT]

Alternatives

When your request is good, send it:

cat [raw_request] | openssl s_client -ign_eof -connect [target_url]:443
#or use ncat from nmap package
cat [raw_request]| ncat --ssl [target_url] 443
# or if target does not use tls/ssl
cat [raw_request] | nc -q 5 [target_url] 80 # or -w 5

Contributors

ariary

Issues

Feature: request in browser with cookie & headers

Propose a mechanism that enables the -B option with cookies, because in certain cases scripts and images are only available with a specific cookie or other headers.

Also, if we click on a link, it will not proceed with the request with the original cookie.

To make it work, use a proxy that will forward all requests to the end server (with the original headers and the same path) and then forward back the response.

cf. proxyHandler in cmd/httpclient/main.go

Feature: request in browser

Have a tool to perform the request in the browser

cat raw | http2browser
>>> url to paste in browser

Launch a local server. The server performs the request when reached and echoes the output.

Take into account that all hrefs or redirections need to be prefixed by the real URL

(maybe, if the path differs from /[random_number], perform the request to the URL with the same path)

  • Proxy to URL with headers
  • 1 first request with header meta modifying url

Feature: follow code 302

With an option -L, enable the user to follow redirects

  • Find the Location header (the address itself can be either absolute or relative)
  • Search for the Set-Cookie header to perform the redirect request with

By default, perform the request with the same cookie

Extra Notes

https://everything.curl.dev/http/redirects

example of response:

HTTP/1.1 302 Found
Location: /admin
Set-Cookie: session=frferfreferqferferfgerfe; Secure; HttpOnly; SameSite=None
Connection: close
Content-Length: 0

How to make Curl follow redirects?
To follow redirect with Curl, use the -L or --location command-line option. This flag tells Curl to resend the request to the new address. When you send a POST request, and the server responds with one of the codes 301, 302, or 303, Curl will make the subsequent request using the GET method. For other 300x status codes, Curl will resend the subsequent request using the same unmodified HTTP method. This behavior can be changed using one of the --post301, --post302, or --post303 flags. When authentication is used, Curl only sends its credentials to the first host. If Curl goes to a different host when redirecting, it will not provide user credentials to the new host (you can change this behavior with the --location-trusted flag). To limit the number of following redirects, you can use the --max-redirs command-line option.
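As an added Go example, not code from the project, here is the decision logic the -L option described in that issue would need: resolve an absolute or relative Location against the request URL, switch POST to GET on 301/302/303 as the quoted curl notes describe, collect the Set-Cookie headers, and flag whether the target is still the same host, since cookies and credentials must not be re-sent to a different one. PlanRedirect and RedirectPlan are names chosen for this example; the raw response is the one shown in the issue.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// RedirectPlan is what a -L option needs to know before sending the next request.
type RedirectPlan struct {
	Target     *url.URL       // Location resolved against the original request URL
	Method     string         // method for the follow-up request
	SameHost   bool           // false means cookies/credentials must not be re-sent
	SetCookies []*http.Cookie // cookies the redirect response asks the client to store
}

// PlanRedirect parses a raw HTTP/1.1 response and decides how to follow it.
// Location may be absolute or relative, so it is resolved against the request
// URL. POST becomes GET on 301/302/303 (curl's behaviour); other 3xx codes
// keep the original method.
func PlanRedirect(reqURL, method string, rawResp []byte) (*RedirectPlan, error) {
	base, err := url.Parse(reqURL)
	if err != nil {
		return nil, err
	}
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(rawResp)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 300 || resp.StatusCode > 399 {
		return nil, fmt.Errorf("status %d is not a redirect", resp.StatusCode)
	}
	loc := resp.Header.Get("Location")
	if loc == "" {
		return nil, errors.New("redirect response without a Location header")
	}
	ref, err := url.Parse(loc)
	if err != nil {
		return nil, err
	}
	target := base.ResolveReference(ref)
	next := method
	if method == "POST" && (resp.StatusCode == 301 || resp.StatusCode == 302 || resp.StatusCode == 303) {
		next = "GET"
	}
	return &RedirectPlan{
		Target:     target,
		Method:     next,
		SameHost:   strings.EqualFold(target.Host, base.Host),
		SetCookies: resp.Cookies(),
	}, nil
}

// SampleResponse is the response shown in the issue, as raw bytes with CRLF endings.
var SampleResponse = []byte("HTTP/1.1 302 Found\r\n" +
	"Location: /admin\r\n" +
	"Set-Cookie: session=frferfreferqferferfgerfe; Secure; HttpOnly; SameSite=None\r\n" +
	"Connection: close\r\n" +
	"Content-Length: 0\r\n" +
	"\r\n")

func main() {
	plan, err := PlanRedirect("https://example.test/login", "POST", SampleResponse)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("next: %s %s (same host: %v)\n", plan.Method, plan.Target, plan.SameHost)
	for _, c := range plan.SetCookies {
		fmt.Printf("store cookie %s (Secure=%v HttpOnly=%v)\n", c.Name, c.Secure, c.HttpOnly)
	}
}
```

A client built on this would attach the stored cookies to the next request only when SameHost is true, which mirrors curl's default of not forwarding credentials across hosts.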
