Classic desync/request smuggling attacks rely on intentionally malformed requests that ordinary browsers simply won't send. This limits these attacks to websites that use a front-end/back-end architecture. However, as we've learned from looking at CL.0 attacks, it's possible to cause a desync using fully browser-compatible HTTP/1.1 requests. Not only does this open up new possibilities for server-side request smuggling, it enables a whole new class of threat: client-side desync attacks.

A client-side desync (CSD) is an attack that makes the victim's web browser desynchronize its own connection to the vulnerable website. This can be contrasted with regular request smuggling attacks, which desynchronize the connection between a front-end and back-end server.

Web servers can sometimes be encouraged to respond to POST requests without reading in the body. If they subsequently allow the browser to reuse the same connection for additional requests, this results in a client-side desync vulnerability.

In high-level terms, a CSD attack involves the following stages:

1. The victim visits a web page on an arbitrary domain containing malicious JavaScript.
2. The JavaScript causes the victim's browser to issue a request to the vulnerable website. This contains an attacker-controlled request prefix in its body, much like a normal request smuggling attack.
3. The malicious prefix is left on the server's TCP/TLS socket after it responds to the initial request, desyncing the connection with the browser.
4. The JavaScript then triggers a follow-up request down the poisoned connection. This is appended to the malicious prefix, eliciting a harmful response from the server.

As these attacks don't rely on parsing discrepancies between two servers, even single-server websites may be vulnerable.

For these attacks to work, it's important to note that the target web server must not support HTTP/2. Client-side desyncs rely on HTTP/1.1 connection reuse, and browsers generally favor HTTP/2 where available. One exception to this rule is if you suspect that your intended victim will access the site via a forward proxy that only supports HTTP/1.1.

Testing for client-side desync vulnerabilities

Due to the added complexity of relying on a browser to deliver your attack, it's important to be methodical when testing for client-side desync vulnerabilities. Although it may be tempting to jump ahead at times, we recommend the following workflow. This ensures that you confirm your assumptions about each element of the attack in stages:

1. Probe for potential desync vectors in Burp.
2. Build a proof of concept to replicate the behavior in a browser.

Both Burp Scanner and the HTTP Request Smuggler extension can help you automate much of this process, but it's useful to know how to do this manually to cement your understanding of how it works.

Probe for potential desync vectors in Burp

The first step in testing for client-side desync vulnerabilities is to identify or craft a request that causes the server to ignore the Content-Length header. The simplest way to probe for this behavior is by sending a request in which the specified Content-Length is longer than the actual body. A server that honours Content-Length will wait for the missing bytes and the request will hang until it times out; a server that responds straight away has ignored the header, and the bytes you declared but never sent would otherwise have been left on the connection.
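The connection-level mechanism behind attack stages 1 to 4, and the Content-Length probe that opens the testing workflow, modelled end to end in Python. This is an added example written for this page, not code from the original article, from Burp or from any real target: the keep-alive server, its paths / and /hopefully404, the Host: target header and the Foo: x prefix are all constructed here, and a raw socket client stands in for the victim's browser, since the point is what happens to the bytes on one reused HTTP/1.1 connection. The same server is also run with Content-Length honoured so the fixed behaviour can be compared side by side.

```python
# Toy model of a client-side desync and of the Content-Length probe. Constructed for this
# page: the server, the paths / and /hopefully404 and the 'Foo: x' prefix are invented, and
# a raw socket stands in for the browser; none of it is Burp's or a real target's code.
import socket
import socketserver
import threading

def read_until(sock, buf, done):
    """Grow buf with recv() until done(buf) holds; raise if the peer closes first."""
    while not done(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def parse_head(head):
    """Split an HTTP head into (first line, lower-cased header dict)."""
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

class ToyHTTPHandler(socketserver.BaseRequestHandler):
    """Keep-alive HTTP/1.1 handler; unless told to honour Content-Length it answers a POST
    at once and leaves the body in buf, where it is parsed as the start of the next request."""
    def handle(self):
        sock, buf = self.request, b""
        sock.settimeout(2)
        try:
            while True:
                buf = read_until(sock, buf, lambda b: b"\r\n\r\n" in b)
                head, _, buf = buf.partition(b"\r\n\r\n")
                request_line, headers = parse_head(head)
                path, length = request_line.split(" ")[1], int(headers.get("content-length", "0"))
                if self.server.honour_content_length:  # correct framing: consume the body first
                    buf = read_until(sock, buf, lambda b: len(b) >= length)[length:]
                found = path == "/"
                body, status = (b"home", b"200 OK") if found else (b"not found", b"404 Not Found")
                sock.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Length: " + str(len(body)).encode()
                             + b"\r\nConnection: keep-alive\r\n\r\n" + body)
        except (OSError, ValueError, IndexError):  # timeout, closed socket, or a garbage request line
            return

class ToyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True
    def __init__(self, honour_content_length):
        super().__init__(("127.0.0.1", 0), ToyHTTPHandler)  # port 0: any free loopback port
        self.honour_content_length = honour_content_length
        self.port = self.server_address[1]
        threading.Thread(target=self.serve_forever, daemon=True).start()

class Conn:
    """One client connection with a read buffer, so back-to-back responses stay framed."""
    def __init__(self, port):
        self.sock = socket.create_connection(("127.0.0.1", port), timeout=1.0)
        self.buf = b""
    def request(self, raw):
        """Send raw bytes; return the status code of the next response, consuming its body."""
        self.sock.sendall(raw)
        buf = read_until(self.sock, self.buf, lambda b: b"\r\n\r\n" in b)
        head, _, buf = buf.partition(b"\r\n\r\n")
        status_line, headers = parse_head(head)
        length = int(headers.get("content-length", "0"))
        self.buf = read_until(self.sock, buf, lambda b: len(b) >= length)[length:]
        return int(status_line.split(" ")[1])

POST = b"POST / HTTP/1.1\r\nHost: target\r\nConnection: keep-alive\r\nContent-Length: %d\r\n\r\n"

def probe_ignores_content_length(port):
    """Testing step 1: declare one more body byte than is sent. A server that honours
    Content-Length waits for it and we time out (False); one that ignores it answers (True)."""
    conn = Conn(port)
    try:
        conn.request(POST % 1)
        return True
    except socket.timeout:
        return False
    finally:
        conn.sock.close()

def client_side_desync(port):
    """Attack stages 2-4 on one connection: a POST with a correct Content-Length whose body is
    the attacker's prefix, then a follow-up GET /. Returns both status codes; a vulnerable
    server answers the follow-up with the 404 for /hopefully404 instead of the 200 for /."""
    prefix = b"GET /hopefully404 HTTP/1.1\r\nFoo: x"
    conn = Conn(port)
    try:
        first = conn.request(POST % len(prefix) + prefix)
        second = conn.request(b"GET / HTTP/1.1\r\nHost: target\r\nConnection: keep-alive\r\n\r\n")
        return first, second
    finally:
        conn.sock.close()

if __name__ == "__main__":
    for label, honour in (("vulnerable", False), ("fixed", True)):
        server = ToyServer(honour)
        print(label, "ignores CL:", probe_ignores_content_length(server.port),
              "statuses:", client_side_desync(server.port))
        server.shutdown()
```

Run it and the vulnerable server answers the probe immediately and returns 404 to the follow-up GET / (the response to the smuggled /hopefully404 request), while the fixed server makes the probe time out and returns 200 to both requests. In a real CSD the browser issues both requests with fetch(), the victim's cookies travel with them, and the prefix is aimed at a useful gadget rather than a 404 page; the framing behaviour shown here is what the Content-Length probe is designed to surface.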