153
Web Application Penetration Testing
Gray Box testing
HTTP Splitting
A successful exploitation of HTTP Splitting is greatly helped by knowing some details of the web application and of the attack target. For instance, different targets can use different methods to decide when the first HTTP message ends and when the second starts. Some will use the message boundaries, as in the previous example. Other targets will assume that different messages will be carried by different packets. Others will allocate for each message a number of chunks of predetermined length: in this case, the second message will have to start exactly at the beginning of a chunk and this will require the tester to use padding between the two messages. This might cause some trouble when the vulnerable parameter is to be sent in the URL, as a very long URL is likely to be truncated or filtered. A gray box scenario can help the attacker to find a workaround: several application servers, for instance, will allow the request to be sent using POST instead of GET.
HTTP Smuggling
As mentioned in the introduction, HTTP Smuggling leverages the different ways that a particularly crafted HTTP message can be parsed and interpreted by different agents (browsers, web caches, application firewalls). This relatively new kind of attack was first discovered by Chaim Linhart, Amit Klein, Ronen Heled and Steve Orrin in 2005. There are several possible applications and we will analyze one of the most spectacular: the bypass of an application firewall. Refer to the original whitepaper (linked at the bottom of this page) for more detailed information and other scenarios.
Application Firewall Bypass
There are several products that enable a system administrator to detect and block a hostile web request depending on some known malicious pattern that is embedded in the request. For example, consider the infamous, old Unicode directory traversal attack against IIS server (http://www.securityfocus.com/bid/1806), in which an attacker could break out of the www root by issuing a request like:
http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+
Of course, it is quite easy to spot and filter this attack by the presence of strings like “..” and “cmd.exe” in the URL. However, IIS 5.0 is quite picky about POST requests whose body is up to 48K bytes and truncates all content that is beyond this limit when the Content-Type header is different from application/x-www-form-urlencoded. The pen-tester can leverage this by creating a very large request, structured as follows:
POST /target.asp HTTP/1.1
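The bypass described above works because the filter and IIS disagree on where the request body ends. The following added example (not part of the Testing Guide) is a defender-side check that parses a raw request once and flags the framing conditions a filter should treat as suspicious: a non-form POST body longer than the 48K truncation limit quoted above, conflicting length headers, and a second request line embedded in the body. The 48K figure is taken as 48 * 1024 bytes, and the finding codes and sample requests are constructed for illustration.

```python
import re

# Figure from the text: IIS 5.0 truncates a POST body beyond 48K bytes when the
# Content-Type is not application/x-www-form-urlencoded (assumption: 48 * 1024).
TRUNCATION_LIMIT = 48 * 1024
FORM_URLENCODED = "application/x-www-form-urlencoded"
# A request line inside a body is the signature of a smuggled second message:
# the part of the body a truncating backend would read as a new request.
REQUEST_LINE = re.compile(
    rb"(?:^|\r?\n)(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, header multimap, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Keep every occurrence: duplicate headers are themselves a finding.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def framing_findings(raw: bytes):
    """Return a code for each sign that a filter and the backend could frame
    this request differently; an empty list means nothing suspicious."""
    request_line, headers, body = parse_request(raw)
    findings = []
    lengths = headers.get("content-length", [])
    if len(lengths) > 1:
        findings.append("multiple-content-length")
    if lengths and "transfer-encoding" in headers:
        findings.append("content-length-and-transfer-encoding")
    if lengths and lengths[0].isdigit() and int(lengths[0]) != len(body):
        findings.append("content-length-mismatch")
    ctype = headers.get("content-type", [""])[0].split(";")[0].strip().lower()
    if (request_line.startswith("POST ") and ctype != FORM_URLENCODED
            and len(body) > TRUNCATION_LIMIT):
        # The backend keeps only the first 48K; whatever a filter matched (or
        # failed to match) past that point is not what the backend sees.
        findings.append("non-form-post-exceeds-truncation-limit")
    if REQUEST_LINE.search(body):
        findings.append("request-line-inside-body")
    return findings
```

A filter that wants to agree with the backend must either apply the same truncation rule before pattern matching or reject requests that trigger any of these findings outright.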