Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Trailing Danger: exploring HTTP Trailer parsing discrepancies- 1901

sebsrt, posted 30 days ago
  • HTTP request smuggling happens when two HTTP parsers in the same pipeline disagree about where a request begins and ends, and that disagreement lets an attacker push data through that one side never intended to accept. A simple example is Nginx in front of a Node.js app: both implementations must parse the same bytes, and any difference between them is exploitable.
  • HTTP trailers are extra header fields transmitted after the body of a chunked HTTP/1.1 message, between the final zero-length chunk and the terminating CRLF. Although they are defined in the specification, they are rarely used in practice, gRPC being the main exception, and many servers, such as HAProxy, simply ignore or discard them. The specification only permits a recipient to merge a trailer field into the headers when that field's definition explicitly allows it (an allowlist, e.g. Digest); fields that control framing or routing, such as Content-Length, Transfer-Encoding and Host, must never be taken from trailers.
  • Implementations that merge every trailer field regardless of this rule can be abused to bypass various security protections. For instance, a trailer can spoof the Host header or smuggle in an X-Forwarded-For header past a front-end that sets it. A further attack vector is manipulating request boundaries by smuggling in Content-Length or Transfer-Encoding as trailers.
  • lighttpd merged trailers after dechunking, which allowed a Content-Length trailer to overwrite the header and change the meaning of the request entirely. lighttpd counters this by adding an extra Connection: close, so the leftover bytes cannot be reused on the connection, which makes the overwrite not useful. There's a theoretical workaround for this, but I'm unsure how practical it is. Some HTTP servers only honour close if it is the only token in the Connection header; if lighttpd sees a TE header, it adds TE to the Connection header as well. If the downstream server ignores the close because of that extra value, the smuggling is still possible.
  • Apache Traffic Server and Pound do not validate trailers, allowing hidden HTTP headers to be added. Eventlet, after reading the chunked body of a request, skips trailer parsing entirely: if the front-end forwards the request with its trailers intact but Eventlet never consumes them, the trailer bytes remain on the connection and Eventlet parses them as the start of an additional request.
  • In http4s, the trailer parser terminates early: if a trailer line doesn't contain a colon, parsing stops completely, and again the unconsumed bytes make the server parse more than one request out of the original one. Overall, using the HTTP Garden, the author found 13 variations of this across HTTP servers. Some were only header smuggling, while others were real request smuggling.
  • Most HTTP clients do not support trailers, so to do this research the author had to create a tool. They also have an intentionally vulnerable app to play around with, and a CTF challenge too. The post seems to take inspiration from this post but takes it a step further. It pays to create unique tooling and to read on what else is happening in the space. Great work!
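To make the discrepancies in the bullets above concrete, here is an added example of my own (not code from the post, its author, or any of the servers named) that builds raw chunked requests with trailers and parses them under four selectable trailer policies: an unsafe merge-everything recipient, an allowlist recipient, one that never reads the trailer section (modelling the Eventlet behaviour), and one that stops at the first trailer line without a colon (modelling the http4s behaviour). The policy names, the allowlist contents, and the two test requests are all constructed for illustration; the models approximate the described behaviour and are not the servers' actual code.

```python
from typing import Dict, List, Tuple

# RFC 9110 s6.5.1 forbids framing and routing fields (Content-Length, Transfer-Encoding,
# Host, ...) in trailers; a careful recipient merges only fields whose definition permits
# it. This allowlist is an illustrative assumption, not any real server's list.
MERGE_ALLOWLIST = {"digest", "server-timing"}


def build_request(method: str, path: str, headers: List[Tuple[str, str]],
                  chunks: List[str], trailer_lines: List[str]) -> bytes:
    """Serialize a chunked HTTP/1.1 request with a trailer section.

    trailer_lines are emitted verbatim, so a line that is not 'Name: value' can be
    produced, the way a front-end that does not validate trailers would forward it.
    """
    head = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    head.append("Transfer-Encoding: chunked")
    body = "".join(f"{len(c):x}\r\n{c}\r\n" for c in chunks)
    trailer = "".join(line + "\r\n" for line in trailer_lines)
    return ("\r\n".join(head) + "\r\n\r\n" + body + "0\r\n" + trailer + "\r\n").encode()


def _read_line(buf: bytes, pos: int) -> Tuple[bytes, int]:
    end = buf.index(b"\r\n", pos)
    return buf[pos:end], end + 2


def parse_request(raw: bytes, policy: str) -> Dict[str, object]:
    """Parse one request from raw; return method, path, headers, body and the bytes
    left unconsumed, which a keep-alive server would read as the next request.

    policy (assumed names modelling behaviours the post describes):
      'merge_all'     every trailer field overwrites the headers (unsafe merge)
      'allowlist'     only MERGE_ALLOWLIST fields merge; the rest are discarded
      'skip_trailers' the trailer section is never read (Eventlet-style)
      'stop_at_bad'   trailer parsing stops at the first line without a colon
                      (http4s-style); that line and everything after it is left over
    """
    line, pos = _read_line(raw, 0)
    method, path, _version = line.decode().split(" ", 2)
    headers: Dict[str, str] = {}
    while True:
        line, pos = _read_line(raw, pos)
        if not line:
            break
        name, value = line.decode().split(":", 1)
        headers[name.strip().lower()] = value.strip()

    body = b""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        while True:
            line, pos = _read_line(raw, pos)
            size = int(line.split(b";")[0], 16)  # chunk extensions are ignored
            if size == 0:
                break
            body += raw[pos:pos + size]
            pos += size + 2  # chunk data plus its CRLF
        if policy == "skip_trailers":
            # Model: only an empty trailer section (a bare CRLF) is consumed; any
            # trailer lines stay in the stream and become the next request.
            if raw[pos:pos + 2] == b"\r\n":
                pos += 2
        else:
            while True:
                start = pos
                line, pos = _read_line(raw, pos)
                if not line:
                    break
                if b":" not in line:
                    if policy == "stop_at_bad":
                        pos = start  # leave the offending line and the rest unread
                        break
                    raise ValueError(f"malformed trailer line: {line!r}")
                name, value = line.decode().split(":", 1)
                name = name.strip().lower()
                if policy == "merge_all" or (policy == "allowlist" and name in MERGE_ALLOWLIST):
                    headers[name] = value.strip()
    else:
        size = int(headers.get("content-length", "0"))
        body, pos = raw[pos:pos + size], pos + size

    return {"method": method, "path": path, "headers": headers,
            "body": body, "leftover": raw[pos:]}


def rejects(raw: bytes, policy: str) -> bool:
    """True if the policy refuses the request outright, as a validating recipient does."""
    try:
        parse_request(raw, policy)
        return False
    except ValueError:
        return True


# Constructed test requests, not captured traffic.
SPOOF = build_request("POST", "/upload", [("Host", "app.internal")], ["hello"],
                      ["Host: attacker.example", "X-Forwarded-For: 127.0.0.1",
                       "Digest: sha-256=abc"])
SMUGGLE = build_request("POST", "/upload", [("Host", "app.internal")], ["hello"],
                        ["GET /admin HTTP/1.1", "Host: app.internal", "X-Smuggled: 1"])

if __name__ == "__main__":
    for policy in ("merge_all", "allowlist"):
        print(policy, parse_request(SPOOF, policy)["headers"])
    for policy in ("skip_trailers", "stop_at_bad"):
        first = parse_request(SMUGGLE, policy)
        second = parse_request(first["leftover"], policy)
        print(policy, "second request:", second["method"], second["path"], second["headers"])
```

Running it shows the two failure classes side by side: under `merge_all` the Host and X-Forwarded-For trailers silently replace the real headers, while `allowlist` keeps only Digest; and under `skip_trailers` or `stop_at_bad` the unconsumed trailer bytes of SMUGGLE parse as a second `GET /admin` request, whereas a validating recipient rejects that request because its first trailer line is not a header. A real test against a deployment needs a client that can actually emit trailers, which is exactly why the post's author wrote one.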