Http-Request-Smuggling : HTTP Request Smuggling Detection Tool

0
55
PAKURI : Penetration Test Achieve Knowledge Unite Rapid Interface

Http-Request-Smuggling is a high severity vulnerability which is a technique where an attacker smuggles an ambiguous HTTP request to bypass security controls and gain unauthorized access to performs malicious activities, the vulnerability was discovered back in 2005 by watchfire and later in August 2019 it re-discovered by James Kettle – (albinowax) and presented at DEF CON 27 and Black-Hat USA, to know more about this vulnerability you can refer his well-documented research blogs at Portswigger website. So the idea behind this security tool is to detect HRS vulnerability for a given host and the detection happens based on the time delay technique with the given permutes, so to know more about this tool I’ll highly encourage you to read my blog post about this tool.

  • https://portswigger.net/web-security/request-smuggling
  • https://portswigger.net/web-security/request-smuggling/finding
  • https://portswigger.net/web-security/request-smuggling/exploiting

How To Detect HRS Vulnerability?


Based on the earlier research the most common way to detect the HRS vulnerability is to check the application’s response time, if the vulnerability exists then there will be a time delay in response. So there are two different ways to detect this vulnerability.

  • CL.TE
  • TE.CL

Detect (CL.TE) using time delay


To detect (CL.TE) vulnerability in an application you need to smuggle a request like below which causes a delay in response.

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 5
Transfer-Encoding:chunked
1
Z
Q

In the above HTTP request the front-end server uses Content-Length header which has a length of 5 which means it will only process the request body up to Z and it won’t include Q in the first request and the back-end server uses Transfer-Encoding header which will process the first chunks of request and waits for the next chunks to arrive which causes a delay in response because as per the front-end server’s content-length it processed only request body of length 5.


Detect (TE.CL) using time delay


To detect (TE.CL) vulnerability in an application you need to smuggle a request like below which causes a delay in response.

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 6
Transfer-Encoding:chunked
0
G

In the above HTTP request, the front-end server uses Transfer-Encoding header and in the request body, it sends 0 followed by which means in the first request it will terminate the request up to 0 and forwards the request and left remaining contents of the request body and the back-end server uses Content-Length header which has a length of 6 which waits for more contents to arrive which causes a delay in response.


HRS Detection Tool


By following the portswigger research academy I have developed a detection tool using python and by using the tool we can identify whether the application is vulnerable to (CL.TE) or (TE.CL) and to detect the vulnerability more accurately the tool has built-in payloads which has around 37 permutes and detection payloads for both (CL.TE) and (TE.CL) variants, the tool supports to scan one single URL or multiple URLs. And most importantly it has (–retry) option which means you can retry the same payload based on the retry value, which gives us an option to detect this vulnerability more accurately.


Needs to follow Security Consent before using this tool


It’s quite important to know some of the legal disclaimers before scanning any of the targets, you should have proper authorization before scanning any of the targets otherwise I suggest do not use this tool to scan an unauthorized target because to detect the vulnerability it sends multiple payloads for multiple times by using (–retry) option which means if something goes wrong then there is a possibility that backend socket might get poisoned with the payloads and any genuine visitors of that particular website might end up seeing the poisoned payload rather seeing the actual content of the website. So I’ll highly suggest taking proper precautions before scanning any of the target website otherwise you will face some legal issue.


How To Use This Tool?


To install this tool in your local machine you must have at least Python version 3.x otherwise socket will fail to established SSL connection with the target host.


Installation

git clone https://github.com/anshumanpattnaik/http-request-smuggling.git
cd http-request-smuggling
pip3 install -r requirements.txt

Options

usage: smuggle.py [-h] [-u URL] [-urls URLS] [-t TIMEOUT] [-m METHOD]
[-r RETRY]
HTTP Request Smuggling vulnerability detection tool
optional arguments:
-h, –help show this help message and exit
-u URL, –url URL set the target url
-urls URLS, –urls URLS set list of target urls, i.e (urls.txt)
-t TIMEOUT, –timeout TIMEOUT set socket timeout, default – 10
-m METHOD, –method METHOD set HTTP Methods, i.e (GET or POST), default – POST
-r RETRY, –retry RETRY set the retry count to re-execute the payload, default – 2

Example usage for using this tool


Scan one single URL

python3 smuggle.py -u [URL]

Scan list of URLs

python3 smuggle.py -urls [URLs.txt]

The detection payloads for both (CL.TE) and (TE.CL) are quite general and if you feel it requires to modify then you can update the payload in payloads.json file of detection array. Time-based HRS detection logic is not always accurate and to confirm the vulnerability I can suggest you to play with burp-suite turbo intruder by using your payloads.
I hope you will find it useful my HRS Detection tool if you have any suggestion or find any issues then feel free to raise an issue in my GitHub repository.
Thank you for reading this post and Happy Hacking 🙂