HAProxy HTTP Request Smuggling

Welcome to Web! I struggle every day I face a new website, can you access the /flag endpoint?

Link: http://128.199.3.34:1235

Author: Kahla

From the server response headers, we know that HAProxy version 2.4.0 is used in front of an Express application. This version is vulnerable to a .

The HAProxy configuration to protect the /flag endpoint was case sensitive. Therefore, the following would be sufficient to bypass the validation.

Basically, an integer overflow leads to Content-Length0aaa...aaa: being forwarded to the backend as Content-Length: 0, while a second duplicate Content-Length header is used by HAProxy to determine the length of the request body.

In the above example, HAProxy considers the following to be the first request:

while the second request is the following:

However, when forwarded to the backend, this becomes:

Therefore, the response for the second request will correspond to /flag instead of /.

Due to the way the pipelining works, we have to add some artificial delays when sending the consecutive requests.
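As an added example that is not part of the original write-up, the following Python pre-filter flags the request shapes the write-up relies on (a padded Content-Length look-alike header name and conflicting duplicate Content-Length headers) so a logging hook or front-end check can reject them before they reach the backend; the header-name limit and the sample requests are constructed assumptions, not values from the challenge.

```python
from typing import List, Tuple

MAX_HEADER_NAME_LEN = 64  # assumption: no legitimate header name is this long

def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP/1.x request into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers

def smuggling_indicators(raw: bytes) -> List[str]:
    """Return the reasons this request looks like a desync/smuggling attempt."""
    findings: List[str] = []
    headers = parse_headers(raw)
    cl_values = [v for n, v in headers if n.lower() == "content-length"]
    # RFC 7230 s.3.3.2: several Content-Length fields with differing values are
    # invalid; a proxy and a backend that each pick a different one desynchronise.
    if len(set(cl_values)) > 1:
        findings.append(f"conflicting Content-Length values {cl_values}")
    for name, _ in headers:
        if len(name) > MAX_HEADER_NAME_LEN:
            findings.append(f"oversized header name ({len(name)} chars)")
        # A name that starts with Content-Length but is not that header is the
        # padded-name shape from the write-up (Content-Length0aaa...aaa:), which
        # the backend may see as a real Content-Length once the front-end
        # mis-parses the oversized name.
        if name.lower().startswith("content-length") and name.lower() != "content-length":
            findings.append(f"Content-Length look-alike header {name[:16]!r}...")
    return findings

# Constructed sample requests (not captured traffic).
CLEAN = b"POST / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 5\r\n\r\nhello"
PADDED = (b"POST / HTTP/1.1\r\nHost: localhost\r\n"
          + b"Content-Length0" + b"a" * 70 + b": 0\r\n"
          + b"Content-Length: 5\r\n\r\nhello")
DUPLICATE = (b"POST / HTTP/1.1\r\nHost: localhost\r\n"
             b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("padded", PADDED), ("duplicate", DUPLICATE)):
        print(label, smuggling_indicators(req) or "ok")
```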