From 863b34296b6cbb6cac767fc92ea7b82de741123a Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 12 Jul 2025 01:40:49 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/pentesting-web/http-request-sm... --- .../reversing-native-libraries.md | 8 +- .../ios-pentesting-without-jailbreak.md | 2 +- .../request-smuggling-in-http-2-downgrades.md | 95 ++++++++++++++++++- .../sql-injection/ms-access-sql-injection.md | 4 +- 4 files changed, 100 insertions(+), 9 deletions(-) diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md index 03213da5080..ea060841d8a 100644 --- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md +++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md @@ -61,7 +61,7 @@ Java.perform(function () { }); }); ``` -Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. citeturn5search2turn5search0 +Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. --- @@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) | Year | CVE | Affected library | Notes | |------|-----|------------------|-------| -|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0| +|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| | |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.| When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant. @@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their ### References -- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) citeturn5search0 -- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0 +- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) +- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md index 004d7bf0e0e..791da2761f0 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md +++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md @@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth ### Automated dynamic analysis with MobSF (no jailbreak) -[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: +[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: ```bash docker pull opensecurity/mobile-security-framework-mobsf:latest diff --git a/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md b/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md index 5db95291433..5fd8e2d6218 100644 --- a/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md +++ b/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md @@ -2,9 +2,100 @@ {{#include ../../banners/hacktricks-training.md}} -**Check the post [https://portswigger.net/research/http-2-downgrades](https://portswigger.net/research/http-2-downgrades)** +HTTP/2 is generally considered immune to classic request-smuggling because the length of each DATA frame is explicit. **That protection disappears as soon as a front-end proxy “downgrades” the request to HTTP/1.x before forwarding it to a back-end**. The moment two different parsers (the HTTP/2 front-end and the HTTP/1 back-end) try to agree on where one request ends and the next begins, all the old desync tricks come back – plus a few new ones. -{{#include ../../banners/hacktricks-training.md}} +--- +## Why downgrades happen + +1. Browsers already speak HTTP/2, but much legacy origin infrastructure still only understands HTTP/1.1. +2. Reverse-proxies (CDNs, WAFs, load-balancers) therefore terminate TLS + HTTP/2 at the edge and **rewrite every request as HTTP/1.1** for the origin. +3. The translation step has to create *both* `Content-Length` **and/or** `Transfer-Encoding: chunked` headers so that the origin can determine body length. + +Whenever the front-end trusts the HTTP/2 frame length **but** the back-end trusts CL or TE, an attacker can force them to disagree. + +--- +## Two dominant primitive classes + +| Variant | Front-end length | Back-end length | Typical payload | +|---------|-----------------|-----------------|-----------------| +| **H2.TE** | HTTP/2 frame | `Transfer-Encoding: chunked` | Embed an extra chunked message body whose final `0\r\n\r\n` is *not* sent, so the back-end waits for the attacker-supplied “next” request. | +| **H2.CL** | HTTP/2 frame | `Content-Length` | Send a *smaller* CL than the real body, so the back-end reads past the boundary into the following request. | + +> These are identical in spirit to classic TE.CL / CL.TE, just with HTTP/2 replacing one of the parsers. + +--- +## Identifying a downgrade chain + +1. Use **ALPN** in a TLS handshake (`openssl s_client -alpn h2 -connect host:443`) or **curl**: + ```bash + curl -v --http2 https://target + ``` + If `* Using HTTP2` appears, the edge speaks H2. +2. Send a deliberately malformed CL/TE request *over* HTTP/2 (Burp Repeater now has a dropdown to force HTTP/2). If the response is an HTTP/1.1 error such as `400 Bad chunk`, you have proof the edge converted the traffic for a HTTP/1 parser downstream. + +--- +## Exploitation workflow (H2.TE example) + +```http +:method: POST +:path: /login +:scheme: https +:authority: example.com +content-length: 13 # ignored by the edge +transfer-encoding: chunked + +5;ext=1\r\nHELLO\r\n +0\r\n\r\nGET /admin HTTP/1.1\r\nHost: internal\r\nX: X +``` +1. The **front-end** reads exactly 13 bytes (`HELLO\r\n0\r\n\r\nGE`), thinks the request is finished and forwards that much to the origin. +2. The **back-end** trusts the TE header, keeps reading until it sees the *second* `0\r\n\r\n`, thereby consuming the prefix of the attacker’s second request (`GET /admin …`). +3. The remainder (`GET /admin …`) is treated as a *new* request queued behind the victim’s. + +Replace the smuggled request with: +* `POST /api/logout` to force session fixation +* `GET /users/1234` to steal a victim-specific resource +--- +## h2c smuggling (clear-text upgrades) +A 2023 study showed that if a front-end passes the HTTP/1.1 `Upgrade: h2c` header to a back-end that supports clear-text HTTP/2, an attacker can tunnel *raw* HTTP/2 frames through an edge that only validated HTTP/1.1. This bypasses header normalisation, WAF rules and even TLS termination. +Key requirements: +* Edge forwards **both** `Connection: Upgrade` and `Upgrade: h2c` unchanged. +* Origin increments to HTTP/2 and keeps the connection-reuse semantics that enable request queueing. + +Mitigation is simple – strip or hard-code the `Upgrade` header at the edge except for WebSockets. + +--- +## Notable real-world CVEs (2022-2025) + +* **CVE-2023-25690** – Apache HTTP Server mod_proxy rewrite rules could be chained for request splitting and smuggling. (fixed in 2.4.56) +* **CVE-2023-25950** – HAProxy 2.7/2.6 request/response smuggling when HTX parser mishandled pipelined requests. +* **CVE-2022-41721** – Go `MaxBytesHandler` caused left-over body bytes to be parsed as **HTTP/2** frames, enabling cross-protocol smuggling. + +--- +## Tooling + +* **Burp Request Smuggler** – since v1.26 it automatically tests H2.TE/H2.CL and hidden ALPN support. Enable “HTTP/2 probing” in the extension options. +* **h2cSmuggler** – Python PoC by Bishop Fox to automate the clear-text upgrade attack: + ```bash + python3 h2csmuggler.py -u https://target -x 'GET /admin HTTP/1.1\r\nHost: target\r\n\r\n' + ``` +* **curl**/`hyper` – crafting manual payloads: `curl --http2-prior-knowledge -X POST --data-binary @payload.raw https://target`. + +--- +## Defensive measures + +1. **End-to-end HTTP/2** – eliminate the downgrade translation completely. +2. **Single source of length truth** – when downgrading, *always* generate a valid `Content-Length` **and** **strip** any user-supplied `Content-Length`/`Transfer-Encoding` headers. +3. **Normalize before route** – apply header-sanitisation *before* routing/rewrite logic. +4. **Connection isolation** – do not reuse back-end TCP connections across users; “one request per connection” defeats queue-based exploits. +5. **Strip `Upgrade` unless WebSocket** – prevents h2c tunnelling. + +--- +## References + +* PortSwigger Research – “HTTP/2: The Sequel is Always Worse” +* Bishop Fox – “h2c Smuggling: request smuggling via HTTP/2 clear-text” + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/sql-injection/ms-access-sql-injection.md b/src/pentesting-web/sql-injection/ms-access-sql-injection.md index 913a7a03f98..5b9778a7ad4 100644 --- a/src/pentesting-web/sql-injection/ms-access-sql-injection.md +++ b/src/pentesting-web/sql-injection/ms-access-sql-injection.md @@ -141,7 +141,7 @@ Point the UNC path to: * a host that drops the TCP handshake after `SYN-ACK` * a firewall sinkhole -The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0 +The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. ### Other Interesting functions @@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps): * Block outbound SMB/WebDAV at the network boundary. * Sanitize / parameterise any part of a query that may end up inside an `IN` clause. -The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0 +The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. ### .mdb Password Cracker