HTTP request smuggling
Hans Middelhoek
hans at middelhoek.nl
Wed Jun 30 20:49:53 UTC 2021
Hi Maxim,
On 30-6-2021 at 21:17, Maxim Dounin wrote:
> Hello!
>
> On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote:
>
>> Thanks! That makes sense to me. I like to understand things a little
>> better and hope you can help with that:
>>
>> 1) Why is the result different when I disable keepalive in Nginx? After
>> disabling keepalive the second request isn't executed anymore.
> Because multiple requests in the same connection only work with
> keepalive. As long as keepalive is disabled, only the first
> request in the connection is processed. To make additional
> requests the client has to open additional connections.
Thank you! That should have been obvious.
>> 2) Do you know why Apache responds the same as Nginx with
>> keepalive disabled?
> Because keepalive is disabled on the Apache server you are testing
> against? As long as keepalive is enabled, the same requests work
> perfectly with Apache and return two responses as they should.
>
Keepalive is enabled in Apache. I enabled more verbose logging to find
the cause. Apache doesn't allow the first request and gives a 400 error,
error log:
(22)Invalid argument: [client xx.xx.xx.xx:xxxxx] AH01590: Error
reading/parsing chunk
I suppose the connection is closed directly because of the error and
therefore the second request isn't executed. I changed my test to
confirm that Apache will handle the 2 requests within the same connection:
POST / HTTP/1.1
Content-Length: 0
Foo: bar
Host: vulnerable-domain.com

GET /admin7 HTTP/1.1
X-Foo: k

That works. It looks like Apache is very picky in the processing of the
Transfer-Encoding header.
Thank you for your help!
Kind regards,
Hans
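The two behaviours discussed in this thread (a second pipelined request is only processed when keepalive is on, and a strict server such as Apache answers 400 and closes the connection on a malformed chunk) can be modelled in a few lines. The following is an added example, not code from the thread or from nginx/Apache: a minimal HTTP/1.1 request framer that reads one connection's bytes the way a strict front end would. The parser, the `serve_connection` helper and the sample byte strings (the pipelined pair from the mail above, plus a POST whose chunk-size line is not hexadecimal) are constructed here for illustration.

```python
"""Added example: strict HTTP/1.1 request framing over one connection.

Models the two points from the thread: pipelined requests need keepalive,
and a malformed chunked body is rejected (400) and ends the connection,
so nothing after it is processed.  Not the code of nginx or Apache.
"""
from dataclasses import dataclass, field

HEXDIGITS = b"0123456789abcdefABCDEF"


class BadRequest(Exception):
    """Raised where a strict server would send 400 and close the connection."""


@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _read_line(buf, pos):
    """Return (line without CRLF, position after CRLF)."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise BadRequest("line not terminated by CRLF")
    return buf[pos:end], end + 2


def _decode_chunked(buf, pos):
    """Strict chunked decoding: hex size line, exact chunk length, CRLF after each chunk."""
    body = b""
    while True:
        line, pos = _read_line(buf, pos)
        size_field = line.split(b";", 1)[0].strip()  # drop chunk extensions
        if not size_field or any(c not in HEXDIGITS for c in size_field):
            raise BadRequest("Error reading/parsing chunk")
        size = int(size_field, 16)
        if size == 0:
            # last chunk: skip optional trailer lines up to the empty line
            while True:
                line, pos = _read_line(buf, pos)
                if line == b"":
                    return body, pos
        chunk = buf[pos:pos + size]
        if len(chunk) != size or buf[pos + size:pos + size + 2] != b"\r\n":
            raise BadRequest("Error reading/parsing chunk")
        body += chunk
        pos += size + 2


def parse_request(buf, pos):
    """Parse one request starting at buf[pos]; return (Request, next position)."""
    line, pos = _read_line(buf, pos)
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise BadRequest("malformed request line")
    headers = {}
    while True:
        line, pos = _read_line(buf, pos)
        if line == b"":
            break
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():  # no whitespace around field names
            raise BadRequest("malformed header line")
        headers[name.decode("ascii", "replace").lower()] = value.strip().decode("ascii", "replace")
    te, cl = headers.get("transfer-encoding"), headers.get("content-length")
    if te is not None and cl is not None:
        raise BadRequest("both Transfer-Encoding and Content-Length")  # ambiguous framing
    if te is not None:
        if te.lower() != "chunked":
            raise BadRequest("unsupported Transfer-Encoding")
        body, pos = _decode_chunked(buf, pos)
    elif cl is not None:
        if not cl.isdigit():
            raise BadRequest("malformed Content-Length")
        n = int(cl)
        body = buf[pos:pos + n]
        if len(body) != n:
            raise BadRequest("truncated body")
        pos += n
    else:
        body = b""
    return Request(parts[0].decode(), parts[1].decode(), headers, body), pos


def serve_connection(buf, keepalive=True):
    """Return (requests processed, error message or None) for one connection's bytes.

    With keepalive off only the first request is read.  On BadRequest the
    server answers 400 and closes, so later bytes are never processed.
    """
    requests, pos = [], 0
    while pos < len(buf):
        try:
            req, pos = parse_request(buf, pos)
        except BadRequest as exc:
            return requests, str(exc)
        requests.append(req)
        if not keepalive or req.headers.get("connection", "").lower() == "close":
            break
    return requests, None


# Constructed sample bytes: the pipelined pair from the mail above, and a POST
# whose chunk-size line ("zz") is not hexadecimal.
PIPELINED = (b"POST / HTTP/1.1\r\nContent-Length: 0\r\nFoo: bar\r\n"
             b"Host: vulnerable-domain.com\r\n\r\n"
             b"GET /admin7 HTTP/1.1\r\nX-Foo: k\r\n\r\n")
BAD_CHUNK = (b"POST / HTTP/1.1\r\nHost: vulnerable-domain.com\r\n"
             b"Transfer-Encoding: chunked\r\n\r\nzz\r\n0\r\n\r\n"
             b"GET /admin7 HTTP/1.1\r\nX-Foo: k\r\n\r\n")

if __name__ == "__main__":
    for label, data, ka in [("keepalive on", PIPELINED, True),
                            ("keepalive off", PIPELINED, False),
                            ("bad chunk", BAD_CHUNK, True)]:
        reqs, err = serve_connection(data, keepalive=ka)
        print(label, [r.method + " " + r.target for r in reqs], err)
```

With keepalive on, both `POST /` and `GET /admin7` are processed; with keepalive off only the first; and the malformed chunk produces the same "Error reading/parsing chunk" outcome as the Apache log line above, with the trailing GET never reached. Rejecting a request that carries both Transfer-Encoding and Content-Length is the framing rule that removes the ambiguity request smuggling depends on.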