Analysis and Exploration of Vulnerabilities

HTTP Communication

HTTP is a standard Client-Server protocol.

  1. Client establishes a TCP connection with the server on port 80.

  2. Client sends a HTTP request over that TCP connection.

  3. Server replies.

    1. Sends a response.

    2. HTTP 1.0: Closes the connection.

    3. HTTP 1.1/2: May keep it persistent for some time.

Server only issues replies to requests.

  • It may never contact clients directly.

Actually, servers can contact clients directly with WebSockets.

  • Great for low latency asynchronous communications (e.g. VoIP, telemetry).

  • Nightmare for security!

Client upgrades connection to a WebSocket.

Any participant can send message.

  • No polling is required. Usually no log is done.

  • Client and server must know the message format.

Request

$ curl https://elearning.ua.pt -D - -v

GET / HTTP/1.1
HOST: elearning.ua.pt
User-Agent: curl/7.68.0
Accept: */*

Response

$ curl https://elearning.ua.pt -D - -v

HTTP/1.1 200 OK
Date: Thu, 12 Nov 2020 17:01:16 GMT
Server: Apache
Set-Cookie: MoodleSession=qvnej3ar6u28ndar312jhg1veh; path=/
Expires: Mon, 20 Aug 1969 09:23:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0, no-transform
Last-Modified: Thu, 12 Nov 2020 17:01:16 GMT
Accept-Ranges: none

Anything can be a client

$ echo -ne 'GET / HTTP/1.1\r\nHost: elearning.ua.pt\r\nUser-Agent: Android 10\r\n\r\n' | ncat --ssl elearning.ua.pt 443

HTTP/1.1 200 OK
Date: Thu, 12 Nov 2020 17:20:12 GMT
Server: Apache
Set-Cookie: MoodleSession=ooma3far88iqh9nvssn598nsuu; path=/
Expires: Mon, 20 Aug 1969 09:23:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0, no-transform
Last-Modified: Thu, 12 Nov 2020 17:20:12 GMT
Accept-Ranges: none

Many programs can communicate with HTTP servers.

  • A socket is all that is required.

Even Bash can do it.

$ exec 5<>/dev/tcp/193.136.173.58/80
$ echo -e "GET / HTTP/1.1\r\nHost: www.ua.pt\r\n\r\n" >&5
$ cat <&5

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Thu, 12 Nov 2020 17:26:58 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://www.ua.pt/

There is no client-side security model.

All parts of a request can be crafted.

  • HTTP Headers, Methods, URLs

  • POST content can be manipulated freely.

Control must reside in the server-side context.

  • Remember that developers are pushing content to the client?

There are no input validation processes in the server.

  • As long as the HTTP protocol is "generally" observed.

PreviousHTTP BasicsNextAuthentication

Last updated