Day 54/100 Hack and Improvement

1 minute read

Day 54 comes with testing for Subdomain Takeover on Microsoft Azure and simply explaining “TE-CL” HTTP Request Smuggling attack.

Testing for Subdomain Takeover on Microsoft Azure

From Rajesh Ranjan. So today I was testing an application and came across a subdomain which was pointed to Microsoft azure and the response was: nmap scan

So I got excite that, there is possibility of Subdomain takeover here cause its 404.. But WAIT!!! I check few blog posts, and here I found one of very interesting one, in which the researcher has described that, If you want to check the subdomain takeover on Microsoft azure, then you have to run the following command

dig -t A DOMAIN_TO_CHECK

Is the response status NXDOMAIN? If yes, great, the takeover might be possible. Note that receiving 404 HTTP error does not mean the subdomain takeover is possible at all Later I confirmed the same with my Friend Aishwarya Kendle. You can checkout his amazing writeup here in which he explained how he was able to hijack 26+ subdomains.

Lesson learned: 404 response on Microsoft Azure doesn’t means that, subdomain takeover is possible at all

Writeups about Azure subdomain Takeover

  1. https://0xpatrik.com/subdomain-takeover-starbucks/
  2. https://blog.cystack.net/subdomain-takeover-chapter-two-azure-services/

HTTP Smuggling Simple Analysis

From Sam (CoffeeJunkie). Since I saw couple reports from defparam related to http smuggling, my mind kept on going the attack surface and how this can achievable and escalated it to more vulnerabilitites. Here I’ll share some information related to it.

The information has been gathered from this article.

During different kind of HTTP requests whether it as has a GET or POST request, there is something to look for which is the Transfer-Encoding: which might appear as chuncked. This depends on how the server of the web application handles the transfer encoding in the backend, but in order to understand that it might be necessary to check the source code to see if the server treats Transfer-Encodingheader value differently (whole string match vs substring match) which creates a possibility for a “TE-CL” HTTP Request Smuggling attack.

As an example of a HTTP request with this attack would be:

GET /z HTTP/1.1
Host: 127.0.0.1:8080
Transfer-Encoding: chunkedasd # Triggering the bug here 
Content-Length: 4
 
2c # Content Value 
GET /flag HTTP/1.1 # Smuggled request 
Host: 127.0.0.1:8000
 
 
0 # Content Value 
 
GET / HTTP/1.1 # Dummy request for alignment
Host: 127.0.0.1:8080

Leave a comment