Day 54 comes with testing for Subdomain Takeover on Microsoft Azure and simply explaining “TE-CL” HTTP Request Smuggling attack.
Testing for Subdomain Takeover on Microsoft Azure
From Rajesh Ranjan. So today I was testing an application and came across a subdomain which was pointed to Microsoft azure and the response was:
So I got excite that, there is possibility of Subdomain takeover here cause its 404.. But WAIT!!! I check few blog posts, and here I found one of very interesting one, in which the researcher has described that, If you want to check the subdomain takeover on Microsoft azure, then you have to run the following command
dig -t A DOMAIN_TO_CHECK
Is the response status NXDOMAIN? If yes, great, the takeover might be possible. Note that receiving 404 HTTP error does not mean the subdomain takeover is possible at all Later I confirmed the same with my Friend Aishwarya Kendle. You can checkout his amazing writeup here in which he explained how he was able to hijack 26+ subdomains.
Lesson learned: 404 response on Microsoft Azure doesn’t means that, subdomain takeover is possible at all
Writeups about Azure subdomain Takeover
HTTP Smuggling Simple Analysis
From Sam (CoffeeJunkie). Since I saw couple reports from defparam related to http smuggling, my mind kept on going the attack surface and how this can achievable and escalated it to more vulnerabilitites. Here I’ll share some information related to it.
The information has been gathered from this article.
During different kind of HTTP requests whether it as has a GET or POST request, there is something to look for which is the
Transfer-Encoding: which might appear as
chuncked. This depends on how the server of the web application handles the transfer encoding in the backend, but in order to understand that it might be necessary to check the source code to see if the server treats
Transfer-Encodingheader value differently (whole string match vs substring match) which creates a possibility for a “TE-CL” HTTP Request Smuggling attack.
As an example of a HTTP request with this attack would be:
GET /z HTTP/1.1 Host: 127.0.0.1:8080 Transfer-Encoding: chunkedasd # Triggering the bug here Content-Length: 4 2c # Content Value GET /flag HTTP/1.1 # Smuggled request Host: 127.0.0.1:8000 0 # Content Value GET / HTTP/1.1 # Dummy request for alignment Host: 127.0.0.1:8080