
I set up the following lab using HAProxy and Gunicorn.

[image: lab setup with HAProxy in front of Gunicorn]

Both the "Smuggler.py" tool and the "HTTP Request Smuggler" Burp Suite extension detected a CL.TE vulnerability.

I checked it manually by sending the request below:

[image: the request that was sent]

Here is the request in HAProxy:

[image: the request as seen by HAProxy]

and this is the request in Gunicorn (processed as two requests):

[image: the request as seen by Gunicorn (1 of 2)]

[image: the request as seen by Gunicorn (2 of 2)]

So based on this behavior, it seems the vulnerability exists.

Now, here is the question:

While there is no request remaining in HAProxy or even Gunicorn, how will the next user's request be appended to it and HRS be exploited?

schroeder
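As an added illustration (not code from the question or the answer), the following Python frames one byte stream the way a Content-Length-only front end and a chunked-only back end would, which is why the back end in this lab reports two requests while the front end saw one. The request bytes and the host name `lab` are constructed for the example, and `ambiguous_framing` is the check a hardened proxy applies (refuse a request that carries both framing headers).

```python
from typing import Callable, List, Optional, Tuple

# Constructed CL.TE request: Content-Length covers the whole body, but the chunked
# body ends at "0\r\n\r\n", so a chunked parser sees "GET /bye" as a second request.
_BODY = b"0\r\n\r\nGET /bye HTTP/1.1\r\nHost: lab\r\n\r\n"
SMUGGLED = (b"POST / HTTP/1.1\r\nHost: lab\r\nContent-Length: %d\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" % len(_BODY)) + _BODY


def split_head(stream: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Split off the request head at the first blank line; None if incomplete."""
    i = stream.find(b"\r\n\r\n")
    return None if i < 0 else (stream[:i + 4], stream[i + 4:])


def headers(head: bytes) -> dict:
    """Lower-cased header map from a request head (request line excluded)."""
    lines = head.decode("latin-1").split("\r\n")[1:]
    pairs = (line.split(":", 1) for line in lines if ":" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def body_len_cl(hdrs: dict, rest: bytes) -> int:
    """Front end that trusts Content-Length only (HAProxy's role in the lab)."""
    return int(hdrs.get("content-length", "0"))


def body_len_te(hdrs: dict, rest: bytes) -> int:
    """Back end that honours Transfer-Encoding: chunked (Gunicorn's role)."""
    if hdrs.get("transfer-encoding", "").lower() != "chunked":
        return body_len_cl(hdrs, rest)
    pos = 0
    while True:
        nl = rest.index(b"\r\n", pos)
        size = int(rest[pos:nl].split(b";")[0], 16)  # chunk-size, ignore extensions
        pos = nl + 2
        if size == 0:  # last chunk: skip any trailer lines up to the empty line
            while rest[pos:pos + 2] != b"\r\n":
                pos = rest.index(b"\r\n", pos) + 2
            return pos + 2
        pos += size + 2  # chunk data plus its CRLF


def frame(stream: bytes, body_len: Callable[[dict, bytes], int]) -> List[bytes]:
    """Request lines a parser using body_len would carve out of the stream."""
    out: List[bytes] = []
    while (parts := split_head(stream)) is not None:
        head, rest = parts
        out.append(head.split(b"\r\n", 1)[0])
        stream = rest[body_len(headers(head), rest):]
    return out


def ambiguous_framing(request: bytes) -> bool:
    """Hardening check: both CL and TE present means the framing is ambiguous."""
    h = headers(split_head(request)[0])
    return "content-length" in h and "transfer-encoding" in h
```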

1 Answer

The exploit is that you can smuggle the second request ("/bye" in your example) past the first machine without it ever handling it. There is no further request required.

Your scenario might not be a good fit for this exploit, because your firewall actually seems to be the second machine in the chain.

Consider having no load-balancer, and the firewall being the first machine, which would be considered vulnerable for this scenario. With this, any deep packet-inspection feature of the firewall (on the first, vulnerable machine) might fail to do its duty, since it would not see the offending packet as such.

Now, the offending packet can hit the next machine without being discarded by the firewall.

Marcel

Firstly, there is no firewall in this setup. I just stopped the CentOS firewall because of the Gunicorn service. As you said, I smuggled another request (GET /bye HTTP/1.1) and the response was sent back to me, but what about other users? How can they be affected in action? – mehran_2020 Dec 22 '21 at 08:51