hop-by-hop headers

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

This is a summary of the post https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers

Hop-by-hop headers are specific to a single transport-level connection, used primarily in HTTP/1.1 for managing data between two nodes (like client-proxy or proxy-proxy), and are not meant to be forwarded. Standard hop-by-hop headers include Keep-Alive, Transfer-Encoding, TE, Connection, Trailer, Upgrade, Proxy-Authorization, and Proxy-Authenticate, as defined in RFC 2616. Additional headers can be designated as hop-by-hop via the Connection header.

Abusing Hop-by-Hop Headers

Improper management of hop-by-hop headers by proxies can lead to security issues. While proxies are expected to remove these headers, not all do, creating potential vulnerabilities.

Testing for Hop-by-Hop Header Handling

The handling of hop-by-hop headers can be tested by observing changes in server responses when specific headers are marked as hop-by-hop. Tools and scripts can automate this process, identifying how proxies manage these headers and potentially uncovering misconfigurations or proxy behaviors.

Abusing hop-by-hop headers can lead to various security implications. Below are a couple of examples demonstrating how these headers can be manipulated for potential attacks:

Bypassing Security Controls with X-Forwarded-For

An attacker can manipulate the X-Forwarded-For header to bypass IP-based access controls. This header is often used by proxies to track the originating IP address of a client. However, if a proxy treats this header as hop-by-hop and forwards it without proper validation, an attacker can spoof their IP address.

Attack Scenario:

  1. The attacker sends an HTTP request to a web application behind a proxy, including a fake IP address in the X-Forwarded-For header.

  2. The attacker also includes the Connection: close, X-Forwarded-For header, prompting the proxy to treat X-Forwarded-For as hop-by-hop.

  3. The misconfigured proxy forwards the request to the web application without the spoofed X-Forwarded-For header.

  4. The web application, not seeing the original X-Forwarded-For header, might consider the request as coming directly from a trusted proxy, potentially allowing unauthorized access.

Cache Poisoning via Hop-by-Hop Header Injection

If a cache server incorrectly caches content based on hop-by-hop headers, an attacker could inject malicious headers to poison the cache. This would serve incorrect or malicious content to users requesting the same resource.

Attack Scenario:

  1. An attacker sends a request to a web application with a hop-by-hop header that should not be cached (e.g., Connection: close, Cookie).

  2. The poorly configured cache server does not remove the hop-by-hop header and caches the response specific to the attacker's session.

  3. Future users requesting the same resource receive the cached response, which was tailored for the attacker, potentially leading to session hijacking or exposure of sensitive information.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Last updated