hop-by-hop headers
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
This is a summary of the post https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers
Hop-by-hop headers are specific to a single transport-level connection, used primarily in HTTP/1.1 for managing data between two nodes (like client-proxy or proxy-proxy), and are not meant to be forwarded. Standard hop-by-hop headers include Keep-Alive
, Transfer-Encoding
, TE
, Connection
, Trailer
, Upgrade
, Proxy-Authorization
, and Proxy-Authenticate
, as defined in RFC 2616. Additional headers can be designated as hop-by-hop via the Connection
header.
Improper management of hop-by-hop headers by proxies can lead to security issues. While proxies are expected to remove these headers, not all do, creating potential vulnerabilities.
The handling of hop-by-hop headers can be tested by observing changes in server responses when specific headers are marked as hop-by-hop. Tools and scripts can automate this process, identifying how proxies manage these headers and potentially uncovering misconfigurations or proxy behaviors.
Abusing hop-by-hop headers can lead to various security implications. Below are a couple of examples demonstrating how these headers can be manipulated for potential attacks:
X-Forwarded-For
An attacker can manipulate the X-Forwarded-For
header to bypass IP-based access controls. This header is often used by proxies to track the originating IP address of a client. However, if a proxy treats this header as hop-by-hop and forwards it without proper validation, an attacker can spoof their IP address.
Attack Scenario:
The attacker sends an HTTP request to a web application behind a proxy, including a fake IP address in the X-Forwarded-For
header.
The attacker also includes the Connection: close, X-Forwarded-For
header, prompting the proxy to treat X-Forwarded-For
as hop-by-hop.
The misconfigured proxy forwards the request to the web application without the spoofed X-Forwarded-For
header.
The web application, not seeing the original X-Forwarded-For
header, might consider the request as coming directly from a trusted proxy, potentially allowing unauthorized access.
If a cache server incorrectly caches content based on hop-by-hop headers, an attacker could inject malicious headers to poison the cache. This would serve incorrect or malicious content to users requesting the same resource.
Attack Scenario:
An attacker sends a request to a web application with a hop-by-hop header that should not be cached (e.g., Connection: close, Cookie
).
The poorly configured cache server does not remove the hop-by-hop header and caches the response specific to the attacker's session.
Future users requesting the same resource receive the cached response, which was tailored for the attacker, potentially leading to session hijacking or exposure of sensitive information.
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)