Skip to content

zbo14/desync

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
bin
bin
 
 
lib
lib
 
 
.eslintrc
.eslintrc
 
 
.gitignore
.gitignore
 
 
.npmrc
.npmrc
 
 
.nvmrc
.nvmrc
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

desync

A CLI tool to detect and confirm HTTP/S desync vulnerabilities.

Note: this tool is meant for personal research and testing purposes.

Overview

This tool was inspired by this post on HTTP desync attacks. Often times, a frontend server handles a web request before sending it to a backend server. Desync vulnerabilities arise when the frontend and backend servers disagree on request body lengths/boundaries and, as a result, process different requests.

This tool sends specially-crafted HTTP/S requests with Content-Length and Transfer-Encoding headers. Suppose the frontend reads one header (e.g. Content-Length) and the backend reads the other (Transfer-Encoding). The request is structured such that the backend will never receive what it believes to be the entire request body, so we should time out waiting for a response. This is how we detect a smuggling vulnerability, in this case a CL.TE vulnerability since the frontend read the Content-Length and the backend read the Transfer-Encoding header.

The next step is to confirm the vulnerability. Instead of forcing a timeout, we'll try to smuggle a request for a nonexistent endpoint to the backend. If the backend processes the smuggled request, it should respond with a 404 or redirect.

Usage

$ [code=<integer>] [verbose=true] desync <url>

Examples

The following example detects and confirms a CL.TE vulnerability at "foobar.com".

$ desync https://foobar.com
clte: Detected!
clte: Confirmed!
Done!

You can enable verbose mode to see why a vulnerability wasn't detected.

$ verbose=true desync https://foobar.com
tecl: Expected timeout, got response with status code 200
clte: Detected!
clte: Confirmed!
Done!

Sometimes during the confirm step, a web server will respond to the smuggled request with a non-404 status code (e.g. 302 redirect). You can specify the expected status code as follows.

$ code=302 desync https://foobaz.com
clte: Detected!
clte: Confirmed!
Done!

Contributing

Please do!

If you find a bug, want to add a feature/enhancement, or have a question, feel free to open an issue. You're also welcome to create a pull request addressing an issue. You should push your changes to a feature branch and request merge to develop.

About

Detect and confirm HTTP/S desync vulnerabilities

zbo14.github.io/2020/01/07/Detect-and-confirm-desync-vulnerabilities.html

Topics

http https desync request-smuggling

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages