{"id":16471127,"url":"https://github.com/rizemon/cs5331","last_synced_at":"2025-02-28T01:38:59.738Z","repository":{"id":245682024,"uuid":"618366301","full_name":"rizemon/CS5331","owner":"rizemon","description":"Vulnerable environment and PoC scripts to demonstrate possible impacts of HTTP request smuggling","archived":false,"fork":false,"pushed_at":"2023-04-25T14:59:04.000Z","size":17,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-10T22:18:29.810Z","etag":null,"topics":["cve-2021-40346","gunicorn","haproxy","http","requestsmuggling"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rizemon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-24T10:10:02.000Z","updated_at":"2023-10-09T13:04:34.000Z","dependencies_parsed_at":"2024-06-23T12:04:58.341Z","dependency_job_id":null,"html_url":"https://github.com/rizemon/CS5331","commit_stats":null,"previous_names":["rizemon/cs5331"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rizemon%2FCS5331","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rizemon%2FCS5331/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rizemon%2FCS5331/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rizemon%2FCS5331/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rizemon","download_url":"https://codeload.github.com/rizemon/CS5331/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241085586,"owners_count":19907258,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2021-40346","gunicorn","haproxy","http","requestsmuggling"],"created_at":"2024-10-11T12:12:42.064Z","updated_at":"2025-02-28T01:38:59.710Z","avatar_url":"https://github.com/rizemon.png","language":"Python","readme":"# CS5331\n\n\u003e A great place to start is the [Scenarios](#scenarios) section, followed by the [Demonstrating the exploits](#demonstrating-the-exploits) section.\n\n- [CS5331](#cs5331)\n  - [Network Setup](#network-setup)\n  - [Scenarios](#scenarios)\n    - [Bypassing access controls (`/protected`)](#bypassing-access-controls-protected)\n    - [Forcing open-directs onto other users (`/redirected`)](#forcing-open-directs-onto-other-users-redirected)\n    - [Forcing reflected XSS onto other users (`/reflected`)](#forcing-reflected-xss-onto-other-users-reflected)\n    - [Stealing user's session cookies (`/captured`)](#stealing-users-session-cookies-captured)\n  - [Relevant vulnerabilities](#relevant-vulnerabilities)\n  - [Directory Layout](#directory-layout)\n  - [Making Changes](#making-changes)\n  - [PoC Scripts](#poc-scripts)\n  - [Demonstrating the exploits](#demonstrating-the-exploits)\n    - [Bypassing access controls](#bypassing-access-controls)\n    - [Forcing open-directs onto other users](#forcing-open-directs-onto-other-users)\n    - [Forcing reflected XSS onto other users](#forcing-reflected-xss-onto-other-users)\n    - [Stealing user's session cookies](#stealing-users-session-cookies)\n\n\n## Network Setup\n\n```\n[ browser ] \u003c===\u003e [ proxy (HAProxy) ] \u003c===\u003e [ backend (Gunicorn) ]\n```\n\n## Scenarios\n\n### Bypassing access controls (`/protected`)\n\n* **Background**: `backend` has a `/protected` page that is not meant to be accessible by the web browser as the `proxy` maps `/protected` to `/unauthorized`. This means that requesting `/protected` via the `proxy` will result in getting the contents of `/unauthorized` from the `backend`.\n\n* **Goal**: View the contents of the `/protected` page.\n\n### Forcing open-directs onto other users (`/redirected`)\n\n* **Background**: `backend` has a `/redirected` page which has an `Open Redirect` vulnerability. It redirects the user based on the `Host` header of the request. This cannot be exploited for phishing-related acts on a victim as there is no way to override the `Host` header using normal means.\n\n* **Goal**: Force a victim to be redirected to an arbitrary URL.\n\n### Forcing reflected XSS onto other users (`/reflected`)\n\n* **Background**: `backend` has a `/reflected` page which has a `Reflected XSS` vulnerability. It prints the contents of the `User-Agent` header of the request. This cannot be exploited to execute JavaScript payloads on the victim as there is no way to override the `User-Agent` header using normal means.\n\n* **Goal**: Force a victim to execute arbitrary JavaScript code.\n\n### Stealing user's session cookies (`/captured`)\n\n* **Background**: `backend` has a `/captured` page that receives `content` from the body data of the request and stores it in an in-memory array, which can be viewed.\n\n* **Goal**: Force a victim's next request (containing a `FLAG` cookie) to be saved into the in-memory array.\n\n## Relevant vulnerabilities\n* Gunicorn (apparently no CVE was assigned): https://grenfeldt.dev/2021/04/01/gunicorn-20.0.4-request-smuggling/\n* HAProxy CVE-2021-40346: https://nvd.nist.gov/vuln/detail/CVE-2021-40346\n\n## Directory Layout\n\n* `./backend/*`: Contains files to build the `backend` container\n* `./proxy/*`: Contains files to build the `proxy` container\n* `./poc/*`: Contains scripts to run attacks\n\n## Making Changes\n\n1) Make code changes\n2) `docker-compose build`\n3) `docker-compose up`\n4) Repeat.\n\n## PoC Scripts\n* `poc1.py`: Exploits Gunicorn's vulnerability to poison the next user's request\n    * `poc1_redirect.py`: Exploits Gunicorn's vulnerability to force the user to be redirected to `http://www.example.com`.\n    * `poc1_xss.py`: Exploits Gunicorn's vulnerability to force the user's browser to execute `alert(document.domain)`.\n    * `poc1_capture.py`: Exploits Gunicorn's vulnerability to capture the next user's request and store it into the server's in-memory array\n* `poc2.py`: Exploits HAProxy's vulnerability to poison the next user's request\n    * `poc2_redirect.py`: Exploits HAProxy's vulnerability to force the user to be redirected to `http://www.example.com`.\n    * `poc2_xss.py`: Exploits HAProxy's vulnerability to force the user's browser to execute `alert(document.domain)`.\n    * `poc2_capture.py`: Exploits HAProxy's vulnerability to capture the next user's request and store it into the server's in-memory array\n\n## Demonstrating the exploits\n\n### Bypassing access controls\n\n1) Execute `python3 poc1.py`.\n2) **Within the next 30s**, browse to `http://localhost`.\n\n### Forcing open-directs onto other users\n\n1) Execute `python3 poc1_redirect.py`.\n2) **Within the next 30s**, browse to `http://localhost`.\n\n### Forcing reflected XSS onto other users\n\n1) Execute `python3 poc1_xss.py`.\n2) **Within the next 30s**, browse to `http://localhost`.\n\n### Stealing user's session cookies\n\n1) Execute `python3 poc1_capture.py`.\n2) **Within the next 30s**, execute the following:\n   ```bash\n   curl http://localhost/ -H \"Cookie: FLAG\"\n   ```\n3) Browse to `http://localhost/captured`.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frizemon%2Fcs5331","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frizemon%2Fcs5331","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frizemon%2Fcs5331/lists"}