dhmosfunk / CVE-2023-25690-POC

CVE 2023 25690 Proof of concept - mod_proxy vulnerable configuration on Apache HTTP Server versions 2.4.0 - 2.4.55 leads to HTTP Request Smuggling vulnerability.

Bad IP Reference in http.conf #1

Closed cocoh-23 closed 1 year ago

cocoh-23 commented 1 year ago

Hey, great lab. Thanks for taking the time to make it. In my case, the IP you reference in the proxy configuration (httpd.conf) is not correct, and when I request /categories I receive a 503 Bad Gateway. I made a slight change which worked and I recommend it so it does not depend on the IP. You can change the IP for the name you use for the backend server, in the Dockerfile. Then, the httpd.conf file looks like this:

```
RewriteRule "^/categories/(.*)" "http://backend-server:8080/categories.php?id=$1" [P]
ProxyPassReverse "/categories/" "http://backend-server:8080/"
```
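A defensive check for the configuration pattern this lab is built around, added here as an example and not part of the issue thread or the repository: a small Python linter that flags proxied `RewriteRule`/`ProxyPassMatch` directives which re-insert a wildcard capture into the backend URL, and also flags backends addressed by a literal IP (the cause of the error reported above). The sample config, the `192.0.2.10` address, the `/static/` and `/about` rules and the finding labels are constructed for illustration.

```python
import re
import shlex

# Constructed sample: the two directives quoted in the issue, plus hypothetical
# extra rules (192.0.2.10 is a documentation-only address).
SAMPLE_CONF = r'''
RewriteEngine on
RewriteRule "^/categories/(.*)" "http://backend-server:8080/categories.php?id=$1" [P]
ProxyPassReverse "/categories/" "http://backend-server:8080/"
RewriteRule "^/static/(.*)" "http://192.0.2.10:8080/static/$1" [P]
RewriteRule "^/about$" "http://backend-server:8080/about.php" [P]
'''

BACKREF = re.compile(r'\$[0-9]')                   # $1 ... $9 in the target
WILDCARD = re.compile(r'\([^)]*\.[*+][^)]*\)')     # capture group with .* or .+
IP_BACKEND = re.compile(r'^[a-z][a-z0-9+.-]*://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)', re.I)

def audit(conf_text):
    """Return (line_number, finding) tuples for risky proxy directives."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        try:
            tok = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: leave that to apachectl configtest
        name = tok[0].lower()
        if name == 'rewriterule' and len(tok) >= 3:
            flags = tok[3].strip('[]').upper().split(',') if len(tok) > 3 else []
            proxied = any(f.strip() in ('P', 'PROXY') for f in flags)
        elif name == 'proxypassmatch' and len(tok) >= 3:
            proxied = True
        else:
            continue
        pattern, target = tok[1], tok[2]
        if proxied and WILDCARD.search(pattern) and BACKREF.search(target):
            findings.append((lineno, 'reinserted-capture'))
        if proxied and IP_BACKEND.match(target):
            findings.append((lineno, 'hardcoded-ip-backend'))
    return findings

if __name__ == '__main__':
    for lineno, finding in audit(SAMPLE_CONF):
        print(f'line {lineno}: {finding}')
```

A `reinserted-capture` finding means request-controlled data is substituted into the proxied request target, which is the condition to review on the affected Apache versions; it is a heuristic and does not replace upgrading.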

cocoh-23 commented 1 year ago

I am making a pull request, feel free to accept it or not.

Thank you again for this lab!

dhmosfunk commented 1 year ago

Fixed Pull request 2.

cocoh-23 commented 1 year ago

Thank you @dhmosfunk. I have a question: have you tried to achieve Response Queue Poisoning with this behaviour? I leave you a nice link which I'll be trying in the next days. I believe this attack vector (https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning) could raise the impact of the vuln. if it's being hard to identify internal endpoints. Cheers

cocoh-23 commented 1 year ago

Sorry, this is the link: https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning

dhmosfunk commented 1 year ago

Yeah, I think if we can manage to configure the reverse proxy in order to expect only one response per request maybe we can reproduce the HTTP response queue poisoning.

Please create a new issue to discuss the topic of queue poisoning separately from the current closed issue.