Closed cocoh-23 closed 1 year ago
I am making a pull request, feel free to accept it or not.
Thank you again for this lab!
Fixed Pull request 2.
Thank you @dhmosfunk. I have a question: have you tried to achieve Response Queue Poisoning with this behaviour? I leave you a nice link which I'll be trying in the next days. I believe this attack vector (https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning) could raise the impact of the vuln if it's being hard to identify internal endpoints. Cheers
Sorry, this is the link: https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning
Yeah, I think if we can manage to configure the reverse proxy in order to expect only one response per request maybe we can reproduce the HTTP response queue poisoning.
KeepAlive Off
and MaxKeepAliveRequests 1
Please create a new issue to discuss the topic of queue poisoning separately from the current closed issue.
Hey, great lab. Thanks for taking the time to make it. In my case, the IP you reference in the proxy configuration (httpd.conf) is not correct, and when I request /categories I receive a 503 Bad Gateway. I made a slight change which worked and I recommend it so it does not depend on the IP. You can change the IP for the name you use for the backend server, in the Dockerfile. Then, the httpd.conf file looks like this:
RewriteRule "^/categories/(.*)" "http://backend-server:8080/categories.php?id=$1" [P]
ProxyPassReverse "/categories/" "http://backend-server:8080/"
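An added example, not part of the thread or the lab's own code: a small check that lists proxy directives in an httpd.conf whose backend is an IP literal rather than a name, which is the condition the last comment describes. The address 172.16.0.10 and the function names are assumptions made for this sketch; `backend-server` is the name from the comment.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit

# Constructed sample: lines 2-3 pin the backend to an address (172.16.0.10 is
# made up for this example); lines 4-5 use the name from the comment above.
SAMPLE_CONF = """
RewriteRule "^/categories/(.*)" "http://172.16.0.10:8080/categories.php?id=$1" [P]
ProxyPassReverse "/categories/" "http://172.16.0.10:8080/"
RewriteRule "^/categories/(.*)" "http://backend-server:8080/categories.php?id=$1" [P]
ProxyPassReverse "/categories/" "http://backend-server:8080/"
"""


def proxy_targets(conf_text):
    """Yield (line_no, directive, host) for each proxied backend URL."""
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # honours the quoted arguments
        except ValueError:
            continue  # unbalanced quotes: not a line this check can read
        name = tokens[0].lower()
        target = None
        if name == "rewriterule" and len(tokens) >= 4:
            flags = [f.strip().upper() for f in tokens[3].strip("[]").split(",")]
            if "P" in flags or "PROXY" in flags:  # only proxied rewrites
                target = tokens[2]
        elif name in ("proxypass", "proxypassreverse") and len(tokens) >= 3:
            target = tokens[2]
        host = urlsplit(target).hostname if target else None
        if host:
            yield line_no, tokens[0], host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hardcoded_ip_backends(conf_text):
    """Proxy targets that stop working when the backend's address changes."""
    return [t for t in proxy_targets(conf_text) if is_ip_literal(t[2])]


if __name__ == "__main__":
    for line_no, directive, host in hardcoded_ip_backends(SAMPLE_CONF):
        print(f"line {line_no}: {directive} points at IP literal {host}")
```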