{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This is a summary of the post https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers
Hop-by-hop headers are specific to a single transport-level connection, used primarily in HTTP/1.1 for managing data between two nodes (like client-proxy or proxy-proxy), and are not meant to be forwarded. Standard hop-by-hop headers include Keep-Alive
, Transfer-Encoding
, TE
, Connection
, Trailer
, Upgrade
, Proxy-Authorization
, and Proxy-Authenticate
, as defined in RFC 2616. Additional headers can be designated as hop-by-hop via the Connection
header.
Improper management of hop-by-hop headers by proxies can lead to security issues. While proxies are expected to remove these headers, not all do, creating potential vulnerabilities.
The handling of hop-by-hop headers can be tested by observing changes in server responses when specific headers are marked as hop-by-hop. Tools and scripts can automate this process, identifying how proxies manage these headers and potentially uncovering misconfigurations or proxy behaviors.
Abusing hop-by-hop headers can lead to various security implications. Below are a couple of examples demonstrating how these headers can be manipulated for potential attacks:
An attacker can manipulate the X-Forwarded-For
header to bypass IP-based access controls. This header is often used by proxies to track the originating IP address of a client. However, if a proxy treats this header as hop-by-hop and forwards it without proper validation, an attacker can spoof their IP address.
Attack Scenario:
- The attacker sends an HTTP request to a web application behind a proxy, including a fake IP address in the
X-Forwarded-For
header. - The attacker also includes the
Connection: close, X-Forwarded-For
header, prompting the proxy to treatX-Forwarded-For
as hop-by-hop. - The misconfigured proxy forwards the request to the web application without the spoofed
X-Forwarded-For
header. - The web application, not seeing the original
X-Forwarded-For
header, might consider the request as coming directly from a trusted proxy, potentially allowing unauthorized access.
If a cache server incorrectly caches content based on hop-by-hop headers, an attacker could inject malicious headers to poison the cache. This would serve incorrect or malicious content to users requesting the same resource.
Attack Scenario:
- An attacker sends a request to a web application with a hop-by-hop header that should not be cached (e.g.,
Connection: close, Cookie
). - The poorly configured cache server does not remove the hop-by-hop header and caches the response specific to the attacker's session.
- Future users requesting the same resource receive the cached response, which was tailored for the attacker, potentially leading to session hijacking or exposure of sensitive information.
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.