diff --git a/src/network-services-pentesting/pentesting-web/special-http-headers.md b/src/network-services-pentesting/pentesting-web/special-http-headers.md index 7307e8db8dc..fb0f4b6f0b1 100644 --- a/src/network-services-pentesting/pentesting-web/special-http-headers.md +++ b/src/network-services-pentesting/pentesting-web/special-http-headers.md 
@@ -117,6 +117,52 @@ For more info about HTTP Request Smuggling check: - **`Content-Language`**: Describes the human language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language. - **`Content-Location`**: Indicates an alternate location for the returned data. +### Unsupported request-body encodings + +`Content-Encoding` is not only interesting in **responses**. Some products also inspect it on **requests** and will transparently decompress the body before authentication, routing, or application logic. This creates a useful attack surface when the server: + +- accepts **`POST`/`PUT`** bodies before authentication +- exposes a decompressor for values like **`gzip`** or **`deflate`** +- rejects unsupported encodings only under a secondary config flag, or forgets to reject them at all + +This can turn a single request into a **pre-auth parser/decompressor DoS** or, in the worst case, a memory-corruption sink. Test weird or unnecessary request-body encodings whenever the product does not actually need them. + +Minimal probe pattern: + +```http +POST / HTTP/1.1 +Host: target +Content-Encoding: deflate +Content-Length: 1 + +A +``` + +Notes: + +- The body may only need to be **non-empty**; sometimes it does **not** need to be valid compressed data. +- Prefer replaying this only in labs. Against production targets, first look for a **safe differential check**. + +### Safe differential detection using `identity` + +When a vendor fixes this class of bug by adding an **input-validation gate** before body processing, you can often fingerprint patch status safely without reaching the dangerous decompressor. 
A common pattern is: + +- **Patched**: any request with a body and a non-empty `Content-Encoding` is rejected with **`415 Unsupported Media Type`** +- **Vulnerable**: the same request is processed normally because the validation gate is missing + +Safe example: + +```http +POST / HTTP/1.1 +Host: target +Content-Encoding: identity +Content-Length: 1 + +A +``` + +If `identity` returns `415`, the product is likely enforcing a generic **"no encoded request bodies"** rule. If it accepts the request, review whether request decompression is reachable and whether `gzip`/`deflate` become dangerous. This is especially useful for managed file transfer products, admin portals, and appliances exposing web interfaces by default. + From a pentest point of view this information is usually "useless", but if the resource is **protected** by a 401 or 403 and you can find some **way** to **get** this **info**, this could be **interesting.**\ For example a combination of **`Range`** and **`Etag`** in a HEAD request can leak the content of the page via HEAD requests: 
@@ -302,6 +348,9 @@ The headers reach the `exec` component unfiltered, resulting in remote command e ## References - [CVE-2025-27636 – RCE in Apache Camel via header casing bypass (OffSec blog)](https://www.offsec.com/blog/cve-2025-27636/) +- [A Crash, Not a Shell: SolarWinds Serv-U CVE-2026-28318](https://bishopfox.com/blog/a-crash-not-a-shell-solarwinds-serv-u-cve-2026-28318) +- [Bishop Fox safe checker for CVE-2026-28318](https://github.com/BishopFox/CVE-2026-28318-check) +- [SolarWinds Serv-U 15.5.4 Hotfix 1 release notes](https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4-hotfix-1_release_notes.htm) - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) - [https://web.dev/security-headers/](https://web.dev/security-headers/)
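Review bot: In the first hunk, the insertion point splits the entity-header bullet list from the paragraph that comments on it: the unchanged context line "From a pentest point of view this information is usually "useless"…" refers back to the `Content-Language`/`Content-Location` list (and to the `Range` + `Etag` HEAD trick that follows), but after this change it reads as a verdict on the new "Unsupported request-body encodings" section that now sits directly above it. Move the two new `###` sections to after that paragraph and its `Range`/`Etag` example (or to the end of the Content-* discussion) so the existing text keeps its referent. Two smaller points in the same hunk: the "Patched: … rejected with **`415 Unsupported Media Type`**" bullet is stated as a generic pattern but is what the referenced Serv-U CVE-2026-28318 hotfix does, so say so (e.g. "as in the Serv-U fix") rather than presenting a blanket `415`-on-`identity` rule; and since `identity` is a legitimate no-transformation encoding token, the "If it accepts the request" sentence should add that acceptance alone is not a finding, only a prompt to check whether `gzip`/`deflate` bodies reach a decompressor before authentication.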
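Review bot: In the References hunk, the three new Serv-U / CVE-2026-28318 entries are added without any inline link from the new "Safe differential detection using `identity`" section, so a reader cannot tell that the `415` fingerprint and the "safe checker" come from that specific case. Add a sentence in the new section pointing at the Bishop Fox write-up and checker (the page already does this for the Apache Camel entry, which is cited from the "`exec` component" paragraph in the surrounding context), and match the existing entry's title style "`<description> – <source>`" for the new bullets, e.g. "A Crash, Not a Shell: SolarWinds Serv-U CVE-2026-28318 – Bishop Fox".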