Skip to content

Haproxy and Nuster

GrrrDog edited this page Jan 9, 2019 · 7 revisions

Basics

  • case-insensitive for verb
  • allows any path/query values (except 0x00-0x20, >0x80):
    • GET !i?lala=#anything HTTP/1.1
  • doesn't url-decode and normalize the path before applying rules
  • support converters:
    • url_dec - url decodes (but sends undecoded to origin server), but spoils path_begin
  • path_* extracts the path, which starts at the first slash and ends before the first question mark
  • allows >1 Host:
    • forwards all of them
  • doesn't forward AnyHeader : - 400 error
  • support line folding for headers ( Header:zzz-> concatenate with previous header)
  • no additional headers to backend

Fingerprint

  • no special headers
  • 400 error:
<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>
  • 403 error:
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

Absolute-URI

  • doesn't support (parse) Absolute-URI
  • forwards it as is
    • GET http://backend.com/q?name=X&type=Y HTTP/1.1 -> GET http://backend.com/q?name=X&type=Y HTTP/1.1

Caching

Cache's been partly implemented in this version of HAproxy. It was not tested. Nuster was tested instead

  • default key of CACHE: method.scheme.host.uri
  • default key of NoSQL: GET.scheme.host.uri
    • http://www.example.com/q?name=X&type=Y -> GET.http.www.example.com./q?name=X&type=Y
  • only 200 response is cached
  • doesn't respect Cache-Control, Expire headers from the origin
  • Does not honor the Pragma and the client's Cache-Control

Vulnerable configs

  • Bypass //admin/ /Admin/ /%61dmin/
acl restricted_page path_beg /admin
  • Bypass /log/ - any trailing symbol (e.g. /)
acl restricted_page path_beg,url_dec  /log
Clone this wiki locally