We covered Apache proxy servers, including forward and reverse proxies, and the related components such as the mod_proxy module and the ProxyPass directive. We also covered CVE-2023-25690, where HTTP request headers are injected with certain characters in order to pass more than one request and reveal certain content behind a reverse proxy. This was part of the HackTheBox ApacheBlaze web challenge.

CHALLENGE DESCRIPTION

Step into the ApacheBlaze universe, a world of arcade clicky games. Rumor has it that by playing certain games, you have the chance to win a grand prize. However, before you can dive into the fun, you’ll need to crack a puzzle.

Video Highlights

Forward Proxy vs Reverse Proxy

The forward proxy is activated using the ProxyRequests directive. Because forward proxies allow clients to access arbitrary sites through your server and to hide their true origin, it is essential that you secure your server so that only authorized clients can access the proxy before activating a forward proxy.

A reverse proxy (or gateway), by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the namespace of the reverse proxy. The reverse proxy then decides where to send those requests and returns the content as if it were itself the origin.

We used the exploit below to demonstrate internal HTTP request smuggling via header injection:

CVE-2023-25690

With the above exploit we can use certain characters, such as \r\n\r, which will enable us to send the request directly to the reverse proxy.

The complete request URL can be:

/api/games/click_topia%20HTTP/1.1%0d%0aHost:%20dev.apacheblaze.local%0d%0a%0d%0aGET%20/
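
A defender-side check for the request shape shown above, as an added example that is not part of the original write-up: it percent-decodes the request target in access-log lines and flags CR/LF, an embedded protocol token, or an injected Host header. The log lines are constructed samples (the second reuses the URL above), and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined access-log entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
# A decoded target should never carry its own protocol token
EMBEDDED_PROTO_RE = re.compile(r"\sHTTP/\d\.\d", re.IGNORECASE)
INJECTED_HOST_RE = re.compile(r"[\r\n]\s*Host\s*:", re.IGNORECASE)

# Constructed sample log lines (addresses are documentation ranges)
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/games/click_topia HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /api/games/click_topia%20HTTP/1.1'
    '%0d%0aHost:%20dev.apacheblaze.local%0d%0a%0d%0aGET%20/ HTTP/1.1" 200 128',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /api/games/click_topia%2520HTTP/1.1'
    '%250d%250a HTTP/1.1" 400 0',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%250d) is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return the reasons a logged request looks like header injection."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    target = fully_decode(match.group("target"))
    reasons = []
    if "\r" in target or "\n" in target:
        reasons.append("CR/LF in decoded request target")
    if EMBEDDED_PROTO_RE.search(target):
        reasons.append("protocol token inside request target")
    if INJECTED_HOST_RE.search(target):
        reasons.append("injected Host header")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every suspicious entry."""
    hits = [(n, inspect_line(line)) for n, line in enumerate(lines, start=1)]
    return [(n, reasons) for n, reasons in hits if reasons]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```
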
