We covered Apache proxy servers, including forward and reverse proxies, and the related modules and directives such as mod_proxy and ProxyPass. We also covered CVE-2023-25690, where HTTP request headers are injected with certain characters in order to pass more than one request and reveal certain content behind a reverse proxy. This was part of the HackTheBox ApacheBlaze web challenge.
Step into the ApacheBlaze universe, a world of arcade clicky games. Rumor has it that by playing certain games, you have the chance to win a grand prize. However, before you can dive into the fun, you’ll need to crack a puzzle.
Video Highlights
Forward Proxy vs Reverse Proxy
The forward proxy is activated using the ProxyRequests directive. Because forward proxies allow clients to access arbitrary sites through your server and to hide their true origin, it is essential that you secure your server so that only authorized clients can access the proxy before activating a forward proxy.
A reverse proxy (or gateway), by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the namespace of the reverse proxy. The reverse proxy then decides where to send those requests and returns the content as if it were itself the origin.
We used the exploit below to demonstrate internal HTTP request smuggling via header injection.
With the above exploit we can use certain characters, such as \r\n\r, which will enable us to send the request directly to the reverse proxy.
The complete request URL can be:
/api/games/click_topia%20HTTP/1.1%0d%0aHost:%20dev.apacheblaze.local%0d%0a%0d%0aGET%20/
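On the defensive side, a request like this stands out in the reverse proxy's access log. The following is an added example, not code from the original post or the challenge: a Python check that percent-decodes each logged request-target and flags CR/LF characters and any embedded protocol token, header or request line. The log entries, function names and indicator names are constructed for illustration; the flagged path is the request URL shown above.

```python
import re
from urllib.parse import unquote

# Request line inside the first quoted field of an Apache access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^"]*) HTTP/\d\.\d"')

# Indicators checked on the decoded request-target. A legitimate path or query
# has no control characters and carries no protocol token, header or request line.
INDICATORS = [
    ("control-char", re.compile(r"[\x00-\x1f\x7f]")),
    ("embedded-protocol-token", re.compile(r"\sHTTP/\d\.\d")),
    ("embedded-header", re.compile(r"[\r\n][A-Za-z-]+:\s")),
    ("embedded-request-line",
     re.compile(r"[\r\n](?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)\s")),
]

def inspect_target(raw_target):
    """Return the names of the smuggling indicators found in one request-target."""
    # Two decoding passes so double-encoded sequences such as %250d are caught too.
    decoded = unquote(unquote(raw_target))
    return [name for name, pattern in INDICATORS if pattern.search(decoded)]

def scan_log(lines):
    """Return (line number, raw target, indicators) for every suspicious entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            found = inspect_target(match.group("target"))
            if found:
                hits.append((number, match.group("target"), found))
    return hits

# Constructed sample entries (documentation-range addresses, made-up timestamps).
# The second entry carries the request URL quoted in this write-up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /api/games/click_topia HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /api/games/click_topia%20HTTP/1.1'
    '%0d%0aHost:%20dev.apacheblaze.local%0d%0a%0d%0aGET%20/ HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /search?q=hello%20world HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for number, target, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)} in {target}")
```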
Video Walkthrough