Skip to content
This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

hardikmodha/POC-CVE-2023-32681

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
proxy
proxy
 
 
script
script
 
 
server
server
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.work
go.work
 
 

Repository files navigation

POC for CVE-2023-32681

This is a Python 3 implementation of CVE-2023-32681, affecting clients using the requests version <= 2.30.0.

As per https://www.rfc-editor.org/rfc/rfc9110.html#section-15.4 whenever redirection 3xx is issued by the server then user-agent should modify the request to remove certain headers and fields from the request.

Details of those fields can be found at https://www.rfc-editor.org/rfc/rfc9110.html#section-15.4-5. Specific to this CVE I've highlighted the relevant part here.

image

requests version <= 2.30.0 didn't remove the "Proxy-Authorization" headers while handling the redirection to "https" and thus leaking the proxy credentials to the redirected server.

More details for the same can be found at

Pre-requisites

  • Valid set of certificate for the HTTP(S) server. You can use mkcert to generate the certificates locally.
  • Go v1.19
  • Python 3.x
  • virtualenv (Optional)

Overview

  1. Proxy server implementation in Go. It starts a proxy server on Port 8080 and requires a basic authentication. For the POC purpose, it has the hardcoded username and password defined in the same file.
  2. HTTP(S) server implementation in Go. It starts 2 servers.
    • Redirection server listening on Port 443 and another echo server listening on Port 4431.
    • Redirection server defines a route /redirect that redirects the traffic to second server running on 4431.
    • Echo server defines a route /echoHeaders. This route returns the headers it received in the request to the client.
  3. POC Python script. It issues a proxied request to redirection server running on port 443 and prints the response that server returns.
  4. If the response contains the Proxy-Authorization headers then the requests version is said to be vulnerable to "CVE-2023-32681".

Steps

  1. Clone this repository.
  2. Update the certFile and keyFile variables in server/main.go.
  3. Start the HTTP(S) servers by running command go run server/main.go. This will start two servers listening on port 443 and 4431.
  4. Start the Proxy server by running command go run proxy/main.go. This will start the proxy server on port 8080.
  5. Install dependencies to run the Python script pip3 install -r script/requirements_request_2_30_0.txt
  6. Execute the POC script by running python3 script/poc.py and observe the output. You can see that "Proxy-Authorization" header is returned by the server in the response. Server also prints the received headers in the logs.
  7. Now, upgrade the requests version to >= 2.31.0 or do pip3 install -r script/requirements_request_2_31_0.txt
  8. Again execute the POC script by running python3 script/poc.py and observe the output. You can see that "Proxy-Authorization" header is now not present in the server response. Same can also be verified in the server logs.

Screenshots

Proxy server

proxy_server_logs

requests==2.30.0

requests_2_30_0_script_output requests_2_30_0_server_output

requests==2.31.0

requests_2_31_0_script_output requests_2_31_0_server_output

About

POC for the CVE-2023-32681

Resources

Readme

License

MIT license
Activity

Stars

4 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages