--- name: pentest-hop-by-hop-headers description: Use this skill whenever testing web applications for HTTP header vulnerabilities, proxy misconfigurations, or when investigating hop-by-hop header handling issues. Trigger this skill for any pentesting task involving HTTP headers, X-Forwarded-For manipulation, cache poisoning, or proxy bypass techniques. Don't forget to use this skill when the user mentions headers, proxies, HTTP security testing, or web application penetration testing. --- # Hop-by-Hop Header Abuse Testing This skill helps you test for vulnerabilities related to HTTP hop-by-hop headers. These headers are meant to be removed by proxies but misconfigurations can lead to security issues like access control bypass and cache poisoning. ## What Are Hop-by-Hop Headers? Hop-by-hop headers are specific to a single transport-level connection and should not be forwarded by proxies. Standard hop-by-hop headers include: - `Keep-Alive` - `Transfer-Encoding` - `TE` - `Connection` - `Trailer` - `Upgrade` - `Proxy-Authorization` - `Proxy-Authenticate` Additional headers can be designated as hop-by-hop via the `Connection` header (e.g., `Connection: close, X-Custom-Header`). ## Why This Matters Proxies are expected to remove hop-by-hop headers before forwarding requests. When they don't, or when they incorrectly handle headers marked as hop-by-hop, attackers can: 1. **Bypass access controls** by manipulating headers like `X-Forwarded-For` 2. **Poison caches** by injecting session-specific content 3. **Spoof client identity** to appear as trusted sources ## Testing Methodology ### Step 1: Identify the Target Determine if the target uses proxies, load balancers, or caching layers. Look for: - Multiple `X-Forwarded-*` headers in responses - `Via` headers indicating proxy chains - Caching headers like `Cache-Control`, `ETag`, `Last-Modified` ### Step 2: Test Header Handling Use the provided scripts to test how the target handles hop-by-hop headers: ```bash # Test basic hop-by-hop header handling python scripts/test_hop_by_hop.py --url "https://target.com" --headers "X-Custom-Test" # Test X-Forwarded-For bypass python scripts/test_xff_bypass.py --url "https://target.com" --spoof-ip "10.0.0.1" ``` ### Step 3: Analyze Responses Compare responses with and without hop-by-hop header manipulation. Look for: - Different content based on header values - Access control changes - Cache behavior differences ## Attack Scenarios ### Scenario 1: X-Forwarded-For Bypass **Goal**: Bypass IP-based access controls by manipulating the `X-Forwarded-For` header. **How it works**: 1. Send a request with a spoofed IP in `X-Forwarded-For` 2. Add `Connection: close, X-Forwarded-For` to mark it as hop-by-hop 3. If the proxy forwards the request without the header, the backend may see the request as coming from a trusted proxy **Example request**: ``` GET /admin HTTP/1.1 Host: target.com Connection: close, X-Forwarded-For X-Forwarded-For: 10.0.0.1 ``` **What to look for**: - Access granted when it should be denied - Different response content based on spoofed IP - Backend treating the request as from a trusted source ### Scenario 2: Cache Poisoning **Goal**: Inject malicious content into a cache by exploiting hop-by-hop header handling. **How it works**: 1. Send a request with a header that should be hop-by-hop (e.g., `Cookie`) 2. Mark it as hop-by-hop via `Connection: close, Cookie` 3. If the cache incorrectly caches the response, other users receive your session-specific content **Example request**: ``` GET /api/user HTTP/1.1 Host: target.com Connection: close, Cookie Cookie: session=attacker-session-id ``` **What to look for**: - Cached responses containing session-specific data - Other users receiving your tailored content - Inconsistent responses for the same URL ### Scenario 3: Header Injection **Goal**: Inject custom headers that bypass security controls. **How it works**: 1. Identify a header the application trusts (e.g., `X-Is-Admin`, `X-Role`) 2. Mark it as hop-by-hop and inject a malicious value 3. If the proxy forwards it, the backend may grant elevated privileges **Example request**: ``` GET /api/data HTTP/1.1 Host: target.com Connection: close, X-Is-Admin X-Is-Admin: true ``` ## Practical Testing Commands ### Using curl ```bash # Test X-Forwarded-For bypass curl -v "https://target.com/admin" \ -H "Connection: close, X-Forwarded-For" \ -H "X-Forwarded-For: 10.0.0.1" # Test cache poisoning curl -v "https://target.com/api/user" \ -H "Connection: close, Cookie" \ -H "Cookie: session=test123" # Test custom header injection curl -v "https://target.com/api/data" \ -H "Connection: close, X-Is-Admin" \ -H "X-Is-Admin: true" ``` ### Using the Test Scripts ```bash # Run comprehensive hop-by-hop tests python scripts/test_hop_by_hop.py \ --url "https://target.com" \ --headers "X-Forwarded-For,X-Is-Admin,X-Role" \ --output results.json # Test specific bypass scenario python scripts/test_xff_bypass.py \ --url "https://target.com/admin" \ --spoof-ip "192.168.1.1" \ --trusted-range "10.0.0.0/8" ``` ## Interpreting Results ### Positive Indicators (Vulnerability Found) - Response changes when hop-by-hop headers are manipulated - Access control bypass successful - Cache contains session-specific content - Backend trusts injected header values ### Negative Indicators (No Vulnerability) - Consistent responses regardless of header manipulation - Proxies correctly strip hop-by-hop headers - Backend validates headers properly ## Reporting Findings When documenting hop-by-hop header vulnerabilities: 1. **Include the exact request** that triggered the vulnerability 2. **Show the response difference** between normal and manipulated requests 3. **Explain the impact** (e.g., "allows bypass of IP-based access control") 4. **Provide remediation** (e.g., "configure proxy to properly strip hop-by-hop headers") ## Common Misconfigurations - Proxies that don't strip headers listed in `Connection` - Caches that include hop-by-hop headers in cache keys - Backends that trust `X-Forwarded-*` headers without validation - Load balancers that forward all headers without filtering ## References - [RFC 2616 Section 13.5.1](https://tools.ietf.org/html/rfc2616#section-13.5.1) - Hop-by-hop headers - [Original Research](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers) - Abusing HTTP hop-by-hop request headers - [OWASP Header Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_for_HTTP_Parameter_Pollution) - Related testing guidance