This is a better rule, it says, from the start of the page name, any number of slashes followed by secret. What does the hex view look like?
As well as doing the app testing, the client also asked for a review of server config and as part of that they provided the lighttpd config, I was working through that when I spotted this line: Side by side the two requests look identical with the request going to secret.
The request URL is invalid. One page that looked very interesting was secret. I tried with various. I made a request for it and got the secret content: Once you know the rules it is often much easier to play the game and win. I also confirmed that all three are happy with with DOS or Unix line endings.
This prevents our original bypass as zero slashes is allowed as well as the later one where two or more slashes were used. I make a connection, copy the request from Repeater and Knowing this, I wanted to see if I could view the content with curl or in a browser.
This is the story of how I worked through two problems and found an interesting issue with lighttpd which resulted in an unexpected vulnerability. Next the curl command created by Burp: There were a few extra headers thrown in by Firefox but that is to be expected.
If you want to fix it with the rewrite rules, the easiest way to do it is to remove the leading slash from the regex: WAFs and other simple protection systems often reply on user agent checking so maybe it is that simple, lets try curl again removing both these extra headers: After converting it, lets try again: Wed, 18 Apr If not Firefox, can I see the content using curl?
This is annoying but I figure I can talk to the developers about it at some point and see if they have any ideas. Invalid HTTP requests and bypassing rewrite rules in lighttpd Mon 30th April 18 On a recent test of a web app hosted on a lighttpd server I came across a weird situation that had me scratching my head and using techniques I usually keep for network testing.
The first URL I tried was: If you are not a vim user, the unix2dos app from the dos2unix package is also an option. It helps to show that computers are determinsitic and there is a reason behind things, sometimes it just takes some work to find out what the rules are.
Fri, 20 Apr Sun, 22 Apr Burp is able to make the request as the page name is specified in the request but curl requires the page to be part of the URL.
One last solution would depend on the purpose of secret. First, the Burp request: There are a couple of differences, this request has the curl user agent and an extra accept header.Lighttpd: redirect any request to mi-centre.com Ask Question.
I want all requests to go to /mi-centre.com You said you wanted to prevent athis will do that. Browse other questions tagged http redirect rewrite lighttpd http-status-code or ask your own question.
asked. 7 years, 6 months ago. I would like to use lighttpd's mod_rewrite to allow requests without a specific file extension.
For instance, I would like the following mappings to automatically work: Requesting for "/index" would serve "/mi-centre.com". Lighttpd mod_rewrite and SSL.
Ask Question. mi-centre.come-once can be placed without conditional but it seems that it will not work all the time according to some forums. share | improve this answer.
answered Feb 10 '10 at Lighttpd and OpenCart GET requests with mod_rewrite.
0. Lighttpd mod_rewrite to Apache mod_rewrite. 2. We would like to show you a description here but the site won’t allow us. Redirect all http & https requests with lighttpd.
Ask Question. I would like to redirect all requests (http & https) to the PirateBox Uri, mi-centre.com I would expect the default port of 80 to be used for the redirect.
As a side note, the https request seems to time out like https traffic makes it to lighttpd.
– TheLukeMcCarthy Jun 3. Lighttpd localy serving FastCGI with forwarding all request to other sever at same time. Ask Question. Is there any way how to serve all requests on Lighttpd with local FastCGI lighttpd mod_rewrite vs. apache mod_rewrite with Django and FastCGI.