-=[ The nncoection Response layout ]=- ====================================== Triosec , SecNiche Security This abstract covers the explanation of the connection specifier that is changed during processing of the HTTP request. It holds a versaitlity in the way the HTTP based connection strings are handled by intermediate devices.The problem starts with the undermentioned response that I encouneterd during pentest a web server: HTTP/1.1 200 OK\r\n Date: Tue, 05 Jul 2007 17:05:18 GMT\r\n Server: Server\r\n Vary: Accept-Encoding,User-Agent\r\n Content-Type: text/html; charset=ISO-8859-1\r\n nnCoection: close\r\n Transfer-Encoding: chunked\r\n I have noticed a peculiar thing ie the changing of connection string to nncoection. It seems to me that certain device placed in between have tempered the request parameters. -=[ Explanation ]=- ==================== The change of connection to nncoection is a trick used by the devices. This is something done by a hackish hardware load balancer trying to “remove” the connection close header when proxying for an internal server. That way, the connection can be held open and images can be transmitted through the same TCP connection, while the backend web server doesn’t need to be modified at all. It just closes the connection and moves on to the next request. The Example I adhere to is : send: 'GET /?Action=DescribeImages&AWSAccessKeyId=0CZQCKRS3J69PZ6QQQR2&Owner.1 =084307701560&SignatureVersion=1&Timestamp=2007-02-15T17%3A30%3A13 &Version=2007-01- 03&Signature= HTTP/1.1\r\nHost: ec2.amazonaws.com:443\r\nAccept- Encoding: identity\r\n\r\n' reply: 'HTTP/1.1 200 OK\r\n' header: Server: Apache-Coyote/1.1 header: Transfer-Encoding: chunked header: Date: Thu, 15 Feb 2007 17:30:13 GMT send: 'GET /?Action=ModifyImageAttribute&Attribute=launchPermission&AWSAccessKeyId =0CZQCKRS3J6 9PZ6QQQR2&ImageId=ami-00b95c69&OperationType=add&SignatureVersion=1& Timestamp=2007- 02-15T17%3A30%3A14&UserGroup.1=all&Version=2007-01-03&Signature= HTTP/1.1\r\nHost: ec2.amazonaws.com:443\r\nAccept-Encoding: identity\r\n\r\n' reply: 'HTTP/1.1 400 Bad Request\r\n' header: Server: Apache-Coyote/1.1 header: Transfer-Encoding: chunked header: Date: Thu, 15 Feb 2007 17:30:14 GMT header: nnCoection: close The nncoection strategy is used for missed connection. The chunked version indicates an apache flavor. I have noticed this many times and I think it web server used is Apache-Coyote 1.1. So the intermediate devices functions really strange to manage the incoming requests. ==== Zknk