mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
27 lines
1.4 KiB
Markdown
27 lines
1.4 KiB
Markdown
# GoLang HTTP CONNECT Method
|
|
|
|
{{#include ../../banners/hacktricks-training.md}}
|
|
|
|
## CONNECT method
|
|
|
|
In the Go programming language, a common practice when handling HTTP requests, specifically using the `net/http` library, is the automatic conversion of the request path into a standardized format. This process involves:
|
|
|
|
- Paths ending with a slash (`/`) like `/flag/` are redirected to their non-slash counterpart, `/flag`.
|
|
- Paths containing directory traversal sequences such as `/../flag` are simplified and redirected to `/flag`.
|
|
- Paths with a trailing period as in `/flag/.` are also redirected to the clean path `/flag`.
|
|
|
|
However, an exception is observed with the use of the `CONNECT` method. Unlike other HTTP methods, `CONNECT` does not trigger the path normalization process. This behavior opens a potential avenue for accessing protected resources. By employing the `CONNECT` method alongside the `--path-as-is` option in `curl`, one can bypass the standard path normalization and potentially reach restricted areas.
|
|
|
|
The following command demonstrates how to exploit this behavior:
|
|
|
|
```bash
|
|
curl --path-as-is -X CONNECT http://gofs.web.jctf.pro/../flag
|
|
```
|
|
|
|
[https://github.com/golang/go/blob/9bb97ea047890e900dae04202a231685492c4b18/src/net/http/server.go\#L2354-L2364](https://github.com/golang/go/blob/9bb97ea047890e900dae04202a231685492c4b18/src/net/http/server.go#L2354-L2364)
|
|
|
|
{{#include ../../banners/hacktricks-training.md}}
|
|
|
|
|
|
|