Description
HTTP request smuggling is an attack technique that is conducted by interfering with the processing of requests between the frontend and backend servers. The attacker exploits the vulnerability by modifying the request to include another request in the first request’s body.
The severity of this issue depends on the system and the attack scenario, it can be used to bypass security controls, attack other users, etc..
Attack Scenario
During the attack basically, two HTTP headers are used:
- Content-Length Header: the size of the request body (in bytes).
- Transfer-Encoding Header: specified as chunked so that the request body will be sent in chunks (separated by newline). 0 is used to end a chunk.
To exploit HTTP request smuggling we need the following requirements :
- The front-end server forwards multiple requests to the back-end server over the same network connection.
- The back end doesn’t agree with the front end about where each message ends.
- The ambiguous request the attacker sends gets interpreted as two separate HTTP requests by the backend server
- The attacker prepares the second request for the sake of malicious activity that cannot be accomplished by the first request
To exploit HTTP request smuggling there are three different attack scenarios :
- CL.TE:
- The frontend server uses the
Content-Length
header and the backend server uses the Transfer-Encoding
header.
- TE.CL:
- The frontend server uses the
Transfer-Encoding
header and the backend server uses the Content-Length
header.
- TE.TE:
- The frontend and backend servers both support the
Transfer-Encoding
header, but one of the servers can be induced not to process it by obfuscating the header in some way.
An attacker may have the ability to do the following :
- Execute Unauthorized Commands
- Bypass security controls
- Gain unauthorized access to sensitive data
- Gain Privileges
- Session Hijacking
- Cache poisoning
Mitigation
- Use HTTP/2 for backend connections and disable HTTP downgrading if possible
- Use the same web server software for front-end and back-end server
- Prefer a WAF that has built-in mitigation to detect abnormal requests
- Making the frontend server realize ambiguous requests
- Making the backend server reject ambiguous requests and close the network connection
ID: 30008