Name: HTTP Request Smuggling
Likelihood of attack: Medium
Typical severity: High
|
Summary
HTTP Request Smuggling results from discrepancies in the parsing of HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. In specific situations where two or more such entities sit in the path of the HTTP request, a specially crafted request is seen by the two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to the second entity without the first one realizing it.
Prerequisites
- An additional HTTP entity, such as an application firewall or a web caching proxy, between the attacker and the second entity, such as a web server
- Differences in the way the two HTTP entities parse HTTP requests
Execution Flow

Step 1 (Explore): [Identify HTTP parsing chain] Determine the technologies used in the target environment, such as the types of web servers, application firewalls, proxies, etc.
- Investigate the target environment to determine the types of technologies used to parse the incoming HTTP requests, and attempt to understand the parsing chain traversed by an incoming HTTP request.

Step 2 (Experiment): [Probe for vulnerable differences in HTTP parsing chain] The attacker sends malformed HTTP requests to the application, looking for differences in the ways that individual layers in the parsing chain parse requests. When differences are identified, the attacker crafts specially malformed HTTP requests to determine whether the identified parsing differences will allow extra requests to be smuggled through the parsing layers.
- Create many consecutive requests to the server, some of which must be malformed.
- Use a proxy tool to record the HTTP response headers.

Step 3 (Exploit): [Cache poisoning] The attacker decides to target the cache server. The server will then cache the request and serve a wrong page in response to a legitimate user's request. The malicious request will most likely exploit a Cross-Site Scripting or another injection-type vulnerability.
- Leverage the vulnerabilities identified in the Experiment phase to inject a malicious HTTP request that contains HTTP request syntax that will be processed and acted on by the outer parsing layer of the cache server but not by the inner application layer. In this way it will be cached by the server without any obvious sign from the application, and the corrupt data will be served to future requesters.

Step 4 (Exploit): [Session Hijacking] The attacker decides to target the web server by crafting a malicious HTTP request containing a second HTTP request, using syntax that will not be processed and acted on by an outer "filter" parsing layer but will be acted on by the inner web server/application processing layers. The application/web server will then act on the malicious HTTP request as if it were a valid request from the client, potentially subverting session management.
- Leverage the vulnerabilities identified in the Experiment phase to inject a malicious HTTP request that contains HTTP request syntax that will not be processed and acted on by the outer parsing layer of the malicious content filters but will be by the inner application/web server layer. In this way it will be acted on by the application/web server as if it were a valid request from the client.

Solutions
HTTP Request Smuggling is usually targeted at web servers. Therefore, in such cases, careful analysis of the entities must occur during system design, prior to deployment. If there are known differences in the way the entities parse HTTP requests, the choice of entities needs consideration. Employing an application firewall can help. However, there are instances of firewalls being susceptible to HTTP Request Smuggling as well.
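A defender-side check for the framing discrepancies the summary and solutions describe (an added example, not code from the CAPEC entry): it flags request heads that different RFC 7230 parsers may frame differently, such as both Content-Length and Transfer-Encoding being present, conflicting Content-Length values, obsolete line folding, or malformed header names. The sample requests are constructed for this example; a front-end proxy or filter that rejects anything this function flags never has to guess which entity's interpretation the back end will share.

```python
import re
from typing import List

# Constructed sample request heads (not from the CAPEC entry), CRLF-framed as on the wire.
CLEAN = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 11\r\n\r\nhello=world")
# Both length headers: a front end honouring Content-Length and a back end honouring
# Transfer-Encoding disagree about where this request ends (the CL.TE case).
CL_TE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 4\r\nContent-Length: 11\r\n\r\nhello=world")

_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 header-name token
_KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}

def framing_ambiguities(raw: bytes) -> List[str]:
    """Return the reasons two HTTP parsers could disagree about where this
    request ends; an empty list means the message framing is unambiguous."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    reasons, content_lengths, transfer_encodings = [], [], []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if "\n" in line:                         # bare LF: only some parsers accept it
            reasons.append("bare LF inside header block")
        if line[:1] in (" ", "\t"):              # obs-fold continuation line
            reasons.append("obsolete line folding in header block")
            continue
        name, sep, value = line.partition(":")
        if not sep:
            reasons.append(f"header line without colon: {line!r}")
            continue
        if not _TOKEN.match(name):               # e.g. "Transfer-Encoding : chunked"
            reasons.append(f"malformed header name: {name!r}")
        key = name.strip().lower()
        if key == "content-length":
            content_lengths.append(value.strip())
        elif key == "transfer-encoding":
            transfer_encodings.append(value.strip())
    if content_lengths and transfer_encodings:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_lengths)) > 1:
        reasons.append("conflicting Content-Length values")
    reasons += [f"non-numeric Content-Length: {c!r}"
                for c in content_lengths if not (c.isascii() and c.isdigit())]
    for te in transfer_encodings:
        codings = [c.strip().lower() for c in te.split(",")]
        if any(c not in _KNOWN_CODINGS for c in codings):
            reasons.append(f"unrecognized transfer coding: {te!r}")
        elif codings[-1] != "chunked":           # RFC 7230 3.3.3: length then unknown
            reasons.append("final transfer coding is not chunked")
    return reasons
```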
Related Weaknesses
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- CWE-707: Improper Neutralization

Related CAPECs
- CAPEC-220: An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions. For example, an authentication protocol might be used to establish the identities of the server and client, while a separate messaging protocol might be used to exchange data. If there is a weakness in a protocol used by the client and server, an attacker might take advantage of this to perform various types of attacks. For example, if the attacker is able to manipulate an authentication protocol, the attacker may be able to spoof other clients or servers. If the attacker is able to manipulate a messaging protocol, they may be able to read sensitive information or modify message contents. This attack is often made easier by the fact that many clients and servers support multiple protocols to perform similar roles. For example, a server might support several different authentication protocols in order to support a wide range of clients, including legacy clients. Some of the older protocols may have vulnerabilities that allow an attacker to manipulate client-server interactions.

Taxonomy: WASC
- Entry 26: HTTP Request Smuggling