CAPEC-105 Detail

HTTP Request Splitting

Detailed Communications Software Likelihood: Medium Typical Severity: High

Parents: 220

Threats: T294

Description

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server). See CanPrecede relationships for possible consequences.

Extended Description

This entails the adversary injecting malicious user input into various standard and/or user-defined HTTP headers within an HTTP Request through user input of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters and unique character encoding. This malicious user input allows for web script to be injected in HTTP headers as well as into browser cookies or Ajax web/browser object parameters like XMLHttpRequest during implementation of asynchronous requests. This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions as well as lack of syntax checking and filtering of user input in the HTTP agents receiving HTTP messages in the path.

This differs from CAPEC-34 HTTP Response Splitting, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Request Splitting is an attempt to compromise a back-end HTTP agent via HTTP Request messages. HTTP Smuggling (CAPEC-33 and CAPEC-273) is different from HTTP Splitting due to the fact it relies upon discrepancies in the interpretation of various HTTP Headers and message sizes and not solely user input of special characters and character encoding. HTTP Smuggling was established to circumvent mitigations against HTTP Request Splitting techniques.
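The syntax checking and input filtering that the description above names as missing, sketched as an added example (not CAPEC's or any product's code): a front-end agent validates each field before re-serialising the request for the back end. The function names, the two-round percent-decoding policy and the sample values in the test are assumptions of this example.

```python
import re
from urllib.parse import unquote

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 9110 field-name / method
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")      # every control char except HTAB


class HeaderRejected(ValueError):
    """Raised when a field could change message framing downstream."""


def check_field(name: str, value: str, decode_rounds: int = 2) -> str:
    """Validate one header field; return the value trimmed of SP/HTAB."""
    # fullmatch, not match() with '$': '$' would accept a trailing LF.
    if not TOKEN.fullmatch(name):
        raise HeaderRejected(f"bad field name {name!r}")
    if any(ord(ch) > 0xFF for ch in value):
        # Lossy narrowing to bytes can turn e.g. U+010A into 0x0A (LF).
        raise HeaderRejected(f"non-Latin-1 character in {name}")
    seen = value
    for _ in range(decode_rounds + 1):
        if CONTROL.search(seen):
            raise HeaderRejected(f"control character in {name}")
        # Assumption: a later agent may percent-decode, so check those forms too.
        decoded = unquote(seen, encoding="latin-1")
        if decoded == seen:
            break
        seen = decoded
    return value.strip(" \t")


def serialize_head(method: str, target: str, fields: dict) -> bytes:
    """Build the request head for the back end from already-parsed parts."""
    # The target must be printable ASCII with no SP, so it cannot end the line.
    if not TOKEN.fullmatch(method) or not re.fullmatch(r"[\x21-\x7e]+", target):
        raise HeaderRejected("bad request line")
    lines = [f"{method} {target} HTTP/1.1"]
    lines += [f"{n}: {check_field(n, v)}" for n, v in fields.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def is_rejected(name: str, value: str) -> bool:
    """Convenience wrapper for logging or tests: True if the field is refused."""
    try:
        check_field(name, value)
        return False
    except HeaderRejected:
        return True
```

Rejecting the whole request, rather than stripping the offending characters, keeps the front end and back end from ever disagreeing about where the message ends.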

| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-105 | capec | https://capec.mitre.org/data/definitions/105.html | |
| CWE-74 | cwe | http://cwe.mitre.org/data/definitions/74.html | |
| CWE-113 | cwe | http://cwe.mitre.org/data/definitions/113.html | |
| CWE-138 | cwe | http://cwe.mitre.org/data/definitions/138.html | |
| CWE-436 | cwe | http://cwe.mitre.org/data/definitions/436.html | |
| 24 | WASC | http://projects.webappsec.org/HTTP-Request-Splitting | HTTP Request Splitting |
| REF-117 | reference_from_CAPEC | http://www.securiteam.com/securityreviews/5CP0L0AHPC.html | HTTP Response Smuggling, Beyond Security |
| REF-617 | reference_from_CAPEC | https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html | OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP) |
| REF-679 | reference_from_CAPEC | http://projects.webappsec.org/w/page/13246929/HTTP%20Request%20Splitting | Robert Auger, HTTP Request Splitting, 2011, The Web Application Security Consortium |

Explore
  1. Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.

  Techniques
    Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.
Experiment
  1. Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, HTTP headers, syntax checking and input filtering.

  2. Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP requests with custom strings and embedded web scripts and objects in HTTP headers to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure response to the normal/benign HTTP request to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

  Techniques
    Continue the monitoring of HTTP traffic.
    Utilize different sequences of special characters (CR - Carriage Return, LF - Line Feed, HT - Horizontal Tab, SP - Space, etc.) to bypass filtering and back-end encoding and to embed:
      - additional HTTP Requests with their own headers
      - malicious web scripts into parameters of HTTP Request headers (e.g., browser cookies like Set-Cookie or Ajax web/browser object parameters like XMLHttpRequest)
      - adversary chosen encoding (e.g., UTF-7) to utilize additional special characters (e.g., > and <) filtered by the target HTTP agent
    Note that certain special characters and character encoding may be applicable only to intermediary and front-end agents with rare configurations or that are not RFC compliant.
    Follow an unrecognized (sometimes an RFC-compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.
Exploit
  1. Perform HTTP Request Splitting attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.

  Techniques
    Leverage techniques identified in the Experiment Phase.

Prerequisites
  1. An additional intermediary HTTP agent such as an application firewall or a web caching proxy between the adversary and the second agent such as a web server, that sends multiple HTTP messages over the same network connection.
  2. Differences in the way the two HTTP agents parse and interpret HTTP requests and their headers.
  3. HTTP headers capable of being user-manipulated.
  4. HTTP agents running on HTTP/1.0 or HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.

Resources Required
  1. Tools capable of crafting malicious HTTP messages and monitoring HTTP message responses.

Skills Required
  Medium: Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.

Consequences

| Scope | Impact |
|---|---|
| Integrity | Execute Unauthorized Commands, Modify Data |
| Availability | Execute Unauthorized Commands |
| Authorization | Gain Privileges |
| Access Control | Gain Privileges |
| Confidentiality | Execute Unauthorized Commands, Gain Privileges, Read Data |

Example Instances
  1. Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote adversary to conduct HTTP request splitting and smuggling attacks. The vulnerability is due to an input validation error in the browser that allows adversaries to manipulate certain headers to expose the browser to HTTP request splitting and smuggling attacks. Attacks may include cross-site scripting, proxy cache poisoning, and session fixation. In certain instances, an exploit could allow the adversary to bypass web application firewalls or other filtering devices. Microsoft has confirmed the vulnerability and released software updates.