Dark Mode

Settings

Capec-33 Detail

HTTP Request Smuggling

Detailed Communications Software Likelihood: Medium Typical Severity: High

Parents: 220

Threats: T294

Description

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request- line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server). See CanPrecede relationships for possible consequences.

Extended Description

A maliciously crafted HTTP request, which contains a second secretly embedded HTTP request is interpreted by an intermediary web proxy as single benign HTTP request, is forwarded to a back-end server, that interprets and parses the HTTP request as two authorized benign HTTP requests bypassing security controls. This attack usually involves the misuse of the HTTP headers: Content-Length and Transfer-Encoding. These abuses are discussed in RFC 2616 4.4.3 and section 4.2 and are related to ordering and precedence of these headers. [REF-38] Additionally this attack can be performed through modification and/or fuzzing of parameters composing the request-line of HTTP messages. This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents. This differs from CAPEC-273 HTTP Response Smuggling, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Request Smuggling is an attempt to compromise aback-end HTTP agentvia HTTP Request messages. HTTP Splitting (CAPEC-105 and CAPEC-34) is different from HTTP Smuggling due to the fact that during implementation of asynchronous requests, HTTP Splitting requires the embedding/injection of arbitrary HTML headers and content through user input into browser cookies or Ajax web/browser object parameters like XMLHttpRequest.
External ID Source Link Description
CAPEC-33 capec https://capec.mitre.org/data/definitions/33.html
CWE-444 cwe http://cwe.mitre.org/data/definitions/444.html
26 WASC http://projects.webappsec.org/HTTP-Request-Smuggling HTTP Request Smuggling
REF-38 reference_from_CAPEC http://www.ietf.org/rfc/rfc2616.txt HTTP 1.1 Specification (RFC 2616), IETF RFC
REF-117 reference_from_CAPEC http://www.securiteam.com/securityreviews/5CP0L0AHPC.html HTTP Response Smuggling, Beyond Security
REF-617 reference_from_CAPEC https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)
REF-672 reference_from_CAPEC http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling Robert Auger, HTTP Request Smuggling, 2010--01, The Web Application Security Consortium
REF-673 reference_from_CAPEC https://www.neuralegion.com/blog/http-request-smuggling-hrs/ Dzevad Alibegovic, HTTP Request Smuggling: Complete Guide to Attack Types and Prevention, 2021--08---23, NeuraLegion
REF-674 reference_from_CAPEC https://cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling Busra Demir, A Pentester’s Guide to HTTP Request Smuggling, 2020--10---15, Cobalt
REF-678 reference_from_CAPEC https://www.imperva.com/blog/http-desync-attacks-and-defence-methods/ Edi Kogan, Daniel Kerman, HTTP Desync Attacks in the Wild and How to Defend Against Them, 2019--10---29, Imperva
REF-681 reference_from_CAPEC https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn James Kettle, HTTP Desync Attacks: Request Smuggling Reborn, 2019--08---07, PortSwigger
REF-682 reference_from_CAPEC https://portswigger.net/web-security/request-smuggling HTTP request smuggling, PortSwigger
REF-683 reference_from_CAPEC https://portswigger.net/web-security/request-smuggling/finding Finding HTTP request smuggling vulnerabilities, PortSwigger
REF-684 reference_from_CAPEC https://portswigger.net/web-security/request-smuggling/exploiting Exploiting HTTP request smuggling vulnerabilities, PortSwigger
Explore

  1. Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.

    2. Techniques
    Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.
Experiment

  1. Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, message sizes, and HTTP headers.

  2. Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP requests to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure response to the normal/benign HTTP request to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

    3. Techniques
    Continue the monitoring of HTTP traffic.
    Utilize various combinations of HTTP Headers within a single HTTP Request such as: Content-Length & Transfer-Encoding (CL;TE), Transfer-Encoding & Content-Length (TE;CL), or double Transfer-Encoding (TE;TE), so that additional embedded requests or data in the body of the original request are unprocessed and treated as part of subsequent requests by the intended target HTTP agent. From these HTTP Header combinations the adversary observes any timing delays (usually in the form of HTTP 404 Error response) or any other unintended consequences. For CL;TE and TE;CL HTTP header combinations, the first HTTP agent, in the HTTP message path that receives the HTTP request, takes precedence or only processes one header but not the other, while the second/final HTTP agent processes the opposite header, allowing for embedded HTTP requests to be ignored and smuggled to the intended target HTTP agent. For TE;TE HTTP headers combination, all HTTP agents in HTTP message path process Transfer-Encoding header, however, adversary obfuscation (see Mitigations for details) of one of the Transfer-Encoding headers, by not adhering strictly to the protocol specification, can cause it to be unprocessed/ignored by a designated HTTP agent, hence allowing embedded HTTP requests to be smuggled. .
    Construct a very large HTTP request using multiple Content-Length headers of various data lengths that can potentially cause subsequent requests to be ignored by an intermediary HTTP agent (firewall) and/or eventually parsed separately by the target HTTP agent (web server). Note that most modern HTTP infrastructure reject HTTP requests with multiple Content-Length headers.
    Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.
Exploit

  1. Perform HTTP Request Smuggling attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.

    2. Techniques
    Leverage techniques identified in the Experiment Phase.
  1. An additional intermediary HTTP agent such as an application firewall or a web caching proxy between the adversary and the second agent such as a web server, that sends multiple HTTP messages over same network connection.
  2. Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.
  3. HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.
  1. Tools capable of crafting malicious HTTP messages and monitoring HTTP message responses.
Medium
Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.
Integrity Availability Authorization Access Control Confidentiality
Execute Unauthorized Commands Execute Unauthorized Commands Gain Privileges Gain Privileges Execute Unauthorized Commands
Modify Data Gain Privileges
  1. When using Haproxy 1.5.3 version as front-end proxy server with with Node.js version 14.13.1 or 12.19.0 as the back-end web server it is possible to use two same header fields for example: two Transfer-Encoding, Transfer-Encoding: chunked and Transfer-Encoding: chunked-false, to bypass Haproxy /flag URI restriction and receive the Haproxy flag value, since Node.js identifies the first header but ignores the second header. See also: CVE-2020-8287
  2. When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks. See also: CVE-2006-6276
  3. Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request with both "Content-Length" and a "Transfer- Encoding: chunked" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with "Transfer-Encoding: chunked" header without replacing the existing "Content-Length" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with "Content-Length: 0". See also: CVE-2005-2088

We use cookies to ensure you get the best experience on our website.