CAPEC - CAPEC-33: HTTP Request Smuggling (Release 1.4)

Home > CAPEC List > CAPEC-33: HTTP Request Smuggling (Release 1.4)

CAPEC List
Full CAPEC Dictionary
Methods of Attack View

About CAPEC
Documents
Resources

Community
Related Activities
Collaboration List

News & Events
Calendar
Free Newsletter

Contact Us
Search the Site

CAPEC-33: HTTP Request Smuggling

HTTP Request Smuggling

Attack Pattern ID: 33 (Detailed Attack Pattern Completeness: Complete)

Typical Severity: High

Status: Draft

Description

Summary

HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.

Attack Execution Flow

Explore

Identify HTTP parsing chain:

Determine the technologies used in the target environment such as types of web servers, application firewalls, proxies, etc.

Attack Step Techniques

ID	Attack Step Technique Description	Environments
1	Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand the parsing chain traversed by the incoming HTTP request.	env-Web

Outcomes

ID	type	Outcome Description
1	Success	Full HTTP parsing chain for the application has been identified

Experiment

Probe for vulnerable differences in HTTP parsing chain:

Attacker sends malformed HTTP Requests to the application looking for differences in the ways that individual layers in the parsing chain parse requests. When differences are identified, the attacker crafts specially malformed HTTP requests to determine if the identified parsing differences will allow extra requests to be smuggled through parsing layers.

Attack Step Techniques

ID	Attack Step Technique Description	Environments
1	Create many consecutive requests to the server. Some of which must be malformed.	env-Web
2	Use a proxy tool to record the HTTP responses headers.	env-Web

Indicators

ID	type	Indicator Description	Environments
1	Positive	At some point, the server is waiting for more request information to send the last response.	env-Web
2	Inconclusive	No response is being received.	env-Web
3	Negative	Malformed HTTP requests are being totally ignored.	env-Web
4	Negative	Responses are being sent even if the HTTP header is incomplete.	env-Web

Outcomes

ID	type	Outcome Description
1	Success	One layer in the application's HTTP parsing chain processes HTTP Requests that other layers do not. The server smuggles the user request into the last attacker's request and transport data such as cookie, etc.
2	Failure	The server replies with an error to the last attacker's request.
3	Inconclusive	No response for the last incomplete request from the attacker by the server

Security Controls

ID	type	Security Control Description
1	Detective	Monitor requests to the server that seem malformed.

Exploit

Cache poisoning:

The attacker decides to target the cache server. The server will then cache the request and serve a wrong page to a legitimate user's request. The malicious request will most likely exploit a Cross-Site Scripting or another injection typed vulnerability.

Attack Step Techniques

ID	Attack Step Technique Description	Environments
1	Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will be processed and acted on by the outer parsing layer of the cache server but not by the inner application layer. In this way it will be cached by the server without obvious sign from the application and the corrupt data will be served to future requesters.	env-Web

Outcomes

ID	type	Outcome Description
1	Success	The attacker gets the users to be served with this cached malicious HTTP request.

Security Controls

ID	type	Security Control Description
1	Detective	Monitor server logs for consecutive suspicious HTTP requests.

Session Hijacking:

The attacker decides to target the web server by crafting a malicious HTTP Request containing a second HTTP Request using syntax that will not be processed and acted on by an outer "filter" parsing layer but will be acted on by the inner web server/application processing layers. The application/web server will then act on the malicious HTTP Request as if it is a valid request from the client potentially subverting session management.

Attack Step Techniques

ID	Attack Step Technique Description	Environments
1	Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will not be processed and acted on by the outer parsing layer of the malicious content filters but will be by the inner application/web server layer. In this way it will be acted on by the application/web server as if it is a valid request from the client.	env-Web

Outcomes

ID	type	Outcome Description
1	Success	The attacker gets the application/web server to act on the malicious HTTP request and allows the attacker to gain control of the target user's session.

Security Controls

ID	type	Security Control Description
1	Preventative	Monitor server logs for consecutive suspicious HTTP requests.

Attack Prerequisites

An additional HTTP entity such as an application firewall or a web caching proxy between the attacker and the second entity such as a web server

Differences in the way the two HTTP entities parse HTTP requests

Typical Likelihood of Exploit

Likelihood: Medium

Methods of Attack

Protocol Manipulation
Injection

Examples-Instances

Description

When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks.

Related Vulnerabilities

CVE-2006-6276

Description

Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request with both "Content-Length" and a "Transfer-Encoding: chunked" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with "Transfer-Encoding: chunked" header without replacing the existing "Content-Length" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with "Content-Length: 0".

Related Vulnerabilities

CVE-2005-2088

Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

The attacker has to have detailed knowledge of the HTTP protocol specifics and must also possess exact details on the discrepancies between the two targeted entities in parsing HTTP requests.

Resources Required

None

Probing Techniques

If system documentation is available, the attacker can look up the exact versions of the two targeted entities, since different versions of the same system often behave differently. The attacker can also use product-specific documentation to figure out differences in parsing HTTP requests between the two entities.

In case where no documentation is available, the attacker needs to reliably fingerprint the targeted entities to discover the nature and version of the entities. Having done this, the attacker then needs to experimentally determine how the two entities differ in parsing requests.

Indicators-Warnings of Attack

Differences in requests processed by the two entities. This requires careful monitoring or a capable log analysis tool.

Solutions and Mitigations

HTTP Request Smuggling is usually targeted at web servers. Therefore, in such cases, careful analysis of the entities must occur during system design prior to deployment. If there are known differences in the way the entities parse HTTP requests, the choice of entities needs consideration.

Employing an application firewall can help. However, there are instances of the firewalls being susceptible to HTTP Request Smuggling as well.

Attack Motivation-Consequences

Run Arbitrary Code
Privilege Escalation
Data Modification

Injection Vector

HTTP requests that are interpreted and parsed differently by the targeted entities.

Payload

HTTP request to be smuggled through the first entity to the second one.

Activation Zone

The application server behind another HTTP entity

Payload Activation Impact

The impact of activation is that a particular request that was not supposed to pass through the first entity is received by the second entity who responds to it. This can defeat protection against malware or lead to Cross-Site Scripting

Related Weaknesses

CWE-ID	Weakness Name	Weakness Relationship Type
444	Inconsistent Interpretation of HTTP Requests (aka 'HTTP Request Smuggling')	Targeted
436	Interpretation Conflict	Secondary
707	Failure to Enforce that Messages or Data are Well-Formed	Targeted

Relevant Security Requirements

System integration testing must include security checks to protect against Multiple Interpretation Errors across systems.

Purposes

Penetration

CIA Impact

Confidentiality Impact: Medium

Integrity Impact: Medium

Availability Impact: Low

Technical Context

Architectural Paradigms	Client-Server n-Tier
Frameworks	All
Platforms	All
Languages	All

References

CWE - HTTP Request Smuggling

CWE - Multiple Interpretation Error

Content History

Submissions
Submitter	Date	Comments
Chiradeep B Chhaya	2007-01-10	First Draft

Modifications
Modifier	Organization	Date	Comments
Malik Hamro	Cigital, Inc	2007-02-27	Reformat to new schema and review
Sean Barnum	Cigital, Inc	2007-03-05	Review and revise
Richard Struse	VOXEM, Inc	2007-03-26	Review and feedback leading to changes in Description
Sean Barnum	Cigital, Inc	2007-04-13	Modified pattern content according to review and feedback
Romain Gaucher	Cigital, Inc	2009-02-10	Created draft content for detailed description
Sean Barnum	Cigital Federal, Inc	2009-04-13	Reviewed and revised content for detailed description

Page Last Updated: September 23, 2009


	CAPEC is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. Vision and Technical Leadership provided by Cigital, Inc. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us