Home > CAPEC List > CAPEC-33: HTTP Request Smuggling (Version 2.11)  

CAPEC-33: HTTP Request Smuggling

 
HTTP Request Smuggling
Definition in a New Window Definition in a New Window
Attack Pattern ID: 33
Abstraction: Detailed
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.

+ Attack Steps
Explore
  1. Identify HTTP parsing chain: Determine the technologies used in the target environment such as types of web servers, application firewalls, proxies, etc.

    Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand the parsing chain traversed by the incoming HTTP request.

Experiment
  1. Probe for vulnerable differences in HTTP parsing chain: Attacker sends malformed HTTP Requests to the application looking for differences in the ways that individual layers in the parsing chain parse requests. When differences are identified, the attacker crafts specially malformed HTTP requests to determine if the identified parsing differences will allow extra requests to be smuggled through parsing layers.

    Create many consecutive requests to the server. Some of which must be malformed.

    Use a proxy tool to record the HTTP responses headers.

Exploit
  1. Cache poisoning: The attacker decides to target the cache server. The server will then cache the request and serve a wrong page to a legitimate user's request. The malicious request will most likely exploit a Cross-Site Scripting or another injection typed vulnerability.

    Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will be processed and acted on by the outer parsing layer of the cache server but not by the inner application layer. In this way it will be cached by the server without obvious sign from the application and the corrupt data will be served to future requesters.

  2. Session Hijacking: The attacker decides to target the web server by crafting a malicious HTTP Request containing a second HTTP Request using syntax that will not be processed and acted on by an outer "filter" parsing layer but will be acted on by the inner web server/application processing layers. The application/web server will then act on the malicious HTTP Request as if it is a valid request from the client potentially subverting session management.

    Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will not be processed and acted on by the outer parsing layer of the malicious content filters but will be by the inner application/web server layer. In this way it will be acted on by the application/web server as if it is a valid request from the client.

+ Attack Prerequisites
  • An additional HTTP entity such as an application firewall or a web caching proxy between the attacker and the second entity such as a web server

  • Differences in the way the two HTTP entities parse HTTP requests

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Protocol Manipulation
  • Injection
+ Examples-Instances

Description

When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks.

Related Vulnerabilities

Description

Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request with both "Content-Length" and a "Transfer-Encoding: chunked" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with "Transfer-Encoding: chunked" header without replacing the existing "Content-Length" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with "Content-Length: 0".

Related Vulnerabilities

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

The attacker has to have detailed knowledge of the HTTP protocol specifics and must also possess exact details on the discrepancies between the two targeted entities in parsing HTTP requests.

+ Resources Required

None: No specialized resources are required to execute this type of attack.

+ Probing Techniques

If system documentation is available, the attacker can look up the exact versions of the two targeted entities, since different versions of the same system often behave differently. The attacker can also use product-specific documentation to figure out differences in parsing HTTP requests between the two entities.

In case where no documentation is available, the attacker needs to reliably fingerprint the targeted entities to discover the nature and version of the entities. Having done this, the attacker then needs to experimentally determine how the two entities differ in parsing requests.

+ Indicators-Warnings of Attack

Differences in requests processed by the two entities. This requires careful monitoring or a capable log analysis tool.

+ Solutions and Mitigations

HTTP Request Smuggling is usually targeted at web servers. Therefore, in such cases, careful analysis of the entities must occur during system design prior to deployment. If there are known differences in the way the entities parse HTTP requests, the choice of entities needs consideration.

Employing an application firewall can help. However, there are instances of the firewalls being susceptible to HTTP Request Smuggling as well.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
+ Injection Vector

HTTP requests that are interpreted and parsed differently by the targeted entities.

+ Payload

HTTP request to be smuggled through the first entity to the second one.

+ Activation Zone

The application server behind another HTTP entity

+ Payload Activation Impact

The impact of activation is that a particular request that was not supposed to pass through the first entity is received by the second entity who responds to it. This can defeat protection against malware or lead to Cross-Site Scripting

+ Relevant Security Requirements

System integration testing must include security checks to protect against Multiple Interpretation Errors across systems.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: MediumIntegrity Impact: MediumAvailability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
Frameworks
All
Platforms
All
Languages
All
+ References
[R.33.1] [REF-3] "Common Weakness Enumeration (CWE)". CWE-444 - HTTP Request Smuggling. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/444.html>.
[R.33.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-436 - Multiple Interpretation Error. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/436.html>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Related_Attack_Patterns, Resources_RequiredInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017