Home > CAPEC List > CAPEC-33: HTTP Request Smuggling (Version 3.0)  

CAPEC-33: HTTP Request Smuggling

Attack Pattern ID: 33
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.220Client-Server Protocol Manipulation
PeerOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.273HTTP Response Smuggling
+ Execution Flow
Explore
  1. Identify HTTP parsing chain: Determine the technologies used in the target environment such as types of web servers, application firewalls, proxies, etc. Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand the parsing chain traversed by the incoming HTTP request.

    Techniques
    Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand the parsing chain traversed by the incoming HTTP request.
Experiment
  1. Probe for vulnerable differences in HTTP parsing chain: Attacker sends malformed HTTP Requests to the application looking for differences in the ways that individual layers in the parsing chain parse requests. When differences are identified, the attacker crafts specially malformed HTTP requests to determine if the identified parsing differences will allow extra requests to be smuggled through parsing layers. Create many consecutive requests to the server. Some of which must be malformed. Use a proxy tool to record the HTTP responses headers.

    Techniques
    Create many consecutive requests to the server. Some of which must be malformed.
    Use a proxy tool to record the HTTP responses headers.
Exploit
  1. Cache poisoning: The attacker decides to target the cache server. The server will then cache the request and serve a wrong page to a legitimate user's request. The malicious request will most likely exploit a Cross-Site Scripting or another injection typed vulnerability. Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will be processed and acted on by the outer parsing layer of the cache server but not by the inner application layer. In this way it will be cached by the server without obvious sign from the application and the corrupt data will be served to future requesters.

    Techniques
    Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will be processed and acted on by the outer parsing layer of the cache server but not by the inner application layer. In this way it will be cached by the server without obvious sign from the application and the corrupt data will be served to future requesters.
  2. Session Hijacking: The attacker decides to target the web server by crafting a malicious HTTP Request containing a second HTTP Request using syntax that will not be processed and acted on by an outer "filter" parsing layer but will be acted on by the inner web server/application processing layers. The application/web server will then act on the malicious HTTP Request as if it is a valid request from the client potentially subverting session management. Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will not be processed and acted on by the outer parsing layer of the malicious content filters but will be by the inner application/web server layer. In this way it will be acted on by the application/web server as if it is a valid request from the client.

    Techniques
    Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will not be processed and acted on by the outer parsing layer of the malicious content filters but will be by the inner application/web server layer. In this way it will be acted on by the application/web server as if it is a valid request from the client.
+ Prerequisites
An additional HTTP entity such as an application firewall or a web caching proxy between the attacker and the second entity such as a web server
Differences in the way the two HTTP entities parse HTTP requests
+ Skills Required
[Level: High]
The attacker has to have detailed knowledge of the HTTP protocol specifics and must also possess exact details on the discrepancies between the two targeted entities in parsing HTTP requests.
+ Resources Required
None: No specialized resources are required to execute this type of attack.
+ Indicators
Differences in requests processed by the two entities. This requires careful monitoring or a capable log analysis tool.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Confidentiality
Integrity
Availability
Execute Unauthorized Commands
Confidentiality
Access Control
Authorization
Gain Privileges
Integrity
Modify Data
+ Mitigations
HTTP Request Smuggling is usually targeted at web servers. Therefore, in such cases, careful analysis of the entities must occur during system design prior to deployment. If there are known differences in the way the entities parse HTTP requests, the choice of entities needs consideration.
Employing an application firewall can help. However, there are instances of the firewalls being susceptible to HTTP Request Smuggling as well.
+ Example Instances
When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks. See also: CVE-2006-6276
Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request with both "Content-Length" and a "Transfer-Encoding: chunked" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with "Transfer-Encoding: chunked" header without replacing the existing "Content-Length" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with "Content-Length: 0". See also: CVE-2005-2088
+ Memberships
This MemberOf Relationships table shows additional CAPEC Categories and Views that reference this attack pattern as a member. This information is often useful in understanding where a attack pattern fits within the context of external information sources.
NatureTypeIDName
MemberOfCategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.359WASC-26 - HTTP Request Smuggling
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Resources_Required
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated References

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018