Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.
When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks.
Apache server 2.0.45 and versions before 1.3.34, when used as a proxy, can easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request carrying both a "Content-Length" header and a "Transfer-Encoding: chunked" header is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with the "Transfer-Encoding: chunked" header without replacing the existing "Content-Length" header or adding their own. This leads to HTTP Request Smuggling using a request with a chunked body and a "Content-Length: 0" header.
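The framing discrepancy described above, shown as an added example that is not part of the CAPEC entry: the request bytes, host and path are constructed, and the two lenient parsers model the generic "Content-Length first" and "Transfer-Encoding first" behaviours rather than any specific product. The strict parser shows the mitigation that RFC 7230 section 3.3.3 calls for, which is to reject a message that carries both headers instead of guessing.

```python
"""Two entities framing one HTTP/1.1 message differently, and a strict parser
that refuses the ambiguous case. Added example with constructed input."""

CRLF = b"\r\n"


class AmbiguousRequest(ValueError):
    """Raised by the strict parser when the message framing is ambiguous."""


def _split_head(stream: bytes):
    """Return (request_line, headers, body_offset) for the message at the start
    of stream. Header names are lower-cased; values are stripped."""
    end = stream.find(CRLF + CRLF)
    if end == -1:
        raise ValueError("incomplete header block")
    lines = stream[:end].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _read_chunked(stream: bytes, pos: int):
    """Decode a chunked body starting at pos (no trailers); return (body, pos)."""
    body = b""
    while True:
        line_end = stream.find(CRLF, pos)
        if line_end == -1:
            raise ValueError("truncated chunk-size line")
        size = int(stream[pos:line_end].split(b";")[0].decode("ascii"), 16)
        pos = line_end + 2
        if size == 0:
            if stream[pos:pos + 2] != CRLF:
                raise ValueError("missing final CRLF after last chunk")
            return body, pos + 2
        body += stream[pos:pos + size]
        pos += size
        if stream[pos:pos + 2] != CRLF:
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def parse_prefer_content_length(stream: bytes):
    """Lenient entity A: frames the body by Content-Length whenever that header
    is present and ignores Transfer-Encoding (the behaviour the text describes)."""
    request_line, headers, pos = _split_head(stream)
    if "content-length" in headers:
        length = int(headers["content-length"])
        body, pos = stream[pos:pos + length], pos + length
    elif headers.get("transfer-encoding", "").lower() == "chunked":
        body, pos = _read_chunked(stream, pos)
    else:
        body = b""
    # Whatever is left over is what this entity treats as the NEXT message.
    return {"request_line": request_line, "body": body, "leftover": stream[pos:]}


def parse_prefer_transfer_encoding(stream: bytes):
    """Lenient entity B: frames by Transfer-Encoding: chunked when present, as
    RFC 7230 requires, and falls back to Content-Length otherwise."""
    request_line, headers, pos = _split_head(stream)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body, pos = _read_chunked(stream, pos)
    elif "content-length" in headers:
        length = int(headers["content-length"])
        body, pos = stream[pos:pos + length], pos + length
    else:
        body = b""
    return {"request_line": request_line, "body": body, "leftover": stream[pos:]}


def parse_strict(stream: bytes):
    """Hardened parser: a message with both framing headers is rejected outright
    so no downstream entity can interpret it differently from this one."""
    _, headers, _ = _split_head(stream)
    if "content-length" in headers and "transfer-encoding" in headers:
        raise AmbiguousRequest("both Content-Length and Transfer-Encoding present")
    return parse_prefer_transfer_encoding(stream)


def framings_disagree(stream: bytes) -> bool:
    """True when the two lenient strategies leave a different remainder on the
    connection, i.e. the condition under which two entities desynchronise."""
    a = parse_prefer_content_length(stream)
    b = parse_prefer_transfer_encoding(stream)
    return a["leftover"] != b["leftover"]


def strict_rejects(stream: bytes) -> bool:
    """Convenience wrapper: does the strict parser refuse this message?"""
    try:
        parse_strict(stream)
    except AmbiguousRequest:
        return True
    return False


# Constructed sample: Content-Length: 0 plus a chunked body, the exact shape
# the Apache description above refers to. The chunk content is plain data.
AMBIGUOUS_STREAM = (
    b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 0\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)
# Constructed well-formed request for contrast: a single framing header.
WELL_FORMED_STREAM = (
    b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
)

if __name__ == "__main__":
    for name, stream in (("ambiguous", AMBIGUOUS_STREAM), ("well-formed", WELL_FORMED_STREAM)):
        print(name, "disagree:", framings_disagree(stream), "strict rejects:", strict_rejects(stream))
```

On the ambiguous stream, entity A ends the first message immediately after the headers and treats `5\r\nhello\r\n0\r\n\r\n` as the start of a second message, while entity B consumes the whole stream as one message with body `hello`; that leftover-bytes mismatch is the desynchronisation the entry describes. The strict parser never reaches that point because it refuses the message, which is the behaviour to require of the first entity in the path. `framings_disagree` is also the kind of check a monitoring or log-analysis layer can apply to captured requests to flag the discrepancy the Indicators section points to.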
Skill or Knowledge Level: High
The attacker has to have detailed knowledge of the HTTP protocol specifics and must also possess exact details on the discrepancies between the two targeted entities in parsing HTTP requests.
If system documentation is available, the attacker can look up the exact versions of the two targeted entities, since different versions of the same system often behave differently. The attacker can also use product-specific documentation to figure out differences in parsing HTTP requests between the two entities.
Where no documentation is available, the attacker needs to reliably fingerprint the targeted entities to discover their nature and version. Having done this, the attacker then needs to determine experimentally how the two entities differ in parsing requests.
The observable sign is a difference between the requests processed by the two entities; detecting it requires careful monitoring or a capable log analysis tool.
HTTP Request Smuggling is usually targeted at web servers. Therefore, in such cases, careful analysis of the entities must occur during system design prior to deployment. If there are known differences in the way the entities parse HTTP requests, the choice of entities needs consideration.
Employing an application firewall can help. However, there are instances of the firewalls being susceptible to HTTP Request Smuggling as well.
The impact of activation is that a particular request that was not supposed to pass through the first entity is received by the second entity, which responds to it. This can defeat protection against malware or lead to Cross-Site Scripting.
System integration testing must include security checks to protect against Multiple Interpretation Errors across systems.
[R.33.1] [REF-3] "Common Weakness Enumeration (CWE)". CWE-444 - HTTP Request Smuggling. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/444.html>.