New to CAPEC? Start Here
Home > CAPEC List > CAPEC-273: HTTP Response Smuggling (Version 3.9)  

CAPEC-273: HTTP Response Smuggling

Attack Pattern ID: 273
Abstraction: Detailed
View customized information:
+ Description

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).

See CanPrecede relationships for possible consequences.

+ Extended Description

In the maliciously manipulated HTTP response, an adversary can add duplicate header fields that HTTP agents interpret as belonging to separate responses.

The combined HTTP response ends up being parsed or interpreted as two or more HTTP responses by the targeted client HTTP agent. This allows malicious HTTP responses to bypass security controls. This is performed by the abuse of interpretation and parsing discrepancies in different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) or client HTTP agents (e.g., web browser) in the path of the malicious HTTP responses.

This attack usually involves the misuse of the HTTP headers: Content-Length and Transfer-Encoding. These abuses are discussed in RFC 2616 #4.4.3 and section #4.2 and are related to ordering and precedence of these headers. [REF-38]

Additionally this attack can be performed through modification and/or fuzzing of parameters composing the request-line of HTTP messages.

This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.

This differs from CAPEC-33 HTTP Request Smuggling, which is usually an attempt to compromise a back-end HTTP agent via HTTP Request messages. HTTP Response Smuggling is an attempt to compromise a client agent (e.g., web browser) .

HTTP Splitting (CAPEC-105 and CAPEC-34) is different from HTTP Smuggling due to the fact that during implementation of asynchronous requests, HTTP Splitting requires the embedding/injection of arbitrary HTML headers and content through user input into browser cookies or Ajax web/browser object parameters like XMLHttpRequest.

+ Alternate Terms

Term: HTTP Desync

Modification/manipulation of HTTP message headers, request-line and body parameters to disrupt and interfere in the interpretation and parsing of HTTP message lengths/boundaries for consecutive HTTP messages by HTTP agents in a HTTP chain or network path.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.220Client-Server Protocol Manipulation
PeerOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.33HTTP Request Smuggling
CanPrecedeStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.63Cross-Site Scripting (XSS)
CanPrecedeMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.115Authentication Bypass
CanPrecedeStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.141Cache Poisoning
CanPrecedeMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.148Content Spoofing
CanPrecedeMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.154Resource Location Spoofing
CanPrecedeStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.593Session Hijacking
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.

    Techniques
    Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.
Experiment
  1. Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure to intended targets in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, message sizes, and HTTP headers.

  2. Cause differential HTTP responses by experimenting with identified HTTP Response vulnerabilities: The adversary sends maliciously crafted HTTP request to back-end HTTP infrastructure to inject adversary data into HTTP responses (intended for intermediary and/or front-end client/victim HTTP agents communicating with back-end HTTP infrastructure) for the purpose of interfering with the parsing of HTTP response. The intended consequences of the malicious HTTP request and the subsequent adversary injection and manipulation of HTTP responses will be observed to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

    Techniques
    Continue the monitoring of HTTP traffic.

    Inject additional HTTP headers to utilize various combinations of HTTP Headers within a single HTTP message such as: Content-Length & Transfer-Encoding (CL;TE), Transfer-Encoding & Content-Length (TE;CL), or double Transfer-Encoding (TE;TE), so that additional embedded message or data in the body of the original message are unprocessed and treated as part of subsequent messages by the intended target HTTP agent.

    From these HTTP Header combinations the adversary observes any timing delays (usually in the form of HTTP 404 Error response) or any other unintended consequences.

    • For CL;TE and TE;CL HTTP headers combination, the first HTTP agent, in the HTTP message path that receives the HTTP message, takes precedence or only processes the one header but not the other, while the second/final HTTP agent processes the opposite header allowing for embedded HTTP message to be ignored and smuggled to the intended target HTTP agent.
    • For TE;TE HTTP headers combination, all HTTP agents in HTTP message path process Transfer-Encoding header, however, adversary obfuscation of one of the Transfer-Encoding headers, by not adhering strictly to the protocol specification, can cause it to be unprocessed/ignored by a designated HTTP agent, hence allowing embedded HTTP messages to be smuggled. See Mitigations for details.

    Construct a very large HTTP message via multiple Content-Length headers of various data lengths that can potentially cause subsequent messages to be ignored by an intermediary HTTP agent (e.g., firewall) and/or eventually parsed separately by the target HTTP agent.

    Note that most modern HTTP infrastructure reject HTTP messages with multiple Content-Length headers.

    Monitor HTTP traffic using a tool such as a Network Protocol Analyzer.
Exploit
  1. Perform HTTP Response Smuggling attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.

    Techniques
    Leverage techniques identified in the Experiment Phase.
+ Prerequisites
A vulnerable or compromised server or domain/site capable of allowing adversary to insert/inject malicious content that will appear in the server's response to target HTTP agents (e.g., proxies and users' web browsers).
Differences in the way the two HTTP agents parse and interpret HTTP responses and its headers.
HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.
+ Skills Required
[Level: Medium]
Detailed knowledge on HTTP protocol: request and response messages structure and usage of specific headers.
[Level: Medium]
Detailed knowledge on how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers.
[Level: Medium]
Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.
+ Resources Required
Tools capable of monitoring HTTP messages, and crafting malicious HTTP messages and/or injecting malicious content into HTTP messages.
+ Indicators
Differences in responses processed by the two agents. This requires careful monitoring or a capable log analysis tool.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Confidentiality
Integrity
Availability
Execute Unauthorized Commands
Confidentiality
Access Control
Authorization
Gain Privileges
Integrity
Modify Data
+ Mitigations
Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.
Configuration: front-end HTTP agents notice ambiguous requests.
Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.
Configuration: Disable reuse of back-end connections.
Configuration: Use HTTP/2 for back-end connections.
Configuration: Use the same web server software for front-end and back-end server.
Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.
Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.
Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers.
Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as:
  • Headers with no space before the value “chunked”
  • Headers with extra spaces
  • Headers beginning with trailing characters
  • Headers providing a value “chunk” instead of “chunked” (the server normalizes this as chunked encoding)
  • Headers with multiple spaces before the value “chunked”
  • Headers with quoted values (whether single or double quotations)
  • Headers with CRLF characters before the value “chunked”
  • Values with invalid characters
Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)
Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.
Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.
+ Example Instances

When using Undertow, a Java-based web server in Red Hat's Jboss Enterprise Application Platform version 7.0, the code responsible for parsing HTTP requests permitted invalid characters, that could allow the injection of data into HTTP responses from Undertow to clients when used in tandem with a proxy; allowing for web-cache poisoning, XSS, and confidentiality violation of sensitive information from other HTTP requests sent to Undertow. See also: CVE-2017-2666

Mozilla Firefox and Thunderbird before 1.5.04, with various proxy servers, interpreted HTTP responses differently if HTTP response headers included a space between the header name and colon or if HTTP 1.1 headers were sent through a proxy configured with HTTP 1.0, allowing for HTTP Smuggling vulnerability. See also: CVE-2006-2786

+ Notes

Relationship

HTTP Smuggling is an evolution of previous HTTP Splitting techniques which are commonly remediated against.

Terminology

HTTP Splitting – "the act of forcing a sender of (HTTP) messages to emit data stream consisting of more messages than the sender’s intension. The messages sent are 100% valid and RFC compliant" [REF-117].

Terminology

HTTP Smuggling – "the act of forcing a sender of (HTTP) messages to emit data stream which may be parsed as a different set of messages (i.e. dislocated message boundaries) than the sender’s intention. This is done by virtue of forcing the sender to emit non-standard messages which can be interpreted in more than one way" [REF-117].
+ Taxonomy Mappings
Relevant to the WASC taxonomy mapping
Entry IDEntry Name
27HTTP Response Smuggling
+ References
[REF-38] "HTTP 1.1 Specification (RFC 2616)". IETF RFC. <http://www.ietf.org/rfc/rfc2616.txt>.
[REF-117] "HTTP Response Smuggling". Beyond Security. <http://www.securiteam.com/securityreviews/5CP0L0AHPC.html>.
[REF-675] Robert Auger. "HTTP Response Smuggling". The Web Application Security Consortium. 2011-02. <http://projects.webappsec.org/w/page/13246930/HTTP%20Response%20Smuggling>. URL validated: 2021-10-06.
[REF-676] Kazuho Oku. "Mozilla Foundation Security Advisory 2006-33 HTTP response smuggling". Mozilla Corporation. 2006-06-01. <https://www.mozilla.org/en-US/security/advisories/mfsa2006-33/>. URL validated: 2021-10-06.
[REF-677] "Testing for HTTP Splitting Smuggling". Open Web Application Security Project. <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html>. URL validated: 2021-10-06.
[REF-678] Edi Kogan and Daniel Kerman. "HTTP Desync Attacks in the Wild and How to Defend Against Them". Imperva. 2019-10-29. <https://www.imperva.com/blog/http-desync-attacks-and-defence-methods/>. URL validated: 2021-10-06.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-08-04
(Version 2.11)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Resources_Required
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated References
2020-12-17
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
2021-10-21
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated @Status, Alternate_Terms, Consequences, Description, Example_Instances, Execution_Flow, Extended_Description, Indicators, Likelihood_Of_Attack, Mitigations, Notes, Prerequisites, References, Related_Attack_Patterns, Resources_Required, Skills_Required, Typical_Severity
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Alternate_Terms, Extended_Description, Related_Weaknesses
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018