HTTP Request Smuggling
Introduction
HTTP request smuggling is a type of web vulnerability that occurs when an attacker is able to send multiple HTTP requests to a server in a way that causes the server to process them in an unintended manner. This can lead to a number of security problems, including:
Denial of Service (DoS) attacks: An attacker could use HTTP request smuggling to send a large number of requests to a server, overwhelming it and causing it to become unavailable to legitimate users.
Data leakage: An attacker could use HTTP request smuggling to manipulate the way that a server processes requests, potentially allowing them to access sensitive information that would otherwise be protected.
Cross-Site Scripting (XSS) attacks: An attacker could use HTTP request smuggling to inject malicious code into a server's response, potentially allowing them to execute code on the client's machine.
Most of today's web applications are composed of a front-end server (which might be a load balancer or reverse proxy) that forwards the request to a back-end server (which actually performs the request).
The requests to the back-end server are typically sent over the same connection due to its better performance. This means that every HTTP request is sent one after another, so the front-end and back-end must agree on the boundaries between requests.
There are two different ways to specify where a request ends: the Content-Length
header and the Transfer-Encoding
header.
The Content-Length
header specifies the number of bytes that compose the message body:
The Transfer-Encoding
header species that the message body is going to be sent in a series of chunks rather than a single message. Each chunk is composed of the chunk size in bytes (expressed in hexadecimal), a new line, the content of the chunk, and a new line terminating in zero.
HTTP smuggling attacks
CL.TE.
The front-end (FE) uses the Content-Length
header, and the back-end server uses the Transfer-Encoding
header.
TE.CL.
The front-end server uses the Transfer-Encoding
header, and the back-end server uses the Content-Length
header.
TE.TE.
The front-end and back-end servers both support the Transfer-Encoding
header. To avoid one of the servers processing the header, it is required to obfuscate the header in some way.
Here there is a list of obfuscation examples:
Tools
References
Last updated