What is HTTP request smuggling?

HTTP request smuggling is a technique used to interfere with the way a website processes sequences of HTTP requests received from users. This vulnerability can be critical, enabling attackers to bypass security controls, access sensitive data, and compromise other users.

How Request Smuggling Vulnerabilities Arise

Request smuggling mainly affects HTTP/1 requests and can occur due to differences in handling the Content-Length and Transfer-Encoding headers, which both specify the length of an HTTP message. These vulnerabilities arise when front-end and back-end servers interpret these headers differently, especially in environments with multiple HTTP servers.

How HTTP Request Smuggling Attacks Work

In typical web architectures, user requests pass through a chain of HTTP servers. Request smuggling exploits differences in how these servers parse headers. The attack often involves crafting requests with conflicting Content-Length and Transfer-Encoding headers, causing servers to disagree on where one request ends and the next begins.

Types of HTTP Request Smuggling Attacks

  1. CL.TE (Content-Length then Transfer-Encoding):
    • The front-end server uses the Content-Length header.
    • The back-end server uses the Transfer-Encoding header.
    • Example: A request is crafted such that the front-end server reads the entire body, while the back-end server misinterprets part of it as a new request.
  2. TE.CL (Transfer-Encoding then Content-Length):
    • The front-end server uses the Transfer-Encoding header.
    • The back-end server uses the Content-Length header.
    • Example: The front-end server processes chunks correctly, but the back-end server misinterprets leftover data as a new request.
  3. TE.TE (Transfer-Encoding to Transfer-Encoding):
    • Both servers support the Transfer-Encoding header.
    • One server is tricked into ignoring it through obfuscation.
    • Example: The Transfer-Encoding header is obfuscated in various ways, causing only one server to process it, leading to request boundary mismatches.

Prevention and Mitigation

To prevent request smuggling, ensure consistency in how headers are handled across all servers in the request chain. Strictly adhering to the HTTP specification and validating headers can mitigate these vulnerabilities.
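
One way to apply the header validation described above at the front end, shown as an added example that is not from the original article: a Python check that refuses any request head whose framing two servers could read differently. The function name `framing_problems`, the host `app.example` and the sample requests are constructed for illustration; the rules apply the HTTP/1.1 message-framing requirements strictly.

```python
import re

# Header field names must be RFC "token" characters only (no spaces, no controls).
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def framing_problems(raw_head: bytes) -> list:
    """Return the reasons a request head has ambiguous framing ([] = acceptable)."""
    problems, lengths, encodings = [], [], []
    for line in raw_head.split(b"\r\n")[1:]:      # [1:] skips the request line
        if not line:
            break                                  # blank line ends the headers
        if b"\r" in line or b"\n" in line:
            problems.append("bare CR or LF inside a header line")
            continue
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name.decode("latin-1")):
            problems.append("malformed header name: %r" % name)
            continue
        key = name.decode("latin-1").lower()
        val = value.decode("latin-1").strip(" \t")
        if key == "content-length":
            lengths.append(val)
        elif key == "transfer-encoding":
            encodings.append(val.lower())
    if lengths and encodings:
        problems.append("both Content-Length and Transfer-Encoding present")
    # Stricter than the spec requires: any repeated Content-Length is refused.
    if len(lengths) > 1 or any(not re.fullmatch(r"[0-9]+", v) for v in lengths):
        problems.append("repeated or non-numeric Content-Length")
    if encodings and encodings != ["chunked"]:
        problems.append("Transfer-Encoding is not exactly 'chunked'")
    return problems

# Constructed sample request heads (not captured traffic).
BASE = b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
CLEAN = BASE + b"Content-Length: 11\r\n\r\n"
BOTH = BASE + b"Content-Length: 11\r\nTransfer-Encoding: chunked\r\n\r\n"
SPACED = BASE + b"Transfer-Encoding : chunked\r\n\r\n"

if __name__ == "__main__":
    for label, head in (("clean", CLEAN), ("both", BOTH), ("spaced", SPACED)):
        print(label, framing_problems(head) or "accept")
```

A request with a non-empty result should be answered with 400 and the connection closed rather than normalised and forwarded, so that no back-end server is left to choose between the two length headers.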

This summary provides an overview of HTTP request smuggling, highlighting how these attacks exploit differences in header processing between servers.

Full article: https://hacklido.com/blog/834-what-is-http-request-smuggling