HTTP request smuggling: Difference between revisions
m v2.04b - Bot T5 CW#90 - Fix errors for CW project (Internal link written as an external link) |
→TE.CL: A rare instance of me adding content |
||
Line 9: | Line 9: | ||
===TE.CL=== |
===TE.CL=== |
||
In this type of HTTP request smuggling, the front end processes request using Transfer-Encoding header while backend processes the request using [[List of HTTP header fields#content-length-response-header|Content-Length header]].<ref name="portswigger1" /> |
In this type of HTTP request smuggling, the front end processes request using Transfer-Encoding header while backend processes the request using [[List of HTTP header fields#content-length-response-header|Content-Length header]].<ref name="portswigger1" /> |
||
===TE.TE=== |
|||
In this type of HTTP request smuggling, the front end and backend both process the request using Transfer-Encoding header, but the header can be obfuscated in a faw that makes one of the servers but not the other one ignore it.<ref name="portswigger1" /> |
|||
==Prevention== |
==Prevention== |
Revision as of 20:15, 28 November 2021
HTTP |
---|
![]() |
Request methods |
Header fields |
Response status codes |
Security access control methods |
Security vulnerabilities |
HTTP request smuggling is a security exploit on the HTTP protocol that uses inconsistency between the interpretation of Content-length
and/or Transfer-encoding
headers between HTTP server implementations in an HTTP proxy server chain.[1][2] It was first documented in 2005 by Linhart et al.[3], and was again repopularized by PortSwigger's research.[4]
Types
CL.TE
In this type of HTTP request smuggling, the front end processes the request using Content-Length header while backend processes the request using Transfer-Encoding header.[4]
TE.CL
In this type of HTTP request smuggling, the front end processes request using Transfer-Encoding header while backend processes the request using Content-Length header.[4]
TE.TE
In this type of HTTP request smuggling, the front end and backend both process the request using Transfer-Encoding header, but the header can be obfuscated in a faw that makes one of the servers but not the other one ignore it.[4]
Prevention
HTTP/2 should be used for backend connections and web server accepting same type of HTTP header should be used. [4]
References
- ^ "CWE - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (4.0)". cwe.mitre.org. Retrieved 2020-03-13.
- ^ "What is HTTP request smuggling? Tutorial & Examples | Web Security Academy". portswigger.net. Retrieved 2020-03-13.
- ^ Linhart, Chaim; Klein, Amit; Heled, Ronen; Orrin, Steve (2005). "HTTP request smuggling" (PDF).
- ^ a b c d e "HTTP request smuggling".