HTTP request smuggling: Difference between revisions
m Reverted 1 edit by 4everbrillent (talk) to last revision by Serols |
BrandonS23 (talk | contribs) Elaborating on the sections in this Wiki Tag: Disambiguation links added |
||
| Line 1: | Line 1: | ||
{{short description|Web security vulnerability}} |
{{short description|Web security vulnerability}} |
||
{{HTTP}} |
{{HTTP}} |
||
'''HTTP request smuggling''' is a [[security exploit]] on the [[HTTP]] protocol that |
First document in 2005 by Linhart et al.<ref name="HRS">{{cite web|url=https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf|title=HTTP request smuggling|date=2005|last=Linhart|first=Chaim|last2=Klein|first2=Amit|last3=Heled|first3=Ronen|last4=Orrin|first4=Steve}}</ref> , '''HTTP request smuggling''' is a [[security exploit]] on the [[HTTP]] protocol that takes advantage of an inconsistency between the interpretation of [[List of HTTP header fields#content-length-response-header|<code>Content-Length</code>]] and/or [[List of HTTP header fields#transfer-encoding-response-header|<code>Transfer-Encoding</code>]] headers between HTTP server implementations in an [[HTTP proxy server]] chain.<ref>{{Cite web|url=https://cwe.mitre.org/data/definitions/444.html|title=CWE - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (4.0)|website=cwe.mitre.org|access-date=2020-03-13}}</ref><ref name="portswigger1">{{Cite web|url=https://portswigger.net/web-security/request-smuggling|title=What is HTTP request smuggling? Tutorial & Examples {{!}} Web Security Academy|website=portswigger.net|access-date=2020-03-13}}</ref> The Transfer-Encoding header works by defining a directive on how to interpret the body of the [[HTTP request]], with the common and necessary directive for this attack being the [[Chunked transfer encoding]].<ref name ="mozillatransfer">{{Cite web|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Transfer-Encoding|title=Transfer-Encoding|website=developer.mozilla.org|access-date=2022-12-15}}</ref> When the Transfer-Encoding header is present, the Content-Length header is supposed to be omitted.<ref name="mozillatransfer" /> Working similarly but with a different syntax, the Content-Length header works by specifying the size in bytes of the body as a value in the header itself. <ref name="mozillacontentlength">{{Cite web|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Length#:~:text=The%20Content%2DLength%20header%20indicates,bytes%2C%20sent%20to%20the%20recipient.|title=Content-Length|website=developer.mozilla.org|access-date=2022-12-15}}</ref> Vulnerabilities arise when both of these headers are included in a malicious HTTP request, bypassing security functions meant to prevent malicious HTTP queries to the server by causing either the [[front-end]] or [[back-end]] server to incorrectly interpret the request. <ref name="imperva">{{Cite web|url=https://www.imperva.com/learn/application-security/http-request-smuggling/#:~:text=An%20HTTP%20request%20smuggling%20vulnerability,through%20a%20malicious%20HTTP%20query|title=HTTP Request Smuggling|website=imperva.com|access-date=2022-12-15}}</ref> HTTP request smuggling commonly takes the form of CL.TE, TE.CL, or TE.TE, although more complex attacks using HRS do exist. <ref name='imperva' /> |
||
==Types== |
==Types== |
||
{{One source|section|date=November 2021}} |
{{One source|section|date=November 2021}} |
||
===CL.TE=== |
===CL.TE=== |
||
In this type of HTTP request smuggling, the front end processes the request using Content-Length header while backend processes the request using Transfer-Encoding header.<ref name="portswigger1" /> |
In this type of HTTP request smuggling, the front end processes the request using Content-Length header while backend processes the request using Transfer-Encoding header.<ref name="portswigger1" /> The attack would be carried out with the first part of the request declaring a zero length chunk. <ref name="imperva" /> The front end server seeing this would only read the first part of the request and unintentionally pass the second part to the back end server. <ref name="imperva" /> Once passed through to the back end server, it would be treated as the next request and processed, carrying out the attackers hidden request. <ref name="imperva" /> |
||
===TE.CL=== |
===TE.CL=== |
||
In this type of HTTP request smuggling, the front end processes request using Transfer-Encoding header while backend processes the request using Content-Length header.<ref name="portswigger1" /> |
In this type of HTTP request smuggling, the front end processes request using Transfer-Encoding header while backend processes the request using Content-Length header.<ref name="portswigger1" /> In this attack, a hacker would declare the valid length of the first chunk, which houses the malicious request and then declare a second chunk with a length of 0. <ref name ="imperva" /> When the front end server sees the second chunk with a length of 0 it believes the request to be complete and passes it along to the back end server. <ref name="imperva" /> The back end server processes the request using the Content-Length header, however, and as a result the malicious request left in the first chunk go unprocessed until they are treating as being at the start of next request in the sequence and are carried out. <ref name="portswigger1" /> |
||
===TE.TE=== |
===TE.TE=== |
||
In this type of HTTP request smuggling, the front end and backend both process the request using Transfer-Encoding header, but the header can be obfuscated in a way (for example by nonstandard whitespace formatting or duplicate headers) that makes one of the servers but not the other one ignore it.<ref name="portswigger1" /> |
In this type of HTTP request smuggling, the front end and backend both process the request using Transfer-Encoding header, but the header can be obfuscated in a way (for example by nonstandard whitespace formatting or duplicate headers) that makes one of the servers but not the other one ignore it.<ref name="portswigger1" /> Obscuring the header may take the form of adding in an incorrect character, such as Transfer-Encoding: xchunked, or an unusual new line character between 'Transfer-Encoding' and ': chunked'. <ref name="imperva" /> If one of the front of back end servers still processes these obfuscated HTTP requests, then the rest of the attack will be similar to how CL.TE or TE.CL attacks work. <ref name="imperva" /> |
||
==Prevention== |
==Prevention== |
||
[[HTTP/2]] is not vulnerable to request smuggling attacks |
The best prevention to these attacks would clearly be if front end and back end servers interpreted HTTP requests the same way. However, this is usually not an option as load balancers that support backed servers run on distinct platforms, meaning you cannot run the same software on both the front end and the back end. <ref name="imperva" /> A way to prevent against most variants of this attack is by using [[HTTP/2]] as it is not vulnerable to most request smuggling attacks, using a different method for determining the length of a request. Another method of avoiding the attack is for the frontend server to normalize HTTP requests before passing them to the backend, ensuring that they get interpreted in the same way. <ref name="portswigger1" /> Configuring a [[web application firewall]] is another good way to prevent HRS attacks as many feature technology that identify attack attempts and either blocks or sanitize the suspicious incoming requests.<ref name="imperva" /> |
||
== References == |
== References == |
||
{{reflist}} |
{{reflist}} |
||
[[Category:Web security exploits]] |
[[:Category:Web security exploits]] |
||
[[Category:Hypertext Transfer Protocol headers]] |
[[:Category:Hypertext Transfer Protocol headers]] |
||
Revision as of 18:45, 16 December 2022
| HTTP |
|---|
 |
| Request methods |
| Header fields |
| Response status codes |
| Security access control methods |
| Security vulnerabilities |
First document in 2005 by Linhart et al.[1] , HTTP request smuggling is a security exploit on the HTTP protocol that takes advantage of an inconsistency between the interpretation of Content-Length and/or Transfer-Encoding headers between HTTP server implementations in an HTTP proxy server chain.[2][3] The Transfer-Encoding header works by defining a directive on how to interpret the body of the HTTP request, with the common and necessary directive for this attack being the Chunked transfer encoding.[4] When the Transfer-Encoding header is present, the Content-Length header is supposed to be omitted.[4] Working similarly but with a different syntax, the Content-Length header works by specifying the size in bytes of the body as a value in the header itself. [5] Vulnerabilities arise when both of these headers are included in a malicious HTTP request, bypassing security functions meant to prevent malicious HTTP queries to the server by causing either the front-end or back-end server to incorrectly interpret the request. [6] HTTP request smuggling commonly takes the form of CL.TE, TE.CL, or TE.TE, although more complex attacks using HRS do exist. [6]
Types
 | This section relies largely or entirely on a single source. (November 2021) |
CL.TE
In this type of HTTP request smuggling, the front end processes the request using Content-Length header while backend processes the request using Transfer-Encoding header.[3] The attack would be carried out with the first part of the request declaring a zero length chunk. [6] The front end server seeing this would only read the first part of the request and unintentionally pass the second part to the back end server. [6] Once passed through to the back end server, it would be treated as the next request and processed, carrying out the attackers hidden request. [6]
TE.CL
In this type of HTTP request smuggling, the front end processes request using Transfer-Encoding header while backend processes the request using Content-Length header.[3] In this attack, a hacker would declare the valid length of the first chunk, which houses the malicious request and then declare a second chunk with a length of 0. [6] When the front end server sees the second chunk with a length of 0 it believes the request to be complete and passes it along to the back end server. [6] The back end server processes the request using the Content-Length header, however, and as a result the malicious request left in the first chunk go unprocessed until they are treating as being at the start of next request in the sequence and are carried out. [3]
TE.TE
In this type of HTTP request smuggling, the front end and backend both process the request using Transfer-Encoding header, but the header can be obfuscated in a way (for example by nonstandard whitespace formatting or duplicate headers) that makes one of the servers but not the other one ignore it.[3] Obscuring the header may take the form of adding in an incorrect character, such as Transfer-Encoding: xchunked, or an unusual new line character between 'Transfer-Encoding' and ': chunked'. [6] If one of the front of back end servers still processes these obfuscated HTTP requests, then the rest of the attack will be similar to how CL.TE or TE.CL attacks work. [6]
Prevention
The best prevention to these attacks would clearly be if front end and back end servers interpreted HTTP requests the same way. However, this is usually not an option as load balancers that support backed servers run on distinct platforms, meaning you cannot run the same software on both the front end and the back end. [6] A way to prevent against most variants of this attack is by using HTTP/2 as it is not vulnerable to most request smuggling attacks, using a different method for determining the length of a request. Another method of avoiding the attack is for the frontend server to normalize HTTP requests before passing them to the backend, ensuring that they get interpreted in the same way. [3] Configuring a web application firewall is another good way to prevent HRS attacks as many feature technology that identify attack attempts and either blocks or sanitize the suspicious incoming requests.[6]
References
- ^ Linhart, Chaim; Klein, Amit; Heled, Ronen; Orrin, Steve (2005). "HTTP request smuggling" (PDF).
- ^ "CWE - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (4.0)". cwe.mitre.org. Retrieved 2020-03-13.
- ^ a b c d e f "What is HTTP request smuggling? Tutorial & Examples | Web Security Academy". portswigger.net. Retrieved 2020-03-13.
- ^ a b "Transfer-Encoding". developer.mozilla.org. Retrieved 2022-12-15.
- ^ "Content-Length". developer.mozilla.org. Retrieved 2022-12-15.
- ^ a b c d e f g h i j k "HTTP Request Smuggling". imperva.com. Retrieved 2022-12-15.
Category:Web security exploits Category:Hypertext Transfer Protocol headers
 | This World Wide Web–related article is a stub. You can help Wikipedia by expanding it. |