Skip to main content

HTTP request smuggling

Description

The system uses one or more entities, such as a proxy or a firewall, to process requests between the client and the server. These entities do not process HTTP requests consistently, thus making it possible to post malformed requests to get one of the entities to process a request without the other ones noticing it. The reason the entities do not process the requests consistently is that the web server software each one uses delimits requests differently.

Impact

Allow an attacker to send an ambiguous HTTP request between front-end and back-end system.

Recommendation

Use the same web servers software on the front-end and back-end servers, making the delimiters among the requests coincide each other.

Threat

Unauthorized attacker from the Internet.

Expected Remediation Time

⌚ 45 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 6.5
    • Temporal: 6.5
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The front end and back end servers should share the same web server configuration

//Front end server uses the content-length header
POST /search HTTP/1.1
Host: normal-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

//Back end server uses the Transfer-Encoding header
POST / HTTP/1.1
Host: normal-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

Non compliant code

Different header configurations between front-end and back end servers allow a potential attacker to infiltrate the backend server by sending a request to the front end that is ultimately interpreted by the back end

//Front end server uses the content-length header
POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

//Back end server uses the Transfer-Encoding header
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked

Requirements

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.