HTTP Request Splitting
Attack Pattern ID: 105 (Standard Attack Pattern Completeness: Complete)
Typical Severity: High
Status: Draft
+ Description

Summary

HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two.

There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with "Transfer-Encoding: chunked" in the request header, set with setRequestHeader, to allow a payload in the HTTP request that can be considered as another HTTP request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
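An added example, not part of the CAPEC entry, of the kind of tight HTTP parsing check the mitigations on this page recommend: it inspects a raw request head and reports the ambiguous framings described above (duplicate Content-Length, Content-Length alongside Transfer-Encoding, bare CR or LF inside the header block) so a front-end can reject the request instead of forwarding it. The sample requests are constructed for the example.

```python
import re

# Constructed sample requests used to exercise the checks (not from the page).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 40\r\n\r\nhello")
CL_AND_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
BARE_CR = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
           b"X-Note: a\rGET /admin HTTP/1.1\r\n\r\n")


def framing_problems(raw: bytes) -> list:
    """Return reasons a request head is ambiguous; an empty list means clean."""
    problems = []
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        return ["no CRLFCRLF terminating the header block"]
    head = raw[:end]
    # Every CR must be followed by LF and every LF preceded by CR;
    # a bare CR or LF is what lenient parsers turn into a second request.
    if re.search(rb"\r(?!\n)|(?<!\r)\n", head):
        problems.append("bare CR or LF inside header block")
    headers = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        # No colon, empty name, or whitespace around the name: reject.
        if not sep or not name or name != name.strip():
            problems.append("malformed header line: %r" % line)
            continue
        headers.append((name.lower(), value.strip()))
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if len(cls) > 1:
        problems.append("multiple Content-Length headers")
    if cls and tes:
        problems.append("Content-Length together with Transfer-Encoding")
    for v in cls:
        if not v.isdigit():
            problems.append("non-numeric Content-Length: %r" % v)
    for v in tes:
        if v.lower() != b"chunked":
            problems.append("unrecognised Transfer-Encoding: %r" % v)
    return problems
```

A front-end that applies this check and refuses (or normalises) anything with a non-empty result removes the interpretation conflict the back-end would otherwise be exposed to.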

Attack Execution Flow

Explore
  1. Investigate Target Environment:

    Determine the technologies used in the target environment such as types of browsers, web servers, application firewalls, proxies, etc.

    Attack Step Techniques (Environments: env-Web)

    1. Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand how HTTP Request headers are parsed.
Exploit
  1. Post a malicious HTTP Request:

    Post a malicious HTTP request that will be interpreted as multiple HTTP requests when parsed on the server

    Attack Step Techniques (Environments: env-Web)

    1. Post a malicious HTTP Request utilizing double CR/LF characters in an HTTP header to cause request splitting.
    2. Post a malicious HTTP Request utilizing "Transfer-Encoding: chunked" in the request header to cause request splitting.
    3. Post a malicious HTTP Request utilizing double Content-Length headers to cause request splitting.
+ Attack Prerequisites

User-manipulatable HTTP Request headers are processed by the web server.

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Protocol Manipulation
  • Injection
  • Analysis
+ Examples-Instances

Description

Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote attacker to conduct HTTP request splitting and smuggling attacks.

The vulnerability is due to an input validation error in the browser that allows attackers to manipulate certain headers to expose the browser to HTTP request splitting and smuggling attacks. Attacks may include cross-site scripting, proxy cache poisoning, and session fixation. In certain instances, an exploit could allow the attacker to bypass web application firewalls or other filtering devices.

Microsoft has confirmed the vulnerability and released software updates.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

Good understanding of the HTTP protocol and the parsing mechanisms employed by various web servers.

+ Resources Required

Low: No specialized equipment is needed.

+ Probing Techniques

Issue HTTP Requests against a target server and examine responses.

+ Solutions and Mitigations

Make sure to install the latest vendor security patches available for the web server.

If possible, make use of SSL.

Install a web application firewall that has been secured against HTTP Request Splitting.

Use web servers that employ a tight HTTP parsing process.

+ Attack Motivation-Consequences
  • Run Arbitrary Code
  • Privilege Escalation
  • Information Leakage
  • Data Modification
+ Related Weaknesses
CWE-ID  Weakness Name                                                             Weakness Relationship Type
436     Interpretation Conflict                                                   Targeted
444     Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')   Secondary
+ Related Attack Patterns
Nature    Type            ID   Name                                                                 View(s) this relationship pertains to
ChildOf   Attack Pattern  220  Client-Server Protocol Manipulation                                  Mechanism of Attack (primary) 1000
ChildOf   Category        357  WASC Threat Classification 2.0 - WASC-24 - HTTP Request Splitting    WASC Threat Classification 2.0 333
ParentOf  Attack Pattern  187  Malicious Automated Software Update                                  Mechanism of Attack (primary) 1000
+ Relevant Security Requirements

System integration testing must include security checks to protect against Multiple Interpretation Errors across systems.

+ Related Security Principles
  • Economy of Mechanism
  • Secure the Weakest Link
  • Compartmentalization
  • Defense in Depth

+ Related Guidelines
  • Understand the possible underlying weaknesses in the third party technologies being used and stay up to date with the vendor patches.

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: Medium
Integrity Impact: Medium
Availability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
Submitter          Organization           Date        Comments
Evgeny Lebanidze   Cigital, Inc           2009-01-12  Initial core pattern content
Modifications
Modifier           Organization           Date        Comments
Sean Barnum        Cigital Federal, Inc.  2009-04-20  Refinement of pattern content