HTTP Response Smuggling
Attack Pattern ID: 273 (Detailed Attack Pattern Completeness: Stub)
Typical Severity: Medium
Status: Draft
+ Description

Summary

An attacker injects content into a server response that is interpreted differently by intermediaries than it is by the target browser. To do this, the attacker takes advantage of inconsistent or incorrect interpretations of the HTTP protocol by various applications: for example, using different block-terminating characters (CR or LF alone), adding duplicate header fields that browsers interpret as belonging to separate responses, or other techniques. Consequences of this attack can include response splitting, cross-site scripting, apparent defacement of targeted sites, cache poisoning, or similar actions.

+ Attack Prerequisites

The targeted server must allow the attacker to insert content that will appear in the server's response.

+ Resources Required

No special resources are needed for this attack.

+ Solutions and Mitigations

Design: Adhere strictly to the HTTP specification when parsing and generating messages wherever possible, so that intermediaries and browsers cannot interpret the same response differently.

Implementation: Encode header information provided by user input so that user-supplied content is not interpreted by intermediaries.
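
The two checks a defender would want from the Description and the Implementation mitigation above, as an added example that is not part of the CAPEC entry: a header-value encoder that neutralises CR, LF and NUL in user-supplied data, and a strict framing check that flags a serialized response whose header block contains bare CR/LF or duplicate framing headers (the kind of ambiguity an intermediary and a browser may resolve differently). The function names, the percent-encoding policy and the sample responses are assumptions constructed for this example.

```python
# Characters that let user-controlled data end a header line in at least one
# lenient parser (CRLF, bare CR or bare LF, plus NUL as a string terminator).
LINE_BREAKS = ("\r", "\n", "\x00")


def safe_header_value(value: str) -> str:
    """Percent-encode line-break characters in a user-supplied header value.

    Policy is an assumption for this example: a stricter service may simply
    reject such values instead of encoding them.
    """
    return "".join(f"%{ord(c):02X}" if c in LINE_BREAKS else c for c in value)


def check_response_framing(raw: bytes) -> list:
    """Strictly inspect a serialized HTTP response and return a list of
    framing ambiguities; an empty list means the header block is unambiguous.
    """
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("header block not terminated by CRLFCRLF")
    header_lines = head.split(b"\r\n")[1:]  # drop the status line
    for line in header_lines:
        # A bare CR or LF inside a line is one header to us but two to a
        # parser that accepts a lone terminator.
        if b"\r" in line or b"\n" in line:
            problems.append("bare CR/LF inside header line %r" % line)
    names = [l.split(b":", 1)[0].strip().lower() for l in header_lines if b":" in l]
    for name in (b"content-length", b"transfer-encoding"):
        if names.count(name) > 1:
            problems.append("duplicate %s header" % name.decode())
    if b"content-length" in names and b"transfer-encoding" in names:
        problems.append("both content-length and transfer-encoding present")
    return problems


# Constructed sample responses (not captured traffic).
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
BARE_LF = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nX-Note: a\nb\r\n\r\nok"
DUP_CL = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nContent-Length: 5\r\n\r\nok"

if __name__ == "__main__":
    print(safe_header_value("en\r\nX: y"))
    for sample in (CLEAN, BARE_LF, DUP_CL):
        print(check_response_framing(sample))
```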

+ Related Weaknesses
CWE-ID  Weakness Name                                                   Weakness Relationship Type
74      Failure to Sanitize Data into a Different Plane ('Injection')   Secondary
436     Interpretation Conflict                                         Targeted
+ Related Attack Patterns
Nature   Type             ID   Name                                                                  View(s) this relationship pertains to
PeerOf   Attack Pattern   33   HTTP Request Smuggling                                                Mechanism of Attack (1000)
ChildOf  Attack Pattern   220  Client-Server Protocol Manipulation                                   Mechanism of Attack (1000, primary)
ChildOf  Category         360  WASC Threat Classification 2.0 - WASC-27 - HTTP Response Smuggling    WASC Threat Classification 2.0 (333)