HTTP Request Smuggling
Attack Pattern ID: 33 (Detailed Attack Pattern Completeness: Complete)Typical Severity: HighStatus: Draft
+ Description

Summary

HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.

Attack Execution Flow

Explore
  1. Identify HTTP parsing chain:

    Determine the technologies used in the target environment such as types of web servers, application firewalls, proxies, etc.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand the parsing chain traversed by the incoming HTTP request.

    env-Web

    Outcomes

    IDtypeOutcome Description
    1Success
    Full HTTP parsing chain for the application has been identified
Experiment
  1. Probe for vulnerable differences in HTTP parsing chain:

    Attacker sends malformed HTTP Requests to the application looking for differences in the ways that individual layers in the parsing chain parse requests. When differences are identified, the attacker crafts specially malformed HTTP requests to determine if the identified parsing differences will allow extra requests to be smuggled through parsing layers.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Create many consecutive requests to the server. Some of which must be malformed.

    env-Web
    2

    Use a proxy tool to record the HTTP responses headers.

    env-Web

    Indicators

    IDtypeIndicator DescriptionEnvironments
    1Positive

    At some point, the server is waiting for more request information to send the last response.

    env-Web
    2Inconclusive

    No response is being received.

    env-Web
    3Negative

    Malformed HTTP requests are being totally ignored.

    env-Web
    4Negative

    Responses are being sent even if the HTTP header is incomplete.

    env-Web

    Outcomes

    IDtypeOutcome Description
    1Success
    One layer in the application's HTTP parsing chain processes HTTP Requests that other layers do not. The server smuggles the user request into the last attacker's request and transport data such as cookie, etc.
    2Failure
    The server replies with an error to the last attacker's request.
    3Inconclusive
    No response for the last incomplete request from the attacker by the server

    Security Controls

    IDtypeSecurity Control Description
    1Detective
    Monitor requests to the server that seem malformed.
Exploit
  1. Cache poisoning:

    The attacker decides to target the cache server. The server will then cache the request and serve a wrong page to a legitimate user's request. The malicious request will most likely exploit a Cross-Site Scripting or another injection typed vulnerability.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will be processed and acted on by the outer parsing layer of the cache server but not by the inner application layer. In this way it will be cached by the server without obvious sign from the application and the corrupt data will be served to future requesters.

    env-Web

    Outcomes

    IDtypeOutcome Description
    1Success
    The attacker gets the users to be served with this cached malicious HTTP request.

    Security Controls

    IDtypeSecurity Control Description
    1Detective
    Monitor server logs for consecutive suspicious HTTP requests.
  2. Session Hijacking:

    The attacker decides to target the web server by crafting a malicious HTTP Request containing a second HTTP Request using syntax that will not be processed and acted on by an outer "filter" parsing layer but will be acted on by the inner web server/application processing layers. The application/web server will then act on the malicious HTTP Request as if it is a valid request from the client potentially subverting session management.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will not be processed and acted on by the outer parsing layer of the malicious content filters but will be by the inner application/web server layer. In this way it will be acted on by the application/web server as if it is a valid request from the client.

    env-Web

    Outcomes

    IDtypeOutcome Description
    1Success
    The attacker gets the application/web server to act on the malicious HTTP request and allows the attacker to gain control of the target user's session.

    Security Controls

    IDtypeSecurity Control Description
    1Preventative
    Monitor server logs for consecutive suspicious HTTP requests.
+ Attack Prerequisites

An additional HTTP entity such as an application firewall or a web caching proxy between the attacker and the second entity such as a web server

Differences in the way the two HTTP entities parse HTTP requests

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Protocol Manipulation
  • Injection
+ Examples-Instances

Description

When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks.

Related Vulnerabilities

CVE-2006-6276

Description

Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request with both "Content-Length" and a "Transfer-Encoding: chunked" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with "Transfer-Encoding: chunked" header without replacing the existing "Content-Length" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with "Content-Length: 0".

Related Vulnerabilities

CVE-2005-2088

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

The attacker has to have detailed knowledge of the HTTP protocol specifics and must also possess exact details on the discrepancies between the two targeted entities in parsing HTTP requests.

+ Resources Required

None

+ Probing Techniques

If system documentation is available, the attacker can look up the exact versions of the two targeted entities, since different versions of the same system often behave differently. The attacker can also use product-specific documentation to figure out differences in parsing HTTP requests between the two entities.

In case where no documentation is available, the attacker needs to reliably fingerprint the targeted entities to discover the nature and version of the entities. Having done this, the attacker then needs to experimentally determine how the two entities differ in parsing requests.

+ Indicators-Warnings of Attack

Differences in requests processed by the two entities. This requires careful monitoring or a capable log analysis tool.

+ Solutions and Mitigations

HTTP Request Smuggling is usually targeted at web servers. Therefore, in such cases, careful analysis of the entities must occur during system design prior to deployment. If there are known differences in the way the entities parse HTTP requests, the choice of entities needs consideration.

Employing an application firewall can help. However, there are instances of the firewalls being susceptible to HTTP Request Smuggling as well.

+ Attack Motivation-Consequences
  • Run Arbitrary Code
  • Privilege Escalation
  • Data Modification
+ Injection Vector

HTTP requests that are interpreted and parsed differently by the targeted entities.

+ Payload

HTTP request to be smuggled through the first entity to the second one.

+ Activation Zone

The application server behind another HTTP entity

+ Payload Activation Impact

The impact of activation is that a particular request that was not supposed to pass through the first entity is received by the second entity who responds to it. This can defeat protection against malware or lead to Cross-Site Scripting

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
444Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')Targeted
436Interpretation ConflictSecondary
707Improper Enforcement of Message or Data StructureTargeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern220Client-Server Protocol Manipulation 
Mechanism of Attack (primary)1000
ChildOfCategoryCategory359WASC Threat Classification 2.0 - WASC-26 - HTTP Request Smuggling 
WASC Threat Classification 2.0333
PeerOfAttack PatternAttack Pattern273HTTP Response Smuggling 
Mechanism of Attack1000
+ Relevant Security Requirements

System integration testing must include security checks to protect against Multiple Interpretation Errors across systems.

+ Related Security Principles
  • Economy of Mechanism

  • Securing the Weakest Link

+ Related Guidelines
  • Carefully Study Other Systems Before Incorporating Them into Your System

  • Design Configuration Subsystems Correctly and Distribute Safe Default Configurations

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: MediumIntegrity Impact: MediumAvailability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
Frameworks
All
Platforms
All
Languages
All
+ References

CWE - HTTP Request Smuggling

CWE - Multiple Interpretation Error

+ Content History
Submissions
SubmitterDateComments
Chiradeep B Chhaya2007-01-10First Draft
Modifications
ModifierOrganizationDateComments
Malik HamroCigital, Inc2007-02-27Reformat to new schema and review
Sean BarnumCigital, Inc2007-03-05Review and revise
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Description
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback
Romain GaucherCigital, Inc2009-02-10Created draft content for detailed description
Sean BarnumCigital Federal, Inc2009-04-13Reviewed and revised content for detailed description