HTTP Request Smuggling

Overview of the attack

HTTP Request Smuggling exploits differences in the way the entities between the user and the web server (reverse proxies, load balancers, web-application firewalls, cache servers) parse the same HTTP request. By crafting a request whose length is declared ambiguously, the attacker can cause one entity to treat part of the request as body data that another entity treats as the start of a further request. That part is thereby smuggled past the first entity. Depending on what sits in the chain, the attack can be used for cache poisoning, session hijacking, bypassing web-application firewalls, and delivering cross-site scripting payloads.

What makes a site vulnerable to the attack?

The vulnerability which causes HTTP request smuggling does not reside within the website itself, but within the components in front of it: web-application firewalls which protect the site, reverse proxies, and cache servers which cache frequently requested web pages. Some of these components do not handle malformed HTTP requests the same way the web server does. If an HTTP request declares its length twice, giving two different values (for example two Content-Length headers with different values, or a Content-Length header alongside Transfer-Encoding: chunked), then some components will treat the request as though it was one length, and some will treat it as the other. A component such as a web-application firewall may therefore inspect only the part it considers to be the request, allowing the remainder to reach the web server unchecked. If the web server treats that remainder as a request in its own right, any attack contained in it is delivered.

Impact of the attack

By smuggling in a request the attacker may be able to cause a cache to associate one URL with the content of the page at another URL, making cache poisoning possible. The attack can enable an attacker to sneak malicious content (e.g. a worm's payload) past a web-application firewall. The attack can also disrupt the web server's sequencing of requests and responses on a shared connection, since an extra request is inserted: the smuggled bytes become the beginning of the next request on that connection, which may belong to another user, so that user's request is altered or the responses no longer match the requests that produced them. This is what enables the attacker to hijack the user's session.
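The disagreement described in the two sections above, as an added example that is not part of the original page: two minimal HTTP/1.1 framers applied to the same byte stream, one trusting Content-Length (as a front-end proxy or firewall might) and one trusting Transfer-Encoding: chunked (as the web server might). The attacker and victim requests, the host name example.test and the "SMUGGLED" prefix are constructed for the example. The front end sees two well-formed requests; the back end sees the attacker's request end early, and the leftover bytes become the start of the next user's request, which is the sequencing disruption the impact section describes.

```python
"""Added example: one byte stream, framed by two parsers that disagree.
The requests below are constructed for the example."""


def parse_head(stream: bytes):
    """Split one request head off `stream`.

    Returns (request_line, headers, body_start); headers maps a lower-cased
    field name to every value seen for it. Raises ValueError if the head
    (everything up to the blank line) is not complete yet.
    """
    head, sep, _ = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head incomplete")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, len(head) + 4


def content_length_of(headers) -> int:
    """Body length according to the first Content-Length header (0 if absent)."""
    return int(headers.get(b"content-length", [b"0"])[0])


def split_by_content_length(stream: bytes):
    """Front-end style framing: trust Content-Length, ignore Transfer-Encoding.
    Returns (complete_requests, unconsumed_bytes)."""
    requests = []
    while True:
        try:
            _, headers, body_start = parse_head(stream)
        except ValueError:
            return requests, stream
        end = body_start + content_length_of(headers)
        if end > len(stream):
            return requests, stream          # body not fully received yet
        requests.append(stream[:end])
        stream = stream[end:]


def split_by_transfer_encoding(stream: bytes):
    """Back-end style framing: Transfer-Encoding: chunked wins over Content-Length.
    Reads chunks up to the zero-size chunk; assumes no trailer fields follow it.
    A chunk-size line that is not hex raises ValueError. Same return shape."""
    requests = []
    while True:
        try:
            _, headers, body_start = parse_head(stream)
        except ValueError:
            return requests, stream
        if b"chunked" in headers.get(b"transfer-encoding", []):
            pos = body_start
            while True:
                line_end = stream.find(b"\r\n", pos)
                if line_end < 0:
                    return requests, stream  # chunk-size line incomplete
                size = int(stream[pos:line_end].split(b";")[0], 16)
                pos = line_end + 2
                if size == 0:
                    if stream[pos:pos + 2] != b"\r\n":
                        return requests, stream  # closing CRLF not received
                    pos += 2
                    break
                pos += size + 2                  # chunk data plus its CRLF
                if pos > len(stream):
                    return requests, stream
            end = pos
        else:
            end = body_start + content_length_of(headers)
            if end > len(stream):
                return requests, stream
        requests.append(stream[:end])
        stream = stream[end:]


# Constructed attacker request: Content-Length covers the 13 bytes
# "0\r\n\r\nSMUGGLED", while the chunked framing ends at the zero-size chunk.
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)

# Constructed request from another user, next on the same back-end connection.
VICTIM_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Cookie: session=victim\r\n"
    b"\r\n"
)


def framing_disagreement():
    """Frame the concatenated stream both ways: (front_end_view, back_end_view)."""
    stream = ATTACKER_REQUEST + VICTIM_REQUEST
    return split_by_content_length(stream), split_by_transfer_encoding(stream)


if __name__ == "__main__":
    (front, _), (back, _) = framing_disagreement()
    for label, reqs in (("front-end (Content-Length)", front), ("back-end (chunked)", back)):
        print(label)
        for r in reqs:
            print("   ", r.split(b"\r\n", 1)[0])
```

Run as a script it prints the request line each side sees: the front end reports `POST /` followed by `GET /account`, the back end reports `POST /` followed by `SMUGGLEDGET /account`. Replace the `SMUGGLED` prefix with the head of a complete request and the back end processes a request the front end never inspected.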

Preventing the attack

HTTP request smuggling results from differences in the way different devices / software interpret HTTP requests, rather than from any particular error in the website itself. As a result, modifying the website's application code is unlikely to provide a solution. The fix belongs in the components that parse the request: configure the front end (proxy, web-application firewall, cache) to reject requests whose framing is ambiguous (more than one Content-Length value, Content-Length together with Transfer-Encoding, a Transfer-Encoding value that is not exactly chunked, whitespace or control characters in header names) rather than silently normalising them, and make sure the front end and the web server apply the same parsing rules. Where possible, avoid reusing a back-end connection for different clients' requests, so that a leftover from one request cannot be prepended to another user's. Ultimately the most viable solution may be to investigate your choice of web server, cache server and web-application firewall. The final choices for these components should be ones which offer resistance against HTTP request smuggling, and the combination should be tested together, since it is the disagreement between two components, not either one on its own, that creates the vulnerability.
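A front-end framing check of the kind the paragraph above calls for, as an added example (not code from the original page or from any particular proxy or firewall product). It rejects a request rather than forwarding it whenever the request's length could be read two ways; the rules follow RFC 9112 (sections 5.1, 6.1 and 6.3), and the sample requests and the host name example.test are constructed for the example.

```python
"""Added example: strict request framing check for a front-end.
Sample requests are constructed for the example."""
import re

# RFC 9110 token characters, valid for field names and transfer-coding names.
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# Control characters other than tab are never legitimate in a field value.
CONTROL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def reject_reasons(raw: bytes) -> list:
    """Return why a strict front-end would reject the request head in `raw`.

    An empty list means the framing is unambiguous and the request may be
    forwarded. Each reason is a case that a lenient parser somewhere in the
    chain could resolve differently from the web server.
    """
    reasons = []
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete request head"]
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if not request_line.endswith((b" HTTP/1.1", b" HTTP/1.0")):
        reasons.append("unrecognised HTTP version in request line")

    content_lengths, transfer_codings = [], []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            reasons.append(f"malformed header line {line!r}")
            continue
        # Whitespace before the colon, or a non-token name (e.g. a control
        # character glued to "Transfer-Encoding"), makes one parser see a
        # header that another ignores.
        if name != name.rstrip(b" \t") or not TOKEN.match(name):
            reasons.append(f"whitespace or invalid character in field name {name!r}")
            continue
        if CONTROL.search(value):
            reasons.append(f"control character in value of {name!r}")
            continue
        tokens = [t.strip(b" \t") for t in value.split(b",")]
        key = name.lower()
        if key == b"content-length":
            content_lengths.extend(tokens)
        elif key == b"transfer-encoding":
            transfer_codings.extend(t.lower() for t in tokens)

    # Content-Length: exactly one value, digits only. Duplicates are rejected
    # even when equal; a strict front-end gains nothing by tolerating them.
    if len(content_lengths) > 1:
        reasons.append("more than one Content-Length value")
    elif content_lengths and not content_lengths[0].isdigit():
        reasons.append("non-numeric Content-Length")

    # Transfer-Encoding: never alongside Content-Length, never in HTTP/1.0,
    # and "chunked" must be the final coding, spelled exactly.
    if transfer_codings:
        if content_lengths:
            reasons.append("both Content-Length and Transfer-Encoding present")
        if request_line.endswith(b" HTTP/1.0"):
            reasons.append("Transfer-Encoding in an HTTP/1.0 request")
        if transfer_codings[-1] != b"chunked":
            reasons.append("final transfer coding is not exactly 'chunked'")
        if b"chunked" in transfer_codings[:-1]:
            reasons.append("'chunked' applied before the final coding")
        if any(not TOKEN.match(t) for t in transfer_codings):
            reasons.append("invalid transfer coding token")
    return reasons


# Constructed sample requests.
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
GZIP_THEN_CHUNKED = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                     b"Transfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n")
CL_AND_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 13\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED")
TWO_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
          b"Content-Length: 50\r\n\r\nhello")
ODD_TE = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n"
SPACE_COLON = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello"

if __name__ == "__main__":
    samples = [("clean", CLEAN), ("gzip,chunked", GZIP_THEN_CHUNKED),
               ("CL+TE", CL_AND_TE), ("two CL", TWO_CL), ("odd TE", ODD_TE),
               ("space before colon", SPACE_COLON)]
    for label, req in samples:
        print(f"{label:20} -> {reject_reasons(req) or 'forward'}")
```

Run as a script it prints a verdict for each sample; the same function could sit in a firewall plug-in or a reverse-proxy request hook. Rejecting rather than normalising matters: a normalised request has to be re-serialised before forwarding, and the rewrite itself can create a fresh disagreement with the web server.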