HTTP Request Smuggling

Popularity: 2
Simplicity: 2
Impact: 7
Risk Rating: 4

This attack does not rely on a vulnerability within the web application itself, but within the surrounding web architecture. It exploits differences in how the HTTP protocol has been implemented by the various vendors and products in the request path, such as how each one handles a request containing two Content-Length headers. The attack was developed by Watchfire, which has since been acquired by IBM. The original whitepaper can be found at https://www.watchfire.com/securearea/whitepapers.aspx.

In the following example, the virtual hosts www.example.com and www.malicious_site.com are hosted on the same server with the same IP address:

1 POST http://www.example.com/welcome.html HTTP/1.1
2 Host: www.example.com
3 Content-Type: text/html
4 Content-Length: 0
5 Content-Length: 69
6 [empty line]
7 GET /fakelogin.html HTTP/1.1
8 Host: www.malicious_site.com
9 Myheader: [space but no CR LF]
10 GET http://www.example.com/login.html HTTP/1.1
11 Host: www.example.com
12 [empty line]

Let's say that the web caching proxy in use on the network has implemented the HTTP protocol so that the last Content-Length header is the one it honours; it therefore takes the following 69 characters, lines 7-9, to be the request body for welcome.html. The proxy then continues straight on to parse the request contained in lines 10-12 as a request for the login.html page.

Now that the proxy has passed this content to the web server, let's analyze how the web server parses these requests, assuming that it honours the first Content-Length header it sees. Since the first Content-Length value is 0, the web server takes lines 1-6 to be the first request and returns welcome.html, which agrees with what the proxy determined. The web server then continues straight on to parse the request starting at line 7; however, because line 9 does not end with a CRLF, line 10 is parsed as the value of the Myheader header. Therefore, the second request consists of lines 7-12 and returns the page fakelogin.html.

This causes a conflict between what page the proxy was expecting and what the web server actually returned. Assuming that these are cacheable pages, the proxy would cache the http://www.malicious_site.com/fakelogin.html page under the URL http://www.example.com/login.html. At this point, if any users request the login.html page, the proxy will return the contents of fakelogin.html.
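To make the two parses concrete, here is an added model (not from the original text or the Watchfire paper) that splits the byte stream above under both Content-Length policies and reports where the proxy's and the origin server's views diverge; it also shows the strict behaviour RFC 7230 section 3.3.3 requires, which is to reject a message carrying conflicting Content-Length values. The byte string is a constructed rendering of lines 1-12, and the body length is computed from those bytes rather than taken as 69.

```python
# Constructed bytes: line 9 ("Myheader: ") ends with a space and no CRLF,
# so line 10 is glued onto its value.  Lengths are computed, not assumed.
SMUGGLED = (b"GET /fakelogin.html HTTP/1.1\r\n"
            b"Host: www.malicious_site.com\r\n"
            b"Myheader: ")
# The text quotes 69 bytes for lines 7-9; we use the exact length of this rendering.
REQUEST = (
    b"POST http://www.example.com/welcome.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: " + str(len(SMUGGLED)).encode() + b"\r\n"
    b"\r\n"
    + SMUGGLED
    + b"GET http://www.example.com/login.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)

def parse_requests(stream, cl_policy):
    """Split a byte stream into (request-target, body) pairs.
    'first'/'last' selects which duplicate Content-Length wins (origin server
    vs. proxy in the text); 'strict' rejects conflicting values as RFC 7230
    section 3.3.3 requires."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete request headers")
        lines = head.split(b"\r\n")
        target = lines[0].split(b" ")[1].decode()
        lengths = [l.split(b":", 1)[1].strip() for l in lines[1:]
                   if l.lower().startswith(b"content-length:")]
        if cl_policy == "strict" and len(set(lengths)) > 1:
            raise ValueError("conflicting Content-Length values for " + target)
        length = int(lengths[0] if cl_policy == "first" else lengths[-1]) if lengths else 0
        if len(rest) < length:
            raise ValueError("incomplete body for " + target)
        requests.append((target, rest[:length]))
        stream = rest[length:]
    return requests

def poisoned_entries(stream):
    """(URL the proxy caches under, page the origin actually served) for every
    position where the two parsers disagree."""
    proxy = [t for t, _ in parse_requests(stream, "last")]
    origin = [t for t, _ in parse_requests(stream, "first")]
    return [(p, o) for p, o in zip(proxy, origin) if p != o]
```

Running `poisoned_entries(REQUEST)` yields the single pair (login.html, /fakelogin.html), the poisoned cache entry described above, while `parse_requests(REQUEST, "strict")` refuses the message outright.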

This can lead to attacks such as capturing authentication credentials, session hijacking, cross-site scripting, and even the ability to bypass intrusion prevention systems or web application firewalls by smuggling malicious HTTP requests through to the web server.
