Request Smuggling
Overview of the Vulnerability
HTTP request smuggling is a vulnerability that occurs when two or more servers in a request chain interpret a sequence of HTTP requests differently, for example when the servers use different mechanisms to determine where the boundary between one request and the next lies.
These discrepancies can lead to a broad range of issues that allow an attacker to bypass security controls, take over other users' accounts, or gain unauthorized access to sensitive content.
Business Impact
Depending on the type of misconfiguration found in the server, exposure or manipulation of data from within it could lead to financial loss and reputational damage for the business.
Steps to Reproduce
Enable an HTTP intercept proxy, such as Burp Suite or OWASP ZAP, to record and intercept web traffic from your browser
Use a browser to navigate to: {{URL}}
Using the HTTP intercept proxy, alter the HTTP request header as follows: {{HTTP request}}
Send the request
Observe the response
Proof of Concept (PoC)
The screenshots below demonstrate the HTTP request smuggling vulnerability:
{{screenshot}}
Guidance
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Your submission must include evidence of the vulnerability and not be theoretical in nature.
For HTTP request smuggling vulnerabilities, please include text based versions of the requests and responses alongside the screenshot to easily demonstrate and reproduce the issue. Attempt to escalate the vulnerability to perform additional actions (such as an account takeover). If this is possible, provide a full Proof of Concept (PoC).
Recommendation(s)
There is no single technique that prevents HTTP request smuggling vulnerabilities. However, implementing the right combination of defensive measures within the application will prevent them or limit their impact. Some best practices include the following:
Reduce ambiguities in the interpretation and configuration of server protocols. In particular, front-end and back-end servers must interpret HTTP message-framing headers consistently.
Ensure servers communicate via the HTTP/2 protocol end-to-end, as this removes the HTTP/1.1 framing ambiguities that most request smuggling variants rely on.
Use a web application firewall (WAF) or the front-end server itself to close connections carrying requests whose Transfer-Encoding and Content-Length headers conflict, rather than forwarding them.
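The following is an added example, not code from the original template: a strict framing check of the kind a front-end server or WAF would apply before forwarding a request, so that every hop agrees on where the request body ends. It applies the RFC 7230 section 3.3.3 rules and rejects any request where two parsers could reasonably disagree (both Transfer-Encoding and Content-Length present, duplicate Content-Length values, a non-canonical Transfer-Encoding value, malformed header syntax, or a chunked body with trailing bytes). The sample requests at the bottom are constructed for illustration.

```python
"""Strict HTTP/1.1 body-framing check (added example, not part of the template)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Framing:
    accepted: bool
    reason: str
    body: bytes = b""


def _parse_headers(raw: bytes) -> Tuple[bytes, List[Tuple[str, str]], bytes]:
    """Split a raw request into request line, (name, value) headers and the rest."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        # Obsolete line folding and whitespace before the colon are classic
        # ways of making two parsers see different header names; reject both.
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding")
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header name")
        headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    return lines[0], headers, rest


def _decode_chunked(body: bytes) -> Optional[bytes]:
    """Decode a chunked body; None if malformed, incomplete, or followed by extra bytes."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return None
        size_field = body[pos:end].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            return None
        pos = end + 2
        if size == 0:
            # Last chunk: require the final CRLF and nothing after it. Bytes left
            # over here are exactly what a back-end would read as a new request.
            ok = body[pos:pos + 2] == b"\r\n" and len(body) == pos + 2
            return bytes(out) if ok else None
        chunk = body[pos:pos + size]
        if len(chunk) < size or body[pos + size:pos + size + 2] != b"\r\n":
            return None
        out += chunk
        pos += size + 2


def frame_request(raw: bytes) -> Framing:
    """Return the unambiguous body of a request, or a rejection with the reason."""
    try:
        _, headers, rest = _parse_headers(raw)
    except ValueError as exc:
        return Framing(False, f"malformed headers: {exc}")
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        # Two framing mechanisms: front-end and back-end may pick different ones.
        return Framing(False, "both Transfer-Encoding and Content-Length present")
    if te:
        # Accept only a single, exact 'chunked' coding; variants are where parsers diverge.
        if len(te) != 1 or te[0] != "chunked":
            return Framing(False, f"unsupported Transfer-Encoding {te!r}")
        body = _decode_chunked(rest)
        return Framing(True, "chunked", body) if body is not None else Framing(False, "malformed chunked body")
    if cl:
        # Duplicate Content-Length headers must agree and be plain ASCII digits.
        if len(set(cl)) != 1 or not (cl[0].isascii() and cl[0].isdigit()):
            return Framing(False, f"invalid Content-Length {cl!r}")
        if len(rest) != int(cl[0]):
            return Framing(False, "body length does not match Content-Length")
        return Framing(True, "content-length", rest)
    if rest:
        return Framing(False, "body present without framing header")
    return Framing(True, "no body")


# Constructed sample requests (hypothetical host, not from the original page).
GOOD_CL = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
GOOD_TE = b"POST /x HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
AMBIGUOUS = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
DUP_CL = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello"

if __name__ == "__main__":
    for name, req in [("GOOD_CL", GOOD_CL), ("GOOD_TE", GOOD_TE), ("AMBIGUOUS", AMBIGUOUS), ("DUP_CL", DUP_CL)]:
        print(name, frame_request(req))
```

A front-end that rejects everything this function rejects never forwards a request whose boundary a downstream server could place differently, which is the property the recommendations above are asking for; the cost is that some non-compliant but otherwise harmless clients will receive a 400 instead of being served.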
For more information, please see the following guides: