HTTP request smuggling is increasingly exploited by hackers in the wild and in bug bounty programs. This post will explain the HTTP request smuggling attack with remediation tips.
HTTP request smuggling is an attack technique that abuses how two HTTP devices send requests between each other (typically a front-end proxy or a HTTP-enabled firewall and a backend server) or chaining multiple servers together with different configurations.
The attacker is able to modify a request to include two requests within the body of a singular request by telling the server where the request ends by modifying the Content-Length, or Transfer-Encoding header. By abusing these headers, an additional request can be smuggled into the first, leading to the response of the smuggled request being attached to the response of another request.
HTTP specification allows a server to specify if the request has completed by using two different methods. Using or Transfer-Encoding: chunked
The Content-Length header specifies the total size of the request body in bytes, whereas Transfer-Encoding: chunked specifies that the request body will be sent in chunks separated by newline sequences, with each chunk preceded by its size in bytes. The request body ends with a 0-length chunk.
Sending both of these headers in the same request is where the conflict can occur.
An attacker trying to access the admin page of a website which is normally blocked by a front-end server or Web Application Firewall.
example.com/admin
Requesting example.com will result in a 200 response from the server, but when requesting example.com/admin, the server responds with a 403 Forbidden response. The request would look similar to this:
POST /admin HTTP/1.1
Host: example.com
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length :11
q=givemezepasswords
The front end server which received the request accepts that the request ends with the Content-Length of 11. The front end accepts the request and the Content Security Policy or Web Application Firewall that blocks the request and returns a 403.
If we modify the request to include a smuggled request, we would insert both of the Content-Length and Transfer-Encoding headers, making sure that we include the smuggled request.
POST /admin HTTP/1.1
Host: example.com
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length :11
Transfer-Encoding: chunked
7
POST /admin HTTP/1.1
Host: foo.com
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length :11
Transfer-Encoding: chunked
q=givemezepasswords
Sending this request multiple times will cause the request to go through, with the front end interpreting the first header of Content-Length, with the back end using the Transfer-Encoding header.
This will cause the secondary request to be attached to the response of another request. Being able to see this is dependent on the amount of requests that are being sent backwards and forwards to the server. The two headers can be used interchangeably depending on the server configurations. You can use burp turbo intruder to test and see this in action.
By smuggling an additional request into one , you can bypass security controls that are in place and potentially access/modify how the back end will send a response to another request/user. This can be used from anything to fetch etc/passwd, send redirection links, or even takeover accounts which was shown on Slack .
There are numerous manual tools that have been made for testing Request Smuggling vulnerabilities, such as Burp Suite’s smuggler extension or Gwendal Le Coguic’s smuggler py .
Detectify can also help. You can test for this directly within Detectify by activating this beta feature within your scan profile settings. The findings will show you where in the application it was found, and provide remediation tips to prevent future HTTP request smuggling attempts.
Special thanks to:
More on web browser security and secure headers:
Detectify checks whether your web applications are vulnerable to HTTP request smuggling and other common attacks. Sign up for Detectify with a free trial today and check for 2000+ common vulnerabilities beyond the OWASP Top 10.
Travis Isaacson, Global Sales Engineering Team Lead at Detectify, works with security teams to utilize the latest crowdsourced vulnerability research in their automated security practices and keep web applications secure. He has a background in supply chain logistics and digital AdTech. He also dabbles in ethical hacking and bug bounties outside of office hours.
buy cc’s best cc shop
