Blog | G5 Cyber Security

HTTP Request Smuggling Attack

TL;DR

The provided HTTPS requests indicate an HTTP request smuggling attack. This happens when attackers exploit discrepancies in how different servers (front-end and back-end) interpret HTTP requests, allowing them to inject malicious requests that bypass security controls.

What is HTTP Request Smuggling?

HTTP request smuggling occurs because of differences in the way web servers and proxies parse HTTP requests. Specifically, it exploits how they handle the two headers that decide where a request body ends:

  • Content-Length: the body is exactly this many bytes.
  • Transfer-Encoding: chunked: the body is a sequence of length-prefixed chunks, terminated by a zero-length chunk.

If a front-end server and a back-end server disagree on which header to use, an attacker can craft a request that is interpreted differently by each server, so the two servers lose agreement on where one request ends and the next begins.

Identifying the Attack

Based on the provided requests (which you haven’t given me, but I will assume show inconsistencies in Content-Length and Transfer-Encoding), here’s how to identify it:

  1. Conflicting Headers: Look for both Content-Length and Transfer-Encoding headers present in the same request.
  2. Discrepancies in Parsing: The front-end server might process one header, while the back-end processes another.
  3. Unexpected Responses: Observe unusual HTTP responses or errors that don’t align with expected behaviour.

Steps to Confirm and Mitigate

  1. Review Logs: Examine web server logs for anomalies, especially around the time of suspicious requests. Look for multiple requests being processed as one, or unexpected request paths.
  2. Normalise HTTP Parsing: The most effective mitigation is to ensure consistent HTTP parsing across all servers and proxies in your infrastructure, so that every hop frames a request the same way.
    • Disable Transfer-Encoding: If possible, disable Transfer-Encoding: chunked on the front-end server.
    • Enforce Strict Content-Length: If you must use chunked encoding, ensure both servers handle it identically, and reject any request that carries both headers rather than letting each server pick its own.
  3. HTTP/2 Upgrade: Consider upgrading to HTTP/2, which has built-in protections against request smuggling because message length is carried in binary frames rather than in headers. The protection only holds end-to-end: if the front-end downgrades to HTTP/1.1 when talking to the back-end, the same framing ambiguities return on that hop.
  4. Web Application Firewall (WAF): Deploy a WAF with rules specifically designed to detect and block HTTP request smuggling attacks.
    # Example WAF rule: reject requests carrying both framing headers.
    # Expressed here as a ModSecurity chained rule (the id is a placeholder).
    SecRule &REQUEST_HEADERS:Content-Length "@gt 0" \
      "id:100001,phase:1,deny,status:400,log,msg:'Content-Length and Transfer-Encoding both present',chain"
      SecRule &REQUEST_HEADERS:Transfer-Encoding "@gt 0"

  5. Patch Servers: Keep your web servers and proxies up-to-date with the latest security patches. Vulnerabilities in HTTP parsing are often targeted by attackers.

    For example, Apache versions before 2.4.50 were vulnerable to certain smuggling attacks.

  6. Request Validation: Implement strict request validation on the back-end server to ensure requests conform to expected formats and paths.

Example Attack Scenario

An attacker sends a request like this:

POST / HTTP/1.1
Host: vulnerable.example.com
Content-Length: 44
Transfer-Encoding: chunked

0

X-Injected: malicious_payload

The front-end server might process the Content-Length header and forward the whole body, while the back-end honours the Transfer-Encoding header, treats the zero-length chunk as the end of the body, and leaves the remaining bytes (X-Injected: malicious_payload) in its connection buffer. Those bytes are then prepended to the next request arriving on that connection, so the attacker's injected data is processed by the back-end as part of a subsequent legitimate request.
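To make the scenario concrete, here is an added example (not code from the original post) that frames one byte stream three ways: as a Content-Length-only front-end would, as a Transfer-Encoding-only back-end would, and with a strict framer that applies the checks from the "Identifying the Attack" list and the "Normalise HTTP Parsing" step. All function names are hypothetical and the sample traffic is constructed; Content-Length is computed so it covers the smuggled body exactly.

```python
"""Added example, not code from the original post: a tiny HTTP/1.1 framer that
shows how a Content-Length-only parser and a chunked-only parser split the same
stream differently, plus a strict framer that rejects ambiguous framing."""
from dataclasses import dataclass

class FramingError(ValueError):
    """Raised by the strict framer when a request's framing is ambiguous."""

@dataclass
class Head:
    request_line: bytes
    headers: list[tuple[bytes, bytes]]  # (lower-cased name, stripped value)
    body_start: int                     # offset of the first body byte

def parse_head(buf: bytes) -> Head:
    """Split the request line and headers from buf, up to the blank line."""
    end = buf.index(b"\r\n\r\n")
    lines = buf[:end].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if b":" not in line:            # not a header line; irrelevant to framing
            continue
        name, value = line.split(b":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return Head(lines[0], headers, end + 4)

def findings(head: Head) -> list[str]:
    """The signals from the 'Identifying the Attack' list, as defender checks."""
    cl = [v for n, v in head.headers if n == b"content-length"]
    te = [v for n, v in head.headers if n == b"transfer-encoding"]
    out = []
    if cl and te:
        out.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        out.append("multiple Content-Length headers with differing values")
    if any(v.lower() != b"chunked" for v in te):
        out.append("Transfer-Encoding value is not exactly 'chunked'")
    return out

def frame_by_content_length(buf: bytes) -> tuple[bytes, bytes]:
    """Front-end in the CL.TE scenario: Content-Length decides, TE is ignored."""
    head = parse_head(buf)
    length = next((int(v) for n, v in head.headers if n == b"content-length"), 0)
    end = head.body_start + length
    return buf[:end], buf[end:]

def frame_by_chunked(buf: bytes) -> tuple[bytes, bytes]:
    """Back-end in the CL.TE scenario: Transfer-Encoding decides when present."""
    head = parse_head(buf)
    if not any(n == b"transfer-encoding" for n, _ in head.headers):
        return frame_by_content_length(buf)
    pos = head.body_start
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";", 1)[0], 16)  # chunk-size [; ext]
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2                 # chunk data plus its trailing CRLF
    while buf[pos:pos + 2] != b"\r\n":  # skip any trailer fields
        pos = buf.index(b"\r\n", pos) + 2
    return buf[:pos + 2], buf[pos + 2:]  # the blank line ends the message

def frame_strict(buf: bytes) -> tuple[bytes, bytes]:
    """Normalised parsing: refuse framing the lenient parsers could disagree on."""
    problems = findings(parse_head(buf))
    if problems:
        raise FramingError("; ".join(problems))
    return frame_by_chunked(buf)

def request_lines(stream: bytes, framer) -> list[bytes]:
    """Request lines a server using `framer` sees on one connection."""
    seen = []
    while b"\r\n\r\n" in stream:
        req, stream = framer(stream)
        seen.append(parse_head(req).request_line)
    return seen

def strict_rejects(stream: bytes) -> bool:
    """True if the strict framer refuses some request in the stream."""
    try:
        request_lines(stream, frame_strict)
    except FramingError:
        return True
    return False

# Constructed traffic: the post's CL.TE request followed, on the same
# connection, by a legitimate request (say, from another user). Content-Length
# is computed here so it covers the whole smuggled body exactly.
BODY = b"0\r\n\r\nX-Injected: malicious_payload\r\n"
SMUGGLED = (b"POST / HTTP/1.1\r\nHost: vulnerable.example.com\r\n"
            b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n" % len(BODY)
            + BODY)
NEXT = b"GET /account HTTP/1.1\r\nHost: vulnerable.example.com\r\n\r\n"
STREAM = SMUGGLED + NEXT

if __name__ == "__main__":
    print("front-end (CL):", request_lines(STREAM, frame_by_content_length))
    print("back-end  (TE):", request_lines(STREAM, frame_by_chunked))
    print("strict framer rejects stream:", strict_rejects(STREAM))
```

Run stand-alone, the Content-Length framer reports two requests, `POST /` and `GET /account`, while the chunked framer reports `POST /` followed by a "request" whose request line is `X-Injected: malicious_payload`, which is exactly the desync the scenario describes. The strict framer refuses the stream at the first request because both framing headers are present, which is the behaviour a normalising front-end (or the WAF rule above) should have.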
