Input Validation / HTTP Request Smuggling
Description
HTTP Request Smuggling is a type of web application vulnerability that allows an attacker to exploit an application's trust in a client by sending multiple HTTP requests as part of a single original request to a web server. There are two types of vulnerabilities where additional requests may be injected.
- The first kind of vulnerability (CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')) occurs when the web application improperly encodes or does not filter special control characters such as carriage return (CR) and line feed (LF), allowing an attacker to inject additional headers or prematurely end a HTTP request and start another one.
- The second kind of vulnerability (CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')) occurs when multiple system components (e.g. a proxy/load balancer and a backend server) are involved in the processing of the HTTP request, the component are interpreting HTTP requests inconsistently, causing different HTTP requests to be seen by them. This can happen for example if both the
Content-LengthandTransfer-Encoding: chunkedheaders are used.
The vulnerability may be exploited to bypass authentication or access control mechanisms, and gain access to an internal network.
Risk
HTTP request smuggling can pose a significant risk to an organization, as it can allow an attacker to gain unauthorized access to internal networks and otherwise non-exposed backend servers. Furthermore, in cloud environments an attacker may potentially access standard endpoints, e.g. for configuration retrieval.
Solution
The best way to prevent HTTP request smuggling is to ensure that all requests sent to the web server are properly sanitized and validated. This can be done by ensuring that all input is properly sanitized, HTTP requests are normalized, and by using a web application firewall to block requests that contain suspicious parameters or headers. Additionally, it is important to update web applications regularly to ensure they are not vulnerable to this type of attack.