CAPEC-33
00h00 +00:00
00h00 +00:00
Descriptions CAPEC
An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).
See CanPrecede relationships for possible consequences.
Informations CAPEC
Execution Flow
[Survey network to identify target] The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.
- Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.
[Identify vulnerabilities in targeted HTTP infrastructure and technologies] The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, message sizes, and HTTP headers.
[Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities] The adversary sends maliciously crafted HTTP requests to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure response to the normal/benign HTTP request to confirm applicability of identified vulnerabilities in the adversary's plan of attack.
- Continue the monitoring of HTTP traffic.
-
Utilize various combinations of HTTP Headers within a single HTTP Request such as: Content-Length & Transfer-Encoding (CL;TE), Transfer-Encoding & Content-Length (TE;CL), or double Transfer-Encoding (TE;TE), so that additional embedded requests or data in the body of the original request are unprocessed and treated as part of subsequent requests by the intended target HTTP agent.
From these HTTP Header combinations the adversary observes any timing delays (usually in the form of HTTP 404 Error response) or any other unintended consequences.
- For CL;TE and TE;CL HTTP header combinations, the first HTTP agent, in the HTTP message path that receives the HTTP request, takes precedence or only processes one header but not the other, while the second/final HTTP agent processes the opposite header, allowing for embedded HTTP requests to be ignored and smuggled to the intended target HTTP agent.
- For TE;TE HTTP headers combination, all HTTP agents in HTTP message path process Transfer-Encoding header, however, adversary obfuscation (see Mitigations for details) of one of the Transfer-Encoding headers, by not adhering strictly to the protocol specification, can cause it to be unprocessed/ignored by a designated HTTP agent, hence allowing embedded HTTP requests to be smuggled. .
-
Construct a very large HTTP request using multiple Content-Length headers of various data lengths that can potentially cause subsequent requests to be ignored by an intermediary HTTP agent (firewall) and/or eventually parsed separately by the target HTTP agent (web server).
Note that most modern HTTP infrastructure reject HTTP requests with multiple Content-Length headers.
- Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.
[Perform HTTP Request Smuggling attack] Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.
- Leverage techniques identified in the Experiment Phase.
Prerequisites
An additional intermediary HTTP agent such as an application firewall or a web caching proxy between the adversary and the second agent such as a web server, that sends multiple HTTP messages over same network connection.Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.
HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.
Skills Required
Detailed knowledge on HTTP protocol: request and response messages structure and usage of specific headers.Detailed knowledge on how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers.
Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.
Resources Required
Tools capable of crafting malicious HTTP messages and monitoring HTTP message responses.Mitigations
Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.Configuration: front-end HTTP agents notice ambiguous requests.
Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.
Configuration: Disable reuse of back-end connections.
Configuration: Use HTTP/2 for back-end connections.
Configuration: Use the same web server software for front-end and back-end server.
Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.
Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.
Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers.
Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as:
- Headers with no space before the value “chunked”
- Headers with extra spaces
- Headers beginning with trailing characters
- Headers providing a value “chunk” instead of “chunked” (the server normalizes this as chunked encoding)
- Headers with multiple spaces before the value “chunked”
- Headers with quoted values (whether single or double quotations)
- Headers with CRLF characters before the value “chunked”
- Values with invalid characters
Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)
Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.
Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.
Related Weaknesses
| Weakness Name | |
|---|---|
CWE-444 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
References
REF-38
HTTP 1.1 Specification (RFC 2616)http://www.ietf.org/rfc/rfc2616.txt
REF-117
HTTP Response Smugglinghttp://www.securiteam.com/securityreviews/5CP0L0AHPC.html
REF-617
OWASP Web Security Testing Guidehttps://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html
REF-672
HTTP Request SmugglingRobert Auger.
http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling
REF-673
HTTP Request Smuggling: Complete Guide to Attack Types and PreventionDzevad Alibegovic.
https://www.neuralegion.com/blog/http-request-smuggling-hrs/
REF-674
A Pentester’s Guide to HTTP Request SmugglingBusra Demir.
https://cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling
REF-678
HTTP Desync Attacks in the Wild and How to Defend Against ThemEdi Kogan, Daniel Kerman.
https://www.imperva.com/blog/http-desync-attacks-and-defence-methods/
REF-681
HTTP Desync Attacks: Request Smuggling RebornJames Kettle.
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
REF-682
HTTP request smugglinghttps://portswigger.net/web-security/request-smuggling
REF-683
Finding HTTP request smuggling vulnerabilitieshttps://portswigger.net/web-security/request-smuggling/finding
REF-684
Exploiting HTTP request smuggling vulnerabilitieshttps://portswigger.net/web-security/request-smuggling/exploiting
Submission
| Name | Organization | Date | Date release |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns, Resources_Required | |
| CAPEC Content Team | The MITRE Corporation | Updated References | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
| CAPEC Content Team | The MITRE Corporation | Updated References, Taxonomy_Mappings | |
| CAPEC Content Team | The MITRE Corporation | Updated @Status, Alternate_Terms, Consequences, Description, Example_Instances, Execution_Flow, Extended_Description, Indicators, Mitigations, Notes, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required | |
| CAPEC Content Team | The MITRE Corporation | Updated Alternate_Terms, Description, Extended_Description |
