English
Français
Light
Dark
System

Alert System

Stay informed at all times
Create an account Open a free account Login Manage your alerts

CWE-444 Detail

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Incomplete
2006-07-19 00:00 +00:00
2023-06-29 00:00 +00:00
CWE Mitre.org

Alerte pour un CWE

Stay informed of any changes for a specific CWE.
Alert management

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Extended Description

HTTP requests or responses ("messages") can be malformed or unexpected in ways that cause web servers or clients to interpret the messages in different ways than intermediary HTTP agents such as load balancers, reverse proxies, web caching proxies, application firewalls, etc. For example, an adversary may be able to add duplicate or different header fields that a client or server might interpret as one set of messages, whereas the intermediary might interpret the same sequence of bytes as a different set of messages. For example, discrepancies can arise in how to handle duplicate headers like two Transfer-encoding (TE) or two Content-length (CL), or the malicious HTTP message will have different headers for TE and CL.

The inconsistent parsing and interpretation of messages can allow the adversary to "smuggle" a message to the client/server without the intermediary being aware of it.

This weakness is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.

Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Web Based (Undetermined)

Common Consequences

Scope Impact Likelihood
Integrity
Non-Repudiation
Access Control		Unexpected State, Hide Activities, Bypass Protection Mechanism

Note: An attacker could create HTTP messages to exploit a number of weaknesses including 1) the message can trick the web server to associate a URL with another URL's webpage and caching the contents of the webpage (web cache poisoning attack), 2) the message can be structured to bypass the firewall protection mechanisms and gain unauthorized access to a web application, and 3) the message can invoke a script or a page that returns client credentials (similar to a Cross Site Scripting attack).

Observed Examples

Reference Description
CVE-2022-24766SSL/TLS-capable proxy allows HTTP smuggling when used in tandem with HTTP/1.0 services, due to inconsistent interpretation and input sanitization of HTTP messages within the body of another message
CVE-2021-37147Chain: caching proxy server has improper input validation (CWE-20) of headers, allowing HTTP response smuggling (CWE-444) using an "LF line ending"
CVE-2020-8287Node.js platform allows request smuggling via two Transfer-Encoding headers
CVE-2006-6276Web servers allow request smuggling via inconsistent HTTP headers.
CVE-2005-2088HTTP server allows request smuggling with both a "Transfer-Encoding: chunked" header and a Content-Length header
CVE-2005-2089HTTP server allows request smuggling with both a "Transfer-Encoding: chunked" header and a Content-Length header

Potential Mitigations

Phases : Implementation
Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Phases : Implementation
Use only SSL communication.
Phases : Implementation
Terminate the client session after each request.
Phases : System Configuration
Turn all pages to non-cacheable.

Vulnerability Mapping Notes

Rationale : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-273 HTTP Response Smuggling

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).

See CanPrecede relationships for possible consequences.
CAPEC-33 HTTP Request Smuggling

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.

Notes

Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers).

References

REF-433

HTTP Request Smuggling
Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin.
https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

REF-1273

HTTP Response Smuggling
Robert Auger.
http://projects.webappsec.org/w/page/13246930/HTTP%20Response%20Smuggling

REF-1274

HTTP Request Smuggling: Complete Guide to Attack Types and Prevention
Dzevad Alibegovic.
https://brightsec.com/blog/http-request-smuggling-hrs/

REF-1275

A Pentester's Guide to HTTP Request Smuggling
Busra Demir.
https://www.cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling

REF-1276

HTTP Desync Attacks in the Wild and How to Defend Against Them
Edi Kogan, Daniel Kerman.
https://www.imperva.com/blog/http-desync-attacks-and-defence-methods/

REF-1277

HTTP Desync Attacks: Request Smuggling Reborn
James Kettle.
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

REF-1278

HTTP request smuggling
PortSwigger.
https://portswigger.net/web-security/request-smuggling

Submission

Name Organization Date Date Release Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Name, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2009-05-27 +00:00 updated Name, Related_Attack_Patterns
CWE Content Team MITRE 2010-02-16 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2014-06-23 +00:00 updated Other_Notes, Potential_Mitigations, Theoretical_Notes
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2015-12-07 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2020-02-24 +00:00 updated Applicable_Platforms, Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-04-28 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2022-06-28 +00:00 Extended the abstraction of this entry to include both HTTP request and response smuggling.
CWE Content Team MITRE 2022-06-28 +00:00 updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, References, Taxonomy_Mappings
CWE Content Team MITRE 2022-10-13 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships, Time_of_Introduction
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes

More information
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.