CWE-444 Detail

CWE-444

Name

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Status

Incomplete

Published

2006-07-19
00h00 +00:00

Modified

2023-06-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

CWE Description

HTTP requests or responses ("messages") can be malformed or unexpected in ways that cause web servers or clients to interpret the messages in different ways than intermediary HTTP agents such as load balancers, reverse proxies, web caching proxies, application firewalls, etc. For example, an adversary may be able to add duplicate or different header fields that a client or server might interpret as one set of messages, whereas the intermediary might interpret the same sequence of bytes as a different set of messages. For example, discrepancies can arise in how to handle duplicate headers like two Transfer-encoding (TE) or two Content-length (CL), or the malicious HTTP message will have different headers for TE and CL.

The inconsistent parsing and interpretation of messages can allow the adversary to "smuggle" a message to the client/server without the intermediary being aware of it.

This weakness is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.

General Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Web Based (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Integrity Non-Repudiation Access Control	Unexpected State, Hide Activities, Bypass Protection Mechanism Note: An attacker could create HTTP messages to exploit a number of weaknesses including 1) the message can trick the web server to associate a URL with another URL's webpage and caching the contents of the webpage (web cache poisoning attack), 2) the message can be structured to bypass the firewall protection mechanisms and gain unauthorized access to a web application, and 3) the message can invoke a script or a page that returns client credentials (similar to a Cross Site Scripting attack).

Observed Examples

References	Description
CVE-2022-24766	SSL/TLS-capable proxy allows HTTP smuggling when used in tandem with HTTP/1.0 services, due to inconsistent interpretation and input sanitization of HTTP messages within the body of another message
CVE-2021-37147	Chain: caching proxy server has improper input validation (CWE-20) of headers, allowing HTTP response smuggling (CWE-444) using an "LF line ending"
CVE-2020-8287	Node.js platform allows request smuggling via two Transfer-Encoding headers
CVE-2006-6276	Web servers allow request smuggling via inconsistent HTTP headers.
CVE-2005-2088	HTTP server allows request smuggling with both a "Transfer-Encoding: chunked" header and a Content-Length header
CVE-2005-2089	HTTP server allows request smuggling with both a "Transfer-Encoding: chunked" header and a Content-Length header

Potential Mitigations

Phases : Implementation
Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Phases : Implementation
Use only SSL communication.
Phases : Implementation
Terminate the client session after each request.
Phases : System Configuration
Turn all pages to non-cacheable.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-273	HTTP Response Smuggling An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server). See CanPrecede relationships for possible consequences.
CAPEC-33	HTTP Request Smuggling An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server). See CanPrecede relationships for possible consequences.

NotesNotes

Request smuggling can be performed due to a multiple interpretation error, where the target is an intermediary or monitor, via a consistency manipulation (Transfer-Encoding and Content-Length headers).

References

REF-433

HTTP Request Smuggling
Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin.
https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

REF-1273

HTTP Response Smuggling
Robert Auger.
http://projects.webappsec.org/w/page/13246930/HTTP%20Response%20Smuggling

REF-1274

HTTP Request Smuggling: Complete Guide to Attack Types and Prevention
Dzevad Alibegovic.
https://brightsec.com/blog/http-request-smuggling-hrs/

REF-1275

A Pentester's Guide to HTTP Request Smuggling
Busra Demir.
https://www.cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling

REF-1276

HTTP Desync Attacks in the Wild and How to Defend Against Them
Edi Kogan, Daniel Kerman.
https://www.imperva.com/blog/http-desync-attacks-and-defence-methods/

REF-1277

HTTP Desync Attacks: Request Smuggling Reborn
James Kettle.
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

REF-1278

HTTP request smuggling
PortSwigger.
https://portswigger.net/web-security/request-smuggling

Submission

Name	Organization	Date	Date release	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modifications

Name	Organization	Date	Comment
Eric Dalci	Cigital	2008-07-01 +00:00	updated Potential_Mitigations, Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Name, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team	MITRE	2009-05-27 +00:00	updated Name, Related_Attack_Patterns
CWE Content Team	MITRE	2010-02-16 +00:00	updated Taxonomy_Mappings
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2012-05-11 +00:00	updated Common_Consequences, Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team	MITRE	2014-06-23 +00:00	updated Other_Notes, Potential_Mitigations, Theoretical_Notes
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2015-12-07 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms
CWE Content Team	MITRE	2020-02-24 +00:00	updated Applicable_Platforms, Relationships
CWE Content Team	MITRE	2021-10-28 +00:00	updated Relationships
CWE Content Team	MITRE	2022-04-28 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2022-06-28 +00:00	Extended the abstraction of this entry to include both HTTP request and response smuggling.
CWE Content Team	MITRE	2022-06-28 +00:00	updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, References, Taxonomy_Mappings
CWE Content Team	MITRE	2022-10-13 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2023-04-27 +00:00	updated References, Relationships, Time_of_Introduction
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes