Name |
HTTP Response Smuggling |
|
Likelyhood of attack |
Typical severity |
Medium |
High |
|
Summary |
An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).
See CanPrecede relationships for possible consequences.
Modification/manipulation of HTTP message headers, request-line and body parameters to disrupt and interfere in the interpretation and parsing of HTTP message lengths/boundaries for consecutive HTTP messages by HTTP agents in a HTTP chain or network path. |
Prerequisites |
A vulnerable or compromised server or domain/site capable of allowing adversary to insert/inject malicious content that will appear in the server's response to target HTTP agents (e.g., proxies and users' web browsers). Differences in the way the two HTTP agents parse and interpret HTTP responses and its headers. HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Exploit |
[Perform HTTP Response Smuggling attack] Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences. |
- Leverage techniques identified in the Experiment Phase.
|
2 |
Experiment |
[Cause differential HTTP responses by experimenting with identified HTTP Response vulnerabilities] The adversary sends maliciously crafted HTTP request to back-end HTTP infrastructure to inject adversary data into HTTP responses (intended for intermediary and/or front-end client/victim HTTP agents communicating with back-end HTTP infrastructure) for the purpose of interfering with the parsing of HTTP response. The intended consequences of the malicious HTTP request and the subsequent adversary injection and manipulation of HTTP responses will be observed to confirm applicability of identified vulnerabilities in the adversary's plan of attack. |
- Continue the monitoring of HTTP traffic.
-
Inject additional HTTP headers to utilize various combinations of HTTP Headers within a single HTTP message such as: Content-Length & Transfer-Encoding (CL;TE), Transfer-Encoding & Content-Length (TE;CL), or double Transfer-Encoding (TE;TE), so that additional embedded message or data in the body of the original message are unprocessed and treated as part of subsequent messages by the intended target HTTP agent.
From these HTTP Header combinations the adversary observes any timing delays (usually in the form of HTTP 404 Error response) or any other unintended consequences.
For CL;TE and TE;CL HTTP headers combination, the first HTTP agent, in the HTTP message path that receives the HTTP message, takes precedence or only processes the one header but not the other, while the second/final HTTP agent processes the opposite header allowing for embedded HTTP message to be ignored and smuggled to the intended target HTTP agent.
For TE;TE HTTP headers combination, all HTTP agents in HTTP message path process Transfer-Encoding header, however, adversary obfuscation of one of the Transfer-Encoding headers, by not adhering strictly to the protocol specification, can cause it to be unprocessed/ignored by a designated HTTP agent, hence allowing embedded HTTP messages to be smuggled. See Mitigations for details.
-
Construct a very large HTTP message via multiple Content-Length headers of various data lengths that can potentially cause subsequent messages to be ignored by an intermediary HTTP agent (e.g., firewall) and/or eventually parsed separately by the target HTTP agent.
Note that most modern HTTP infrastructure reject HTTP messages with multiple Content-Length headers.
- Monitor HTTP traffic using a tool such as a Network Protocol Analyzer.
|
|
Solutions | Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies. Configuration: front-end HTTP agents notice ambiguous requests. Configuration: back-end HTTP agents reject ambiguous requests and close the network connection. Configuration: Disable reuse of back-end connections. Configuration: Use HTTP/2 for back-end connections. Configuration: Use the same web server software for front-end and back-end server. Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses. Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both. Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers. Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as:
Headers with no space before the value “chunked”
Headers with extra spaces
Headers beginning with trailing characters
Headers providing a value “chunk” instead of “chunked” (the server normalizes this as chunked encoding)
Headers with multiple spaces before the value “chunked”
Headers with quoted values (whether single or double quotations)
Headers with CRLF characters before the value “chunked”
Values with invalid characters Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers) Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process. Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input. |
Related Weaknesses |
CWE ID
|
Description
|
CWE-74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
CWE-436 |
Interpretation Conflict |
CWE-444 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-33 |
An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).
See CanPrecede relationships for possible consequences.
Modification/manipulation of HTTP message headers, request-line and body parameters to disrupt and interfere in the interpretation and parsing of HTTP message lengths/boundaries for consecutive HTTP messages by HTTP agents in a HTTP chain or network path. |
CAPEC-63 |
An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect. |
CAPEC-115 |
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. |
CAPEC-141 |
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value. |
CAPEC-148 |
An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes. |
CAPEC-154 |
An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals. |
CAPEC-220 |
An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions. |
CAPEC-593 |
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application. |
|
Taxonomy: WASC |
Entry ID
|
Entry Name
|
27 |
HTTP Response Smuggling |
|