Exploiting HTTP Request Smuggling

With a real-world example:


Http-Request Smuggling:

A specially crafted sequence of HTTP requests in which the entities involved (for example a load balancer and a web server) see different requests. An attacker can smuggle a request to one device without the other device knowing about it, and so manipulate the request/response sequencing.

Example: an infrastructure has a load balancer in front of a web server, and the load balancer forwards multiple requests to the web server. Each request has a different content length. If the attacker is somehow able to get an unauthorized request processed between the load balancer and the web server, that is request smuggling.

In HTTP request smuggling, two HTTP headers play a very important role.

· Content-Length: It indicates the size of the request body in bytes. Simply put, whatever data is sent in the body of a POST request is covered by Content-Length.

· Transfer-Encoding: Transfer-Encoding is used to bypass WAF rules; we use “Transfer-Encoding” in its chunked form, which means the body of the payload is transferred in chunks. This makes bypassing the WAF or manipulating the server easier. Chunked data is transferred as buffers of varying length, each prefixed with its size in hex and terminated by a zero-length chunk, so the connection stays open until the whole payload has been shifted.

So request smuggling is possible whenever the attacker is able to manipulate where the front end and the back end think an HTTP request ends. It also enables many other attacks, such as:

· Web cache poisoning: By changing entries in the cache, so that the existing cache entry for page A now serves page B.

· Session hijacking: It happens where the client goes through a proxy server and shares credentials with the web server.

· Bypassing web application firewall protection: the WAF has no rule for the smuggled request.

Some techniques help the attacker perform the above attacks.

· Duplicate Content-Length headers: By sending the Content-Length header twice in a request, we can bypass content-length restrictions between the front-end and back-end server. The first Content-Length header is ignored and the second one is processed, which helps to smuggle the request.

· Content-Length vs. Transfer-Encoding: The front-end and back-end servers have different priorities regarding the Content-Length and Transfer-Encoding headers; different devices prefer different headers. So if the front end gives Content-Length priority while the back end honours Transfer-Encoding, the back-end server stops processing the request at the terminating chunk “0”. As a result, the rest of the body (in the example, a request for a page that returns 404 Not Found) is treated as a separate request.

Working:


· The attacker crafts a request whose content length is 0 and whose Transfer-Encoding is set to chunked, and in the body, after a line break, he puts a request to another endpoint.

· When the front-end server sees the request and sees content length 0, it understands that multiple requests are arriving inside a single request. The middleware then assumes that, since data is coming in chunks and the content length of the first request is 0, the body is data belonging to another request.

· The back-end server processes the smuggled request, i.e. the endpoint appended in the body of the request.

Exploitation:

Here we have to smuggle a request so that the next request served by the back-end server uses the GPOST method, while our front-end server accepts only the GET and POST methods.

The intercepted request looks like this.


As I mentioned earlier, the front-end server only accepts the GET and POST methods. When I modified GET into HEAD and forwarded the request, it gave me an error.


So I will change the intercepted GET request into a POST, as I have to send some content in the body of the request to smuggle the request. To the above GET request, I have added one header, i.e. “Transfer-Encoding”.


Now we add a body to this updated request. So, I am going to add “0” and “G”.

· “0”: It is the terminating chunk; it shows that the content length of the first request is zero. Due to this, we can send our second request in chunks.

· “G”: As we need the GPOST method in the response.

1st request: After the first request we get 200 OK from the server; as it processes the first chunk, of length 0, it treats the request as finished.


2nd request: But the full content length of the request is 10, so we forward the same request twice. The remaining content is left unprocessed and the back-end server treats it as the start of a new request. So the request is processed and the back-end server appears to use the “GPOST” method.
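The two framings from the Working and Exploitation sections, as an added example that is not code from the original post: the same constructed byte stream is split once the way a Content-Length-first parser (the front end) sees it and once the way a chunked-first parser (the back end) sees it. The host name, the “0”/“G” body and the second POST are constructed sample input; the function names are my own.

```python
def split_head(stream, pos):
    """Parse one request head at pos -> (request_line, {name: [values]}, body_pos)."""
    end = stream.index(b"\r\n\r\n", pos)
    lines = stream[pos:end].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, end + 4

def read_chunked(stream, pos):
    """Consume hex-sized chunks up to the zero-length chunk -> (body, next pos)."""
    body = b""
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end], 16)
        pos = line_end + 2
        if size == 0:
            return body, pos + 2   # skip the blank line that ends the chunked body
        body += stream[pos:pos + size]
        pos += size + 2            # chunk data plus its trailing CRLF

def frame_requests(stream, prefer):
    """Split a pipelined stream into (request_line, body) pairs.
    prefer="CL" frames by Content-Length (last value wins); "TE" honours chunked."""
    out, pos = [], 0
    while pos < len(stream):
        line, headers, pos = split_head(stream, pos)
        te = b",".join(headers.get(b"transfer-encoding", [])).lower()
        if prefer == "TE" and b"chunked" in te:
            body, pos = read_chunked(stream, pos)
        else:
            length = int(headers.get(b"content-length", [b"0"])[-1])
            body, pos = stream[pos:pos + length], pos + length
        out.append((line, body))
    return out

def framings_disagree(stream):
    """Check a front end could run: does CL framing differ from TE framing?"""
    return frame_requests(stream, "CL") != frame_requests(stream, "TE")

# Constructed sample: the article's "0" chunk plus "G", followed by a normal POST.
SMUGGLED = b"0\r\n\r\nG"
CRAFTED = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: %d\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n" % len(SMUGGLED) + SMUGGLED)
NEXT = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
STREAM = CRAFTED + NEXT

if __name__ == "__main__":
    print([l for l, _ in frame_requests(STREAM, "TE")], framings_disagree(STREAM))
```

The CL framing yields two POST requests, while the TE framing ends the first request at the “0” chunk and reads the leftover “G” as the start of a “GPOST” request line; `framings_disagree` is the ambiguity a front end can detect before forwarding.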


Remediation:

This is a little tricky and depends on the business needs of customers.

· Whenever a request has both Content-Length and Transfer-Encoding in its headers, try to block that request.

· If blocking requests with both headers is not possible, give Transfer-Encoding priority over Content-Length.

· Parsing and sanitisation of Transfer-Encoding should be handled more accurately.

· Implement a WAF in the infrastructure so that the rate of such requests can be reduced; it cannot remove them entirely, but it reduces the count.

· Understand the behaviour of the infrastructure devices so that smuggled requests can be avoided.
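The first three remediation points as an added front-end admission check (example code, not from the original post or any product): a request head is rejected when it carries both headers, duplicate Content-Length headers, a non-numeric Content-Length or a Transfer-Encoding that is not exactly “chunked”; with strict=False the Content-Length is dropped instead, so Transfer-Encoding gets priority. The host name, sample heads and the function names are assumptions.

```python
import re

def parse_head(head):
    """One request head (bytes, blank line optional) -> (request_line, [(name, value)])."""
    lines = head.rstrip(b"\r\n").split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def admit(head, strict=True):
    """Decide whether a front end may forward this request head.
    Returns ("reject", reason) or ("forward", normalised_head).
    strict=True blocks any request carrying both framing headers; strict=False keeps
    only Transfer-Encoding so the back end cannot frame the body differently."""
    request_line, headers = parse_head(head)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if len(cl) > 1:
        return "reject", "duplicate Content-Length headers"
    if any(not re.fullmatch(rb"\d+", v) for v in cl):
        return "reject", "non-numeric Content-Length"
    if te and te != [b"chunked"]:
        return "reject", "Transfer-Encoding must be a single plain 'chunked'"
    if cl and te:
        if strict:
            return "reject", "both Content-Length and Transfer-Encoding present"
        headers = [(n, v) for n, v in headers if n != b"content-length"]
    # Re-emit with normalised lower-case names (header names are case-insensitive).
    out = request_line + b"\r\n" + b"".join(n + b": " + v + b"\r\n" for n, v in headers) + b"\r\n"
    return "forward", out

# Constructed sample heads for illustration (no real host).
CRAFTED = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n")
PLAIN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n\r\n"
```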

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
