With a real-world example:
HTTP request smuggling means crafting HTTP requests so that the entities involved see different requests. The attacker smuggles a request past one device without the other device being aware of it, and manipulates the request/response sequencing.
Example: in an infrastructure with a load balancer in front of a web server, the load balancer forwards multiple requests to the web server, each with a different content length. The risk is that an attacker is somehow able to get an unauthorized request executed on the path between the load balancer and the web server.
Two HTTP headers play a very important role in HTTP request smuggling:
· Content-Length: indicates the size of the request body. Simply put, whatever data is sent in a POST request is covered by Content-Length.
· Transfer-Encoding: Transfer-Encoding is used to bypass WAF rules. We use “Transfer-Encoding” in chunked form, which means the payload body is transferred in chunks. This makes the task of bypassing the WAF or manipulating the server easier. Chunked data is transferred in buffers of different lengths, so the connection stays open until the whole payload has been sent.
So whenever an attacker is able to manipulate the request limits seen by the front end and the back end, HTTP request smuggling also enables many other attacks, such as:
· Web cache poisoning: by changing entries in the cache, so that the existing cache entry for page A points to page B.
· Session hijacking: this happens where the client uses a proxy server and shares credentials with the web server.
· Bypassing web application firewall protection: the WAF has no rule for smuggled requests.
Several techniques help the attacker perform the above attacks:
· Duplicate Content-Length header: by sending the Content-Length header twice in a request, we can bypass the content-length restrictions between the front-end and back-end server. The first Content-Length header is ignored and the second Content-Length header is processed, which helps smuggle the request.
· Content-Length vs. Transfer-Encoding: the front-end and back-end servers give different priorities to the Content-Length and Transfer-Encoding headers; different devices have different priorities. If Content-Length has priority over Transfer-Encoding, the back-end server processes the request up to the terminating character 0. As a result, a request such as a 404 “page not found” request is treated as a separate request.
· The attacker crafts a request whose Content-Length is 0 and whose Transfer-Encoding is set to chunked, and in the body, after a line break, places a request to another endpoint.
· When the front-end server sees the request and sees Content-Length 0, it understands that multiple requests are arriving alongside a single request. The middleware now reasons that, since data is arriving in chunks and the content length of the first request is 0, the body is data belonging to another request.
· The back-end server processes the smuggled request and the endpoint appended in it.
In this case, we have to smuggle a request so that the next request served by the back-end server uses the GPOST method, while our front-end server only accepts the GET and POST methods.
Intercepted request look like this.
As I mentioned earlier, the front-end server only accepts the GET and POST methods. When I modified GET into HEAD and forwarded the request, it gave me an error.
So I will change the intercepted GET request into a POST, as I have to send some content in the body of the request to smuggle it. In the above GET request, I have added one header, i.e. “Transfer-Encoding”.
Now we add a body to this updated request. So, I am going to add “0” and “G”.
· “0”: shows that the content length of the first request is zero. Because of this, we can send our second request in chunks.
· “G”: as we need the GPOST method in the response.
1st request: after the first request, we get 200 OK from the server; as it processes the first chunk of length 0, it treats it as a finished request.
2nd request: but the full content length in the request is 10, and we forward the same request twice. So the remaining content length is unprocessed and the back-end server treats it as a new request. The request is processed and the back-end server appears to use the “GPOST” method.
Mitigation is a little tricky and depends on the business needs of customers.
· Whenever a request has both Content-Length and Transfer-Encoding in its headers, try to block that request.
· If blocking on both headers is not possible, give Transfer-Encoding more priority than Content-Length.
· Parsing and sanitisation of Transfer-Encoding should be handled more accurately.
· Implement a WAF in the infrastructure so the rate can be reduced; it cannot remove the attacks entirely, but it can reduce their count.
· Understand the behaviour of the infrastructure's devices so that smuggled requests can be avoided.
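As an added example (not part of the original post), the Python below shows why the first recommendations matter: it frames the same bytes the way a Content-Length-first parser and a chunked-first parser would, so the leftover “G” from the post's request shape becomes visible, and it gates requests whose framing is ambiguous at the edge. The sample request and host name are constructed.

```python
from typing import List, Tuple

def split_request(raw: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Return lower-cased (name, value) header pairs and the raw body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode(), value.strip().decode()))
    return headers, body

def frame_by_content_length(raw: bytes) -> Tuple[bytes, bytes]:
    """A Content-Length-first parser: (body, bytes it leaves on the connection)."""
    headers, body = split_request(raw)
    cl = next((int(v) for n, v in headers if n == "content-length"), 0)
    return body[:cl], body[cl:]

def frame_by_chunked(raw: bytes) -> Tuple[bytes, bytes]:
    """A Transfer-Encoding-first parser: stops at the 0-size chunk; leftover
    bytes stay on the connection and become the start of the *next* request."""
    _, body = split_request(raw)
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end], 16)
        pos = end + 2
        if size == 0:
            return out, body[pos + 2:]      # skip the blank line after "0"
        out += body[pos:pos + size]
        pos += size + 2

def framing_problems(raw: bytes) -> List[str]:
    """Reasons to reject a request at the edge before two parsers can disagree."""
    headers, _ = split_request(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    problems = []
    if cl and te:
        problems.append("Content-Length and Transfer-Encoding both present")
    if len(set(cl)) > 1:
        problems.append("conflicting duplicate Content-Length headers")
    if any(not v.isdigit() for v in cl):
        problems.append("non-numeric Content-Length")
    if any(v != "chunked" for v in te):   # reject variants instead of normalising them
        problems.append("Transfer-Encoding is not exactly 'chunked'")
    return problems

# Constructed sample in the shape the post describes: a "0" chunk, then a bare "G".
SAMPLE = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 6\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
```

`frame_by_content_length(SAMPLE)` consumes all six body bytes, while `frame_by_chunked(SAMPLE)` stops at the `0` chunk and leaves `b"G"` waiting to be glued onto whatever request arrives next; `framing_problems(SAMPLE)` rejects the request before that disagreement can occur.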