Open in app

Sign in

Write

Sign in

HTTP Request smuggling

Akileswar
2 min readNov 19, 2022

--

It is a technique of interfering with a website processing a sequence of HTTP requests.

DIfference between http1 and http2

Most of today’s web application frequently uses a chain of HTTP servers between the user and the application. users usually send requests to frontend servers such as load balancers or reverse proxies and the requests are processed by various backend servers

This vulnerability arises as the frontend server sends several requests over the same backend network connection. HTTP requests are sent one after the other and receiving server parses the HTTP request headers to identify where the headers begin and ends

how does HTTP request vulnerability arise??

HTTP provides 2 ways to specify the end of the request by content length and Transfer-encoding header

POST /search HTTP/1.1
Host: dummy.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

q=smuggling

This shows the example of the Content-Length header. It specifies the length of the request body.

POST /search HTTP/1.1
Host: dummy.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

b
q=smuggling
9
r=request
0

This shows the example of the Transfer-Encoding header. This sounds a bit complex but it’s really easy to understand.

The b in the response body indicates the body length of 11 (in hexadecimal notation) followed by the next request of size 9.

The request is terminated with a chunk size of 0

we use chunked encoding and the syntax for chunks is as follows.

<chunk size in hexadecimal>
<body of the request>
...
...
0 //for termination

since we have two main specifications, it is possible for a server to use both headers or any one of them and not care about the others. The HTTP specification attempts to prevent this problem by stating that if both the Content-Length and Transfer-Encoding headers are present, then the Content-Length header should be ignored.

Some servers do not support the Transfer-Encoding header in requests.
Some servers that do support the Transfer-Encoding header can be induced not to process it if the header is obfuscated in some way.

How to prevent HTTP request smuggling vulnerabilities

  • Using HTTP/2 and disabling HTTP downgrading
  • Make the front-end server normalize ambiguous requests and make the back-end server reject any that are still ambiguous, closing the TCP connection in the process
  • Never assume that requests won’t have a body. This is the fundamental cause of both CL.0 and client-side desync vulnerabilities
  • Default to discarding the connection if server-level exceptions are triggered when handling requests.
  • If you route traffic through a forward proxy, ensure that upstream HTTP/2 is enabled if possible

sources: portswigger

stay tuned for more content about how to exploit vulnerabilities of these types!!!!

Cybersecurity
Hacking
Web
Web Development
Web Security

--

--

Akileswar

Written by Akileswar

31 Followers

so called computer science student exploring the deep roots of the technology in the domain of cybersecurity

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams