Pete Freitag

HTTP Request Smuggling (HRS)


Watchfire has released a white paper on HTTP Request Smuggling, a new type of attack that targets multi-layer HTTP stacks (proxies, caches, firewalls). The following is quoted from the paper.

What is HTTP Request Smuggling?

HTTP Request Smuggling (HRS) is a new hacking technique that targets HTTP devices. Indeed, whenever HTTP requests originating from a client pass through more than one entity that parses them, there is a good chance that these entities are vulnerable to HRS. For the purposes of this paper, we demonstrate HRS in three common settings: (i) a web cache (proxy) server deployed between the client and the web server (W/S); (ii) a firewall (F/W) protecting the W/S; and (iii) a web proxy server (not necessarily caching) deployed between the client and the W/S. HRS sends multiple, specially crafted HTTP requests that cause the two attacked devices to see different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it.

To be effective, HRS does not require the existence of an application vulnerability, such as a vulnerable asp page on the W/S. Instead, it is capable of exploiting small discrepancies in the way HTTP devices deal with illegitimate or borderline requests. As a result, HRS can be used successfully in significantly more sites than many other attacks.
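The "small discrepancies" the paper refers to are disagreements between two parsers about where one request ends and the next begins. The defence a practitioner wants at each hop is a parser that refuses to guess: any request whose body length could be read two ways is rejected outright. The following is an added example, not code from the post or from Watchfire; the specific rules it enforces (exactly one framing header, plain numeric Content-Length, strictly formed chunked encoding, no line folding or malformed field names) are taken from the HTTP/1.1 framing rules in RFC 7230 section 3.3.3, which the post itself does not spell out, and all sample traffic in it is constructed.

```python
"""Strict HTTP/1.1 request framing: added example, not code from the post.

Every parser in an HTTP chain (proxy, cache, firewall, origin) must agree on
where one request ends and the next begins. Instead of guessing, this parser
rejects any request that two implementations might frame differently. The
rules follow RFC 7230 section 3.3.3 (an assumption; the post names no rules).
"""
import re
from collections import namedtuple

Request = namedtuple("Request", "method target headers body")


class AmbiguousFraming(ValueError):
    """The request could be framed in more than one way; reject it."""


def _dechunk(rest: bytes):
    """Strict chunked decoding: plain hex sizes, no extensions, no trailers."""
    body = b""
    while True:
        eol = rest.find(b"\r\n")
        if eol < 0:
            raise ValueError("incomplete chunk-size line")
        size_line, rest = rest[:eol], rest[eol + 2:]
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_line):
            raise AmbiguousFraming("chunk-size line is not plain hex")
        size = int(size_line, 16)
        if size == 0:
            if not rest.startswith(b"\r\n"):
                raise AmbiguousFraming("trailer section not accepted")
            return body, rest[2:]
        if len(rest) < size + 2:
            raise ValueError("incomplete chunk")
        if rest[size:size + 2] != b"\r\n":
            raise AmbiguousFraming("chunk data not followed by CRLF")
        body, rest = body + rest[:size], rest[size + 2:]


def parse_one(buf: bytes):
    """Parse exactly one request from buf; return (Request, leftover bytes)."""
    head_end = buf.find(b"\r\n\r\n")
    if head_end < 0:
        raise ValueError("incomplete header block")
    lines, rest = buf[:head_end].split(b"\r\n"), buf[head_end + 4:]
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] != b"HTTP/1.1":
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):               # obsolete line folding
            raise AmbiguousFraming("obs-fold continuation line")
        name, sep, value = line.partition(b":")
        # Field names must be a bare token: "Content-Length : 5" is rejected.
        if not sep or not re.fullmatch(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+", name):
            raise AmbiguousFraming("malformed header field name")
        headers.append((name.decode().lower(), value.strip().decode()))
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        raise AmbiguousFraming("both Content-Length and Transfer-Encoding")
    if len(cl) > 1 or len(te) > 1:
        raise AmbiguousFraming("repeated framing header")
    if te:
        if te[0].lower() != "chunked":
            raise AmbiguousFraming("Transfer-Encoding other than chunked")
        body, rest = _dechunk(rest)
    elif cl:
        if not re.fullmatch(r"[0-9]+", cl[0]):
            raise AmbiguousFraming("non-numeric Content-Length")
        body, rest = rest[:int(cl[0])], rest[int(cl[0]):]
        if len(body) < int(cl[0]):
            raise ValueError("incomplete body")
    else:
        body = b""                                    # no body (e.g. GET)
    return Request(parts[0].decode(), parts[1].decode(), headers, body), rest


def parse_stream(buf: bytes):
    """Split a pipelined byte stream into the requests every strict parser
    would see; the first ambiguous request aborts the whole stream."""
    requests = []
    while buf:
        req, buf = parse_one(buf)
        requests.append(req)
    return requests


# Constructed sample traffic for the demo; not captured from any real system.
CLEAN = (b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
         b"helloGET /b HTTP/1.1\r\nHost: example.test\r\n\r\n")
CHUNKED = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
DOUBLE_CL = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello")

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("chunked", CHUNKED), ("double-cl", DOUBLE_CL)]:
        try:
            print(label, [r.body for r in parse_stream(sample)])
        except AmbiguousFraming as exc:
            print(label, "rejected:", exc)
```

The design choice is that a strict parser fails closed: `parse_stream(CLEAN)` yields two requests with bodies `b"hello"` and `b""`, the chunked sample yields one, and the sample with two disagreeing Content-Length values raises `AmbiguousFraming` rather than picking one of the two readings. A front-end that applies the same rule as the origin leaves no gap for a second, hidden request to slip through, which is exactly the discrepancy the paper describes.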

What sort of damage can an HRS attack do?

An attacker can launch a smuggling attack in order to poison the cache server. Typically, the attacker can change the entries in the cache, so that an existing (and cacheable) page A would be cached under URL B. In other words, a client requesting page B would be served with the contents of page A.

Via: Ivan Ristic


HTTP Request Smuggling (HRS) was first published on June 10, 2005.
