HTTP Request Smuggling (HRS)
Watchfire has released a white paper on HTTP Request Smuggling, a new type of attack that targets multi-layer HTTP stacks (proxies, caches, firewalls).
What is HTTP Request Smuggling?
HTTP Request Smuggling (HRS) is a new hacking technique that targets HTTP devices. Indeed, whenever HTTP requests originating from a client pass through more than one entity that parses them, there is a good chance that these entities are vulnerable to HRS. For the purposes of this paper, we demonstrate HRS in three common settings: (i) a web cache (proxy) server deployed between the client and the web server (W/S); (ii) a firewall (F/W) protecting the W/S; and (iii) a web proxy server (not necessarily caching) deployed between the client and the W/S. HRS sends multiple, specially crafted HTTP requests that cause the two attacked devices to see different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it.
To be effective HRS does not require the existence of an application vulnerability, such as a vulnerable asp page on the W/S. Instead, it is capable of exploiting small discrepancies in the way HTTP devices deal with illegitimate or borderline requests. As a result, HRS can be used successfully in significantly more sites than many other attacks.
What sort of damage can an HRS attack do?
An attacker can launch a smuggling attack in order to poison the cache server. Typically, the attacker can change the entries in the cache, so that an existing (and cacheable) page A would be cached under URL B. In other words, a client requesting page B would be served with the contents of page A.
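The discrepancy the paper describes can be made concrete with two toy parsers that disagree on which of two conflicting Content-Length headers to honor. This is an added example, not code from the Watchfire paper: the byte stream, the `/page-a` and `/page-b` paths, and the "first wins" versus "last wins" behaviours are constructed stand-ins for two real devices, and `is_ambiguous()` is the edge check a defender would apply to reject such framing before it reaches a second parser.

```python
def parse_requests(stream, honor):
    """Split a raw HTTP byte stream into (request-line, body) pairs.
    honor is 'first' or 'last': which Content-Length wins when the header
    is repeated (constructed behaviours, one per hypothetical device)."""
    out, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete header block; stop rather than guess
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        cls = [int(l.split(":", 1)[1]) for l in lines[1:]
               if l.lower().startswith("content-length:")]
        length = 0 if not cls else (cls[0] if honor == "first" else cls[-1])
        body_start = end + 4
        body = stream[body_start:body_start + length].decode("latin-1")
        out.append((lines[0], body))
        pos = body_start + length
    return out


def is_ambiguous(header_block):
    """Defensive check: True if the header block carries more than one
    distinct Content-Length value, i.e. its framing is not well defined."""
    lines = header_block.decode("latin-1").split("\r\n")
    values = {l.split(":", 1)[1].strip() for l in lines
              if l.lower().startswith("content-length:")}
    return len(values) > 1


def devices_disagree(stream):
    """True when the two parsers see a different number of requests."""
    return len(parse_requests(stream, "first")) != len(parse_requests(stream, "last"))


# Constructed stream: one POST with two Content-Length values. The trailing
# 44 bytes are either its body (last header honored) or a second, separate
# GET for page-b (first header honored).
STREAM = (
    b"POST /page-a HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 0\r\nContent-Length: 44\r\n\r\n"
    b"GET /page-b HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    for mode in ("first", "last"):
        print(mode, [r[0] for r in parse_requests(STREAM, mode)])
    print("ambiguous:", is_ambiguous(STREAM.split(b"\r\n\r\n")[0]))
```

A front-end that rejects any request for which `is_ambiguous()` is true (or normalizes it to a single, unambiguous length before forwarding) denies the two back-end parsers the chance to disagree.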
Via: Ivan Ristic