Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')| ID: 444 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
When malformed or abnormal HTTP requests are interpreted by one
or more entities in the data flow between the user and the web server, such as a
proxy or firewall, they can be interpreted inconsistently, allowing the attacker
to "smuggle" a request to one device without the other device being aware of
it.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| IntegrityNon-RepudiationAccess_Control | Unexpected stateHide activitiesBypass protection
mechanism | An attacker could create a request to exploit a number of weaknesses
including 1) the request can trick the web server to associate a URL
with another URLs webpage and caching the contents of the webpage (web
cache poisoning attack), 2) the request can be structured to bypass the
firewall protection mechanisms and gain unauthorized access to a web
application, and 3) the request can invoke a script or a page that
returns client credentials (similar to a Cross Site Scripting
attack). |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | Use a web server that employs a strict HTTP parsing procedure, such as
Apache (See paper in reference). | | |
| Implementation | | Use only SSL communication. | | |
| Implementation | | Terminate the client session after each request. | | |
| System Configuration | | Turn all pages to non-cacheable. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-444 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the following example, a malformed HTTP request is sent to a
website that includes a proxy server and a web server with the intent of
poisoning the cache to associate one webpage with another malicious
webpage.
- In the following example, a malformed HTTP request is sent to a
website that includes a web server with a firewall with the intent of
bypassing the web server firewall to smuggle malicious code into the
system..
Observed Examples
- CVE-2005-2088 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2089 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2090 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2091 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2092 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2093 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2094 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | HTTP Request Smuggling | |
| WASC | 26 | HTTP Request Smuggling | |
References:
- Chaim Linhart Amit Klein Ronen Heled Steve Orrin .HTTP Request Smuggling.
