HTTP Request Smuggling Explained

Introduction to HTTP Request Smuggling

The Web Page Loading Process

Without a front-end server, loading a page is a direct exchange between the browser and a single web server:

  1. A user types in a web browser the HTTP address to a web page.
  2. The web browser sends an HTTP request to the web server asking for the requested web page.
  3. The web server replies with an HTTP response containing the requested page.
  4. Finally, the web browser displays the received content to the user.

Most sites of any size instead place a front-end server (a reverse proxy, load balancer or CDN node) in front of one or more back-end servers, and the front-end usually reuses one persistent connection to the back-end for many different users' requests. The exchange then becomes:

  1. A user types in a web browser the HTTP address to a web page.
  2. The web browser sends an HTTP request to the front-end web server asking for the requested web page.
  3. After processing the request, the front-end web server forwards it to the back-end server.
  4. The back-end server replies with an HTTP response containing the requested page, which the front-end relays to the browser.
  5. Finally, the web browser displays the received content to the user.

HTTP request smuggling exploits the fact that the front-end and the back-end can disagree about where one request on that shared connection ends and the next one begins.

Determining the end of HTTP requests

HTTP/1.1 gives a server two ways to tell where a request body ends. The first is the Content-Length header, which states the body size in bytes. "Malicious request" is 17 bytes, so:

POST / HTTP/1.1
Host: target-website.com
Content-Length: 17

Malicious request

The second is Transfer-Encoding: chunked. The body is sent as a series of chunks, each preceded by its size in hexadecimal on its own line, and ends with a chunk of size 0. The same 17-byte body is 11 in hexadecimal:

POST / HTTP/1.1
Host: target-website.com
Transfer-Encoding: chunked

11
Malicious request
0

A request that carries both headers is ambiguous. RFC 7230 says Transfer-Encoding takes precedence and that a server may reject such a message, but not every implementation follows that rule. When the front-end and the back-end pick different headers they disagree about where the request ends, and that disagreement is the basis of every attack below.

Types of HTTP Request Smuggling Attacks

CL.TE

The front-end uses Content-Length, the back-end uses Transfer-Encoding. The attacker sends both headers, with a Content-Length that covers the whole body (here 22 bytes: "0", a blank line, and the 17-byte "Malicious request"):

POST / HTTP/1.1
Host: target-website.com
Content-Length: 22
Transfer-Encoding: chunked

0

Malicious request

The front-end forwards all 22 bytes. The back-end honours the chunked encoding, sees the 0-size chunk and treats the request as finished there. "Malicious request" is left in the connection buffer and is prepended to the next request that arrives on the same back-end connection, which is usually another user's.

TE.CL

The front-end uses Transfer-Encoding, the back-end uses Content-Length. Content-Length is set to cover only the first chunk-size line ("11" followed by CRLF is 4 bytes):

POST / HTTP/1.1
Host: target-website.com
Content-Length: 4
Transfer-Encoding: chunked

11
Malicious request
0

The front-end reads the chunked body up to the 0 chunk and forwards everything. The back-end stops after 4 bytes of body, and the remaining bytes, starting with "Malicious request", are parsed as the beginning of a new request.
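The following Python script is an added example, not code from the original article. It is a minimal HTTP/1.1 framer that carves a byte stream into requests using either Content-Length only ("cl", what the Content-Length side of each pair does) or Transfer-Encoding: chunked only ("te"), and runs both framings over the CL.TE and TE.CL payloads above, each followed by a constructed innocent request (GET /home) standing in for the next user on the same connection. The function names, the sample requests and target-website.com are illustrative.

```python
# Added example (not from the original article): a minimal HTTP/1.1 framer
# that splits one byte stream into requests using EITHER Content-Length only
# ("cl") OR Transfer-Encoding: chunked only ("te"). Running both over the same
# bytes shows how a front-end and a back-end that disagree end up with
# different requests. Sample requests are constructed; target-website.com and
# "Malicious request" are the article's placeholders.

CRLF = b"\r\n"


def parse_headers(raw: bytes):
    """Return (request_line, {lower-cased name: value}, bytes after the blank line).
    A repeated header keeps its last value, as a naive server would."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, rest


def body_by_content_length(headers, rest):
    """Take exactly Content-Length bytes; the remainder stays in the buffer."""
    n = int(headers.get("content-length", "0"))
    if len(rest) < n:
        raise ValueError("incomplete request: body shorter than Content-Length")
    return rest[:n], rest[n:]


def body_by_chunked(rest):
    """Read hex-sized chunks until the 0 chunk; the remainder stays in the buffer."""
    body = b""
    while True:
        size_line, sep, rest = rest.partition(CRLF)
        if not sep:
            raise ValueError("incomplete chunk-size line")
        size = int(size_line.split(b";")[0].strip(), 16)  # ignore chunk extensions
        if size == 0:
            # Last chunk: skip any trailer lines up to the terminating blank line.
            while True:
                line, sep, rest = rest.partition(CRLF)
                if not sep:
                    raise ValueError("incomplete chunked body")
                if line == b"":
                    return body, rest
        if len(rest) < size + 2:
            raise ValueError("incomplete chunk")
        body += rest[:size]
        rest = rest[size + 2:]  # drop the CRLF that ends the chunk data


def split_stream(stream: bytes, framing: str):
    """Return ([(request_line, headers, body), ...], leftover) as a server using
    the given framing sees them. leftover is what would sit in the connection
    buffer waiting to be glued onto the next request."""
    requests, rest = [], stream
    while rest:
        try:
            request_line, headers, after = parse_headers(rest)
        except ValueError:
            break  # not a complete request head yet: stays in the buffer
        te = headers.get("transfer-encoding", "").lower()
        if framing == "te" and te == "chunked":
            body, rest = body_by_chunked(after)
        elif "content-length" in headers:
            body, rest = body_by_content_length(headers, after)  # "cl" ignores TE
        else:
            body, rest = b"", after
        requests.append((request_line, headers, body))
    return requests, rest


# Constructed payloads matching the CL.TE and TE.CL sections of the article.
CL_TE = (b"POST / HTTP/1.1\r\nHost: target-website.com\r\n"
         b"Content-Length: 22\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"0\r\n\r\nMalicious request")
TE_CL = (b"POST / HTTP/1.1\r\nHost: target-website.com\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"11\r\nMalicious request\r\n0\r\n\r\n")
# Constructed innocent request standing in for the next user on the same connection.
NEXT_USER = b"GET /home HTTP/1.1\r\nHost: target-website.com\r\n\r\n"


def demo():
    """Frame each payload plus the next user's request both ways.
    Returns {(attack, framing): ([request lines seen], leftover bytes)}."""
    results = {}
    for attack, payload in (("CL.TE", CL_TE), ("TE.CL", TE_CL)):
        for framing in ("cl", "te"):
            reqs, leftover = split_stream(payload + NEXT_USER, framing)
            results[(attack, framing)] = ([r[0] for r in reqs], leftover)
    return results


if __name__ == "__main__":
    for key, (lines, leftover) in demo().items():
        print(key, lines, leftover)
```

Reading the output side by side makes the two attacks concrete: for the CL.TE payload the "cl" side sees the POST and then a clean GET /home, while the "te" side sees the POST and then a request whose line is "Malicious requestGET /home HTTP/1.1", the next user's request with the attacker's bytes glued in front. For the TE.CL payload the "te" side sees two requests, while the "cl" side sees three, the extra one starting with "Malicious request". In a real attack that prefix is a complete request line and headers rather than the article's placeholder text.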

TE.TE

Both servers support Transfer-Encoding, but one of them can be induced to ignore the header by obfuscating it. The attacker sends Content-Length as well, so whichever server drops the Transfer-Encoding header falls back to Content-Length, and the request is handled as CL.TE or TE.CL depending on which side was fooled. The canonical header is:

Transfer-Encoding: chunked

Variants that one parser may still accept and another reject include a space before the colon, a tab in place of the space, and sending the header twice:

Transfer-Encoding : chunked
Transfer-Encoding[Tab]:chunked
Transfer-Encoding: chunked
Transfer-Encoding: chunked

Preventing HTTP Request Smuggling Attacks

  • Use HTTP/2 end to end. Its framing carries an explicit length for every frame, so Content-Length and Transfer-Encoding no longer decide where a request ends. Terminating HTTP/2 at the front-end and downgrading to HTTP/1.1 towards the back-end reintroduces the problem.
  • Reject ambiguous requests rather than guessing: both Content-Length and Transfer-Encoding present, duplicate or conflicting Content-Length headers, or a Transfer-Encoding header that is not exactly the canonical form. The front-end should do this and close the connection, and the back-end should apply the same rule.
  • If the front-end must speak HTTP/1.1 to the back-end, do not reuse back-end connections across requests from different clients; smuggled bytes then cannot poison another user's request.
  • When possible, use the same web server solution for both the front-end and back-end servers (Apache, Nginx, IIS...), so that both parse requests identically. Of course, this won't always be possible, as front-end servers are often hardware appliances that do not offer options for customization.
  • Use a Web Application Firewall (WAF) that provides protection against HTTP Request Smuggling attacks.
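The following Python script is an added example, not code from the original article. It implements the "reject ambiguous requests" rule above as a front-end style check on the raw header block, before any normalisation, so the obfuscated Transfer-Encoding forms from the TE.TE section are caught as well. The sample requests are constructed; target-website.com is the article's placeholder host and the reject messages are illustrative.

```python
# Added example (not from the original article): a front-end style check that
# refuses requests whose body framing is ambiguous, applied to the raw header
# block before any normalisation so that obfuscated Transfer-Encoding headers
# are caught. Sample requests are constructed; target-website.com is the
# article's placeholder host.

CRLF = b"\r\n"


def check_framing(raw: bytes) -> str:
    """Return "ok" when the request has one unambiguous body framing, otherwise
    a "reject: ..." reason (a front-end would answer 400 and close the connection)."""
    head = raw.split(CRLF + CRLF, 1)[0]
    content_lengths, te_values = [], []
    for line in head.split(CRLF)[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t"):
            return "reject: obsolete line folding"
        name, sep, value = line.partition(b":")
        if not sep:
            return "reject: malformed header line"
        if name != name.strip():
            # RFC 7230 forbids whitespace between the field name and the colon;
            # "Transfer-Encoding : chunked" and "Transfer-Encoding\t:chunked" end here.
            return "reject: whitespace before colon in header name"
        lname = name.lower()
        if lname == b"content-length":
            content_lengths.append(value.strip())
        elif lname == b"transfer-encoding":
            te_values.append(value.strip().lower())
    if content_lengths and te_values:
        return "reject: both Content-Length and Transfer-Encoding present"
    if len(set(content_lengths)) > 1:
        return "reject: conflicting Content-Length values"
    if any(not cl.isdigit() for cl in content_lengths):
        return "reject: non-numeric Content-Length"
    if te_values and (len(te_values) != 1 or te_values[0] != b"chunked"):
        # Only the single canonical token is honoured; duplicates and unknown
        # codings ("xchunked", "chunked, identity") are refused, not guessed at.
        return "reject: duplicate or unrecognised Transfer-Encoding"
    return "ok"


# Constructed requests: two legitimate forms plus the ambiguous ones from the article.
SAMPLES = {
    "plain": (b"POST / HTTP/1.1\r\nHost: target-website.com\r\n"
              b"Content-Length: 17\r\n\r\nMalicious request"),
    "chunked": (b"POST / HTTP/1.1\r\nHost: target-website.com\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "cl_and_te": (b"POST / HTTP/1.1\r\nHost: target-website.com\r\n"
                  b"Content-Length: 22\r\nTransfer-Encoding: chunked\r\n\r\n"
                  b"0\r\n\r\nMalicious request"),
    "space_before_colon": (b"POST / HTTP/1.1\r\nHost: target-website.com\r\n"
                           b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n"),
    "tab_before_colon": (b"POST / HTTP/1.1\r\nHost: target-website.com\r\n"
                         b"Transfer-Encoding\t:chunked\r\n\r\n0\r\n\r\n"),
    "duplicate_te": (b"POST / HTTP/1.1\r\nHost: target-website.com\r\n"
                     b"Transfer-Encoding: chunked\r\nTransfer-Encoding: chunked\r\n\r\n"
                     b"0\r\n\r\n"),
    "two_content_lengths": (b"POST / HTTP/1.1\r\nHost: target-website.com\r\n"
                            b"Content-Length: 4\r\nContent-Length: 22\r\n\r\n0\r\n\r\n"),
}


def audit():
    """Run the check over every sample; returns {name: verdict}."""
    return {name: check_framing(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:22} {verdict}")
```

Two design choices matter here. RFC 7230 allows a server to resolve a request that has both headers by honouring Transfer-Encoding, but it also permits rejecting it, and a front-end that sits on a shared back-end connection should take the conservative option because it cannot know how the back-end will resolve it. And after any rejection the connection must be closed, not just answered with 400: the bytes still in the buffer were framed by the attacker, so nothing read from that socket afterwards can be trusted as the start of a new request.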

A. Boukar

A cybersecurity enthusiast, and founder @ Patchthenet.com