HTTP Request Smuggling Explained

Introduction to HTTP Request Smuggling

The Web Page Loading Process

  1. A user types in a web browser the HTTP address to a web page.
  2. The web browser sends an HTTP request to a webserver asking for the requested web page.
  3. The webserver replies with an HTTP response containing the requested page.
  4. Finally, the web browser displays the received content to the user.

  1. A user types in a web browser the HTTP address to a web page.
  2. The web browser sends an HTTP request to the front-end web server asking for the requested web page.
  3. After processing the request, the front-end web server forwards it to the back-end server.
  4. The webserver replies with an HTTP response containing the requested page.
  5. Finally, the web browser displays the received content to the user.

Determining the end of HTTP requests

GET / HTTP/1.1
HOST: target-website.com
Content-Length: 18

Malicious request

GET / HTTP/1.1
HOST: target-website.com
Transfer-Encoding: chunked

12
Malicious request
0

Types of HTTP Request Smuggling Attacks

CL.TE

GET / HTTP/1.1
HOST: target-website.com
Transfer-Encoding: chunked
Content-Length: 21

0

Malicious request

TE.CL

GET / HTTP/1.1
HOST: target-website.com
Transfer-Encoding: chunked
Content-Length: 4

12
Malicious request
0

TE.TE

Transfer-Encoding: chunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding[Tab]:chunked

Preventing HTTP Request Smuggling Attacks

  • Use the HTTP/2 protocol for communications between front-end and back-end servers.
  • The back-end server should reject all ambiguous requests.
  • When possible, use the same web server software for both the front-end and back-end servers (Apache, Nginx, IIS…). Of course, this won’t always be possible, as front-end servers are often hardware appliances that do not offer options for customization.
  • Use a Web Application Firewall (WAF) that provides protection against HTTP Request Smuggling attacks.
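The following is an added illustration, not code from the article or from any server project: it frames the same CL.TE-shaped message first the way a Content-Length-first front-end would and then the way a chunked-first back-end would, so the leftover bytes that become a second request are visible, and it includes the "reject ambiguous framing" check from the prevention list above. The request bytes, the 22-byte Content-Length and the function names are constructed for this example.

```python
def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 message into (request line, headers, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # lowercase + strip so obfuscated spellings ("Transfer-Encoding ") still count
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def frame_by_content_length(headers, body):
    """Front-end view: the body is exactly Content-Length bytes; the rest is leftover."""
    n = int(headers[b"content-length"][0])
    return body[:n], body[n:]

def frame_by_chunked(body):
    """Back-end view: read chunks until the zero-size chunk and its trailer line."""
    data, rest = b"", body
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")  # empty trailer section
            return data, rest
        data, rest = data + rest[:size], rest[size + 2:]  # chunk data + CRLF

def is_ambiguous(headers):
    """True when framing could be read two ways: CL and TE together, repeated CL/TE, or TE not exactly 'chunked'."""
    te = headers.get(b"transfer-encoding", [])
    cl = headers.get(b"content-length", [])
    if te and cl or len(te) > 1 or len(cl) > 1:
        return True
    return any(v != b"chunked" for v in te)

# Constructed sample in the article's CL.TE shape: Content-Length 22 = "0\r\n\r\n" + 17-byte tail
SAMPLE = (b"GET / HTTP/1.1\r\nHost: target-website.com\r\n"
          b"Transfer-Encoding: chunked\r\nContent-Length: 22\r\n\r\n"
          b"0\r\n\r\nMalicious request")

def desync(raw: bytes = SAMPLE):
    """Return (leftover seen by the CL parser, leftover seen by the TE parser, ambiguous?)."""
    _, headers, body = parse_request(raw)
    _, cl_rest = frame_by_content_length(headers, body)
    _, te_rest = frame_by_chunked(body)
    return cl_rest, te_rest, is_ambiguous(headers)  # -> (b'', b'Malicious request', True)
```

A front-end using Content-Length consumes everything, while a back-end using Transfer-Encoding stops at the zero chunk and treats the tail as the start of the next request; `is_ambiguous` is the check that lets either side refuse the message instead.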

A cybersecurity enthusiast, and founder @ Patchthenet.com

A. Boukar