HTTP Request Smuggling Explained

Introduction to HTTP Request Smuggling

Before I go ahead and explain what HTTP Request Smuggling is, we should first start with a brief reminder of how the web works and how web pages are loaded in the web browser.

The Web Page Loading Process

So, here is how the process goes:

  1. A user types the address of a web page into a web browser.
  2. The web browser sends an HTTP request to a web server asking for the requested web page.
  3. The web server replies with an HTTP response containing the requested page.
  4. Finally, the web browser displays the received content to the user.

  1. A user types the address of a web page into a web browser.
  2. The web browser sends an HTTP request to the front-end web server asking for the requested web page.
  3. After processing the request, the front-end web server forwards it to the back-end server.
  4. The web server replies with an HTTP response containing the requested page.
  5. Finally, the web browser displays the received content to the user.

Determining the end of HTTP requests

Method 1 : Content-Length

GET / HTTP/1.1
HOST: target-website.com
Content-Length: 18

Malicious request

Method 2 : Transfer-Encoding

GET / HTTP/1.1
HOST: target-website.com
Transfer-Encoding: chunked

12
Malicious request
0

Types of HTTP Request Smuggling Attacks

Now that we have seen how HTTP Request Smuggling attacks work, let’s start exploring the different forms of the attack.

CL.TE

When the front-end server uses Content-Length and the back-end server uses Transfer-Encoding, an attacker can send the following payload to smuggle the malicious request to the back-end server:

GET / HTTP/1.1
HOST: target-website.com
Transfer-Encoding: chunked
Content-Length: 21

0

Malicious request

TE.CL

When the front-end server uses Transfer-Encoding and the back-end server uses Content-Length, this time, an attacker can send the following payload to smuggle the malicious request to the back-end server:

GET / HTTP/1.1
HOST: target-website.com
Transfer-Encoding: chunked
Content-Length: 4

12
Malicious request
0

TE.TE

When both servers use Transfer-Encoding, they can differ in the way they interpret the header.

Transfer-Encoding: chunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding[Tab]:chunked

Preventing HTTP Request Smuggling Attacks

You can prevent HTTP request smuggling by following certain good practices.

  • Use the HTTP/2 protocol for communications between front-end and back-end servers.
  • The back-end server should reject all ambiguous requests.
  • When possible, use the same web server solution for both the front-end and back-end servers (Apache, Nginx, IIS…). Of course, this won’t always be possible, as front-end servers are often hardware appliances that do not offer options for customization.
  • Use a Web Application Firewall (WAF) that provides protection against HTTP Request Smuggling attacks.
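
The "reject all ambiguous requests" recommendation can be written as a check on the request head. The following is an added example, not code from the original article: it assumes a strict policy that rejects requests carrying both length headers, malformed header names such as the Transfer-Encoding variants listed under TE.TE, and conflicting values. The function name and the sample requests are constructed for illustration.

```python
import re

# Header field names must be RFC 9110 tokens: no spaces or tabs before the colon.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def ambiguity_reasons(raw: bytes) -> list:
    """Return why a raw HTTP/1.1 request head is ambiguous (empty list = accept)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    reasons, cl, te = [], [], []
    for line in head.split(b"\r\n")[1:]:      # [1:] skips the request line
        if b"\r" in line or b"\n" in line:
            reasons.append("bare CR or LF inside a header line")
        if line[:1] in (b" ", b"\t"):
            reasons.append("header line starts with whitespace")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            # Catches "Transfer-Encoding : chunked" and "Transfer-Encoding[Tab]:chunked"
            reasons.append(f"malformed header name {name!r}")
            continue
        value = value.strip(b" \t")
        if name.lower() == b"content-length":
            cl.append(value)
        elif name.lower() == b"transfer-encoding":
            te.append(value.lower())
    if cl and te:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1 or any(not v.isdigit() for v in cl):
        reasons.append("conflicting or non-numeric Content-Length")
    if len(te) > 1 or any(v != b"chunked" for v in te):
        reasons.append("repeated or non-chunked Transfer-Encoding")
    return reasons

# Constructed samples modelled on the requests shown in this article.
BASE = b"GET / HTTP/1.1\r\nHost: target-website.com\r\n"
SAMPLES = {
    "clean": BASE + b"\r\n",
    "cl_te": BASE + b"Transfer-Encoding: chunked\r\nContent-Length: 21\r\n\r\n0\r\n\r\n",
    "te_space": BASE + b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "te_tab": BASE + b"Transfer-Encoding\t:chunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        verdict = ambiguity_reasons(request)
        print(label, "->", "reject: " + "; ".join(verdict) if verdict else "accept")
```

A server applying this policy would answer any request with a non-empty result with 400 Bad Request and close the connection, so that no leftover bytes are read as the start of the next request.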

A. Boukar

A cybersecurity enthusiast, and founder @ Patchthenet.com