Understanding HTTP Request Smuggling: Types, Examples, and Prevention
Explores an attack technique exploiting HTTP processing inconsistencies between front-end and back-end servers. Covers CL.TE and TE.CL variants with prevention strategies.

HTTP Request Smuggling is a web application attack technique that exploits disagreements between two HTTP/1.1 parsers on the same request path, typically a front-end (reverse proxy, load balancer, CDN or WAF) and the back-end server it forwards to, about where one request ends and the next begins. Because the front-end multiplexes many users' requests over a small number of persistent connections to the back-end, an attacker who can make the back-end see a different request boundary can leave bytes in the connection that are prepended to the next user's request. This can lead to various security issues, including bypassing front-end security controls, web cache poisoning, capturing other users' requests, and turning reflected cross-site scripting (XSS) into an attack that needs no victim interaction. Let's explore its types, examples, and how to prevent them.
Types of HTTP Request Smuggling:
HTTP/1.1 offers two ways to delimit a message body: the Content-Length header (a byte count) and Transfer-Encoding: chunked (a sequence of hex-length-prefixed chunks ending with a zero-length chunk). The specification says Transfer-Encoding takes precedence when both are present, but implementations differ, and the variants are named after which header the front-end and the back-end honour, in that order.
- CL.TE (Content-Length then Transfer-Encoding) Smuggling:
The front-end server uses the Content-Length header, while the back-end server uses the Transfer-Encoding: chunked header, to determine the end of a request.
- TE.CL Smuggling:
The opposite of CL.TE: the front-end server uses the Transfer-Encoding header, and the back-end server uses the Content-Length header.
A related case, usually called TE.TE, is where both servers support chunked encoding but one of them can be made to ignore an obfuscated Transfer-Encoding header (for example a trailing tab, an unrecognised coding name, or line folding); it then behaves as CL.TE or TE.CL depending on which side drops the header.
Examples of Vulnerable Requests and Responses:
- CL.TE Smuggling Example:
Request (the front-end honours Content-Length, the back-end honours Transfer-Encoding):

POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 6
Transfer-Encoding: chunked

0

G

Server Response:
HTTP/1.1 200 OK
...
Explanation: The body is exactly six bytes when the CRLF line endings are counted: the chunk-size line "0", the blank line that terminates the chunked body, and the letter G. The front-end uses Content-Length, so it forwards all six bytes as one request. The back-end uses Transfer-Encoding, so it treats the zero-length chunk as the end of the request, answers it (the 200 OK above), and leaves the trailing "G" unread in the connection buffer. When the front-end reuses that back-end connection for the next user's request, the back-end reads "GPOST / HTTP/1.1 ..." and rejects it with an error such as "Unrecognized method GPOST", which is the classic confirmation that smuggling works. The same mechanism works with a complete smuggled request in place of the single byte, as long as Content-Length is recomputed to cover it; a miscounted Content-Length makes the request hang or fail rather than smuggle.
- TE.CL Smuggling Example:
Request (the front-end honours Transfer-Encoding, the back-end honours Content-Length):

POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 3

5
GPOST
0

Server Response:
HTTP/1.1 200 OK
...
Explanation: The front-end uses Transfer-Encoding, so it reads the five-byte chunk "GPOST" and the terminating zero-length chunk and forwards the whole request. The back-end uses Content-Length: 3, so it consumes only the chunk-size line "5" plus its CRLF, responds with the 200 OK, and treats the remaining bytes, starting with "GPOST", as the beginning of the next request on that connection. The blank line after the final 0 is required: without it the front-end waits for the end of the chunked body and the request times out.
Prevention Methods:
- Consistent Parsing:
Ensure every hop that parses HTTP (CDN, load balancer, WAF, reverse proxy, application server) delimits message bodies the same way. The most robust form of this is HTTP/2 end-to-end: HTTP/2 frames carry an explicit length and have no Content-Length/Transfer-Encoding ambiguity. A front-end that accepts HTTP/2 from clients but downgrades to HTTP/1.1 towards the back-end reintroduces the problem.
- Input Validation:
Have the front-end reject, with a 400 response and a closed connection, any request whose framing is ambiguous: both Content-Length and Transfer-Encoding present, multiple Content-Length headers, a non-numeric Content-Length, or a Transfer-Encoding value that is anything other than exactly "chunked" (obfuscations such as "xchunked", "chunked" followed by a tab, a space before the colon, or line folding are how a second parser is made to disagree). HTTP/1.1 (RFC 9112) allows such messages to be treated as errors. Do not "fix up" an ambiguous request and forward it; normalising here means rejecting.
- Regular Updates and Testing:
Keep all web servers, proxies, and other network components updated, and re-test after any change to the chain. A safe first check is the timing technique: send a request with Content-Length: 4, Transfer-Encoding: chunked and the body "1", CRLF, "A", CRLF, "X". A CL.TE front-end forwards only the first four bytes and the back-end then waits for the rest of the chunked body, so a noticeable delay indicates the discrepancy without affecting other users. Test for TE.CL only after CL.TE has been ruled out, because the TE.CL probe sent to a CL.TE system can poison the connection for other users' requests.
- Web Application Firewalls (WAF):
A WAF can recognise and block known smuggling payloads, but it is itself an HTTP parser in the chain and can be the very front-end whose view disagrees with the back-end. Treat it as defence in depth, not as the fix.
- Unified Processing:
Avoid using multiple, disparate systems to process parts of HTTP requests. Where a front-end and a back-end must coexist, disable back-end connection reuse (send each user's request over a fresh back-end connection) so that smuggled bytes cannot be prepended to another user's request; this removes the cross-user impact at some performance cost, though requests that bypass front-end controls on the attacker's own connection remain possible.
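One way to implement the rejection rule in the Input Validation item above, as an added example that is not from the original article: a Python check a front-end could run on the raw header block before forwarding a request over a reused back-end connection. It returns a reason string for each ambiguous framing the CL.TE, TE.CL and TE.TE variants depend on, and None for a clean request. The sample requests are constructed for the demonstration; the host name is the article's placeholder.

```python
import re

# Added example (not from the original article): a strict framing check that a
# front-end can apply before forwarding a request over a reused back-end
# connection. Any request whose body length could be read two ways is rejected.
# The SAMPLES at the bottom are constructed for the demo.

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 'token'
DECIMAL = re.compile(rb"^[0-9]+$")


def framing_problem(raw):
    """Return None if the request's framing is unambiguous, otherwise a short
    reason the front-end should answer with 400 and a closed connection."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete header block"
    lines = head.split(b"\r\n")
    if any(b"\n" in line or b"\r" in line for line in lines):
        return "bare CR or LF inside header block"   # lone-LF line endings
    content_lengths, transfer_encodings = [], []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            return "obsolete line folding"           # 'Transfer-Encoding:' CRLF ' chunked'
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            return f"malformed header name {name!r}"  # 'Transfer-Encoding : chunked'
        name = name.lower()
        if name == b"content-length":
            content_lengths.append(value)
        elif name == b"transfer-encoding":
            transfer_encodings.append(value)
    if content_lengths and transfer_encodings:
        return "Content-Length and Transfer-Encoding both present"
    if len(content_lengths) > 1:
        return "multiple Content-Length headers"
    if len(transfer_encodings) > 1:
        return "multiple Transfer-Encoding headers"
    for value in content_lengths:
        if not DECIMAL.match(value.strip(b" ")):
            return f"invalid Content-Length value {value!r}"
    for value in transfer_encodings:
        # Only optional spaces around the token are tolerated: a tab, trailing
        # junk or any coding other than exactly 'chunked' is how a second
        # parser is made to disagree (TE.TE obfuscation).
        if value.strip(b" ") != b"chunked":
            return f"unrecognised Transfer-Encoding {value!r}"
    return None


def _req(*header_lines, body=b""):
    """Build a constructed POST to the article's placeholder host."""
    head = [b"POST / HTTP/1.1", b"Host: vulnerable-website.com", *header_lines]
    return b"\r\n".join(head) + b"\r\n\r\n" + body


SAMPLES = {
    "clean_cl":      _req(b"Content-Length: 3", body=b"x=1"),
    "clean_te":      _req(b"Transfer-Encoding: chunked", body=b"0\r\n\r\n"),
    "cl_and_te":     _req(b"Content-Length: 6", b"Transfer-Encoding: chunked",
                          body=b"0\r\n\r\nG"),
    "double_cl":     _req(b"Content-Length: 3", b"Content-Length: 9", body=b"x=1"),
    "obfuscated_te": _req(b"Transfer-Encoding: xchunked", body=b"0\r\n\r\n"),
    "tab_te":        _req(b"Transfer-Encoding: chunked\t", body=b"0\r\n\r\n"),
    "spaced_name":   _req(b"Transfer-Encoding : chunked", body=b"0\r\n\r\n"),
    "folded_te":     _req(b"Transfer-Encoding:", b" chunked", body=b"0\r\n\r\n"),
    "bare_lf":       _req(b"Content-Length: 3\nTransfer-Encoding: chunked",
                          body=b"x=1"),
}


def check_samples():
    """Map each constructed sample to the verdict the front-end would give."""
    return {name: framing_problem(raw) for name, raw in SAMPLES.items()}
```

The check is deliberately stricter than the RFC minimum: identical duplicate Content-Length headers and multi-coding Transfer-Encoding values are legal in principle, but a front-end that forwards to a back-end it does not control gains nothing by accepting them, and every relaxation is a place where the two parsers can be driven apart.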