Request Smuggling

How the server handles HTTP requests

The user sends request to the front end server. This front end server forwards the request to backend servers. The backend server parses HTTP request to determine the boundaries of the request i.e to know when a request is ends and another begins.

The front end server has established connection with the backed and all requests that the front end receives are forwarded to the backed over this connection. The backend receives the HTTPS requests and differentiates different HTTP requests.

The attack occurs when the attacker modifies the boundary of its request. When the attacker request reaches the backend, backend processes single request to the front end as 2 requests at the backend. As the frontend validates the single request, the backend on recognizing 2 requests, justifies them as two requests.

The frontend and backend process the HTTP requests differently in terms of the boundaries of subsequent requests.

Also HTTP boundaries are concept of HTTP 2.0 HTTP 1.0 allows requests don't support them.

Normal Scenario, Frontend handles all requests and forwards them to backend. Backend reads and forwards them to appropriate servers

Attacker can send a request in such a way that the first request is terminated and initiate a new request on demand.

Attacker sends one request with request boundary modification. Front end considers this request as single request and forwards it to backend. Backend reads the request keeping in mind the boundaries, interpreting this request as 2 requests and forwards the same to backed server. Hence, we smuggle a second request through the frontend to the backend.

How does it arise?

This occurs when the frontend and backend differently handle the boundary of requests.

HTTP request end is specified either through "Content-Length" and "Transfer-Encoding" header.

Content-Length: Specify length of message in bytes. After bytes, subsequent bytes will be considered a new request.

"Transfer-Encoding" The header used with chunked value specifies that request message body contains chunks of data. Format: <chunk size in bytes (hex representation> chunk 0 (zero specifies end of chunk)

How does this fit in attack?

Our purpose is to smuggle a request along with a genuine request to the backend server. In order to do that, 1. Need frontend to interpret attacker request as a single request. 2. Need backed to interpret the request from frontend as multiple request. For this frontend request HTTP boundary must include genuine and smuggled request, while backend request boundary must mean two requests.

Normal HTTP 1.0 request: Order beer, get beer. Doesn't support CL and TE headers

HTTP 2.0 request: Order beer with request smuggling for sider

Next request for beer, but got cider. As cider was next in queue at the bar.

How this is achieved?

The following scenarios based on boundary headers:

  • CL.TE: the front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header to process request.

  • TE.CL: the front-end server uses the Transfer-Encoding header and the back-end server uses the Content-Length header.

  • TE.TE: the front-end and back-end servers both support the Transfer-Encoding header, but one of the servers can be induced not to process it by obfuscating the header in some way.

Testing:

PreviousBurp AcademyNextTool

Last updated

Was this helpful?