[Forgot Password]
Login  Register Subscribe

23631

 
 

115083

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

ID: 444Date: (C)2012-05-14   (M)2017-11-09
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Base





Description

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Integrity
Non-Repudiation
Access_Control
 
Unexpected state
Hide activities
Bypass protection mechanism
 
An attacker could create a request to exploit a number of weaknesses including 1) the request can trick the web server to associate a URL with another URLs webpage and caching the contents of the webpage (web cache poisoning attack), 2) the request can be structured to bypass the firewall protection mechanisms and gain unauthorized access to a web application, and 3) the request can invoke a script or a page that returns client credentials (similar to a Cross Site Scripting attack).
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 
 Use a web server that employs a strict HTTP parsing procedure, such as Apache (See paper in reference).
 
  
Implementation
 
 Use only SSL communication.
 
  
Implementation
 
 Terminate the client session after each request.
 
  
System Configuration
 
 Turn all pages to non-cacheable.
 
  

Relationships

Related CWETypeViewChain
CWE-444 ChildOf CWE-896 Category CWE-888  

Demonstrative Examples   (Details)

  1. In the following example, a malformed HTTP request is sent to a website that includes a proxy server and a web server with the intent of poisoning the cache to associate one webpage with another malicious webpage.
  2. In the following example, a malformed HTTP request is sent to a website that includes a web server with a firewall with the intent of bypassing the web server firewall to smuggle malicious code into the system..

Observed Examples

  1. CVE-2005-2088 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  2. CVE-2005-2089 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  3. CVE-2005-2090 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  4. CVE-2005-2091 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  5. CVE-2005-2092 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  6. CVE-2005-2093 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  7. CVE-2005-2094 : Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  HTTP Request Smuggling
 
 
WASC 26
 
HTTP Request Smuggling
 
 

References:

  1. Chaim Linhart Amit Klein Ronen Heled Steve Orrin .HTTP Request Smuggling.

© 2013 SecPod Technologies