Friday, June 10, 2005
HTTP Request Smuggling
Here is the executive summary from their whitepaper:
HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g. cache server, proxy server, web application firewall, etc.) are in the data flow between the user and the web server. HTTP Request Smuggling enables various attacks – web cache poisoning, session hijacking, cross-site scripting and most importantly, the ability to bypass web application firewall protection. It sends multiple specially crafted HTTP requests that cause the two attacked entities to see two different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it. In the web cache poisoning attack, this smuggled request will trick the cache server into unintentionally associating a URL to another URL’s page (content), and caching this content for the URL. In the web application firewall attack, the smuggled request can be a worm (like Nimda or Code Red) or buffer overflow attack targeting the web server. Finally, because HTTP Request Smuggling enables the attacker to insert or sneak a request into the flow, it allows the attacker to manipulate the web server’s request/response sequencing which can allow for credential hijacking and other malicious outcomes.
Copyright Anand Jain 2004, 2005. All rights