Recently I saw an HTTP Request Smuggling alert fly past my IPS. It turned out to be a false positive, but led me down the path of figuring out what that attack actually was. This was one of the bigger things I learned that week. Coincidentally, almost that same day, I browsed backlog quiz questions from Palisade and came across one about HTTP Request Smuggling. Whoa!
HTTP Request Smuggling is scary for a few reasons.
First, and likely the biggest reason many people don’t hear about it, is it is pretty complicated and technical. Do you know the differences in how your application level packet intepreters (cache proxies, firewall proxies…) and your web servers parse HTTP? Me either. But some people do, and I bet they can pilfer some scary stuff without many people knowing..
Third, it sounds difficult to detect in logs and on the wire since the packet parsing needs to be done with awareness of what web server and proxy server is in the communication line are, and how they parse HTTP.
Palisade has a nice write-up on the issue available on both their quiz question and also their article. WatchFire has an amazing white paper on the issue that you can sign up to get (use Pookmail as your throwaway email address).