what I learned a few weeks ago: http request smuggling

Recently I saw an HTTP Request Smuggling alert fly past my IPS. It turned out to be a false positive, but led me down the path of figuring out what that attack actually was. This was one of the bigger things I learned that week. Coincidentally, almost that same day, I browsed backlog quiz questions from Palisade and came across one about HTTP Request Smuggling. Whoa!

HTTP Request Smuggling is scary for a few reasons.

First, and likely the biggest reason many people don’t hear about it, is it is pretty complicated and technical. Do you know the differences in how your application level packet intepreters (cache proxies, firewall proxies…) and your web servers parse HTTP? Me either. But some people do, and I bet they can pilfer some scary stuff without many people knowing..

Second, you can poison proxy caches, pilfer credentials, and leverage other vulnerabilities like XSS using HTTP Request Smuggling without ever really needing to touch the client or have them do anything. The client really has zero ability to stop this attack (returned javascript notwithstanding).

Third, it sounds difficult to detect in logs and on the wire since the packet parsing needs to be done with awareness of what web server and proxy server is in the communication line are, and how they parse HTTP.

Palisade has a nice write-up on the issue available on both their quiz question and also their article. WatchFire has an amazing white paper on the issue that you can sign up to get (use Pookmail as your throwaway email address).

Posted in web

2 thoughts on “what I learned a few weeks ago: http request smuggling

  1. i noticed that sites like store.apple.com use akamai and that noscript requires you to turn on javascript for both sites in order for it to work. seems like a bad idea…
    but who would buy a mac pro when you can just trick gruber into giving you one for free?

  2. I really think Gruber cries himself to sleep at night…must be an interesting life to be so blindly zealous about something.
    If you happen to check back here, dre, your blog go down or something? Or did you move?

Comments are closed.