Week 45 - Request Smuggling

This week’s web hacking tip is on HTTP Request Smuggling! When HTTP requests are interpreted by a front-end server (usually a load balancer, reverse proxy or firewall) existing between the client and back-end server, they can be interpreted inconsistently. The back-end server could end up considering one HTTP request two separate ones. HTTP Request Smuggling occurs when the front-end server interprets the HTTP request based on the ‘Content-Length’ header, while the back-end server uses the ‘Transfer-Encoding: chunked’ header. This can cause the request we issued to the server to be pre-pended to the next incoming (victim) request to the server. Let me explain this further... HTTP requests are sent to the server one after another, and the back-end server parses the HTTP request headers to determine where one request ends and the next one begins. The ‘Content-Length’ header is straightforward and specifies the length of the message body in bytes. The ‘Transfer-Encoding: chunked’ header is more complex and specifies that the message contains chunks of data. Since HTTP provides these two different methods for specifying the length of messages, it is possible to make the front-end and back-end servers disagree about the boundaries between successive requests. The goal is to overwrite the first line of the next incoming (victim) request to the server, inserting our own GET/POST to an endpoint (see image below). In some cases, the back-end server will automatically redirect when we provide a custom URL as the endpoint (GET https[:]//attacker[.]com). This is critical since cookies may be redirected to us as well! This attack can be automated using Smuggler: