Recent research has uncovered four new variants of HTTP request smuggling attacks that pose threats to a range of widely used web and HTTP proxy servers. Amit Klein, Vice President of Security Research at SafeBreach, shared these findings at the Black Hat security conference, emphasizing that vulnerabilities in web servers and proxies remain exploitable even years after being documented.

HTTP request smuggling, also known as HTTP Desyncing, is a technique that disrupts how web servers manage sequences of HTTP requests from multiple users. This technique typically exploits differences in the way front-end and back-end servers interpret HTTP request boundaries. Such discrepancies allow an adversary to “smuggle” an ambiguous request alongside a valid one, leading to potential security breaches.

This desynchronization opens up various attack vectors, enabling attackers to hijack user credentials, manipulate responses, and extract sensitive data from other users’ requests before exfiltrating it to their own controlled servers. The technique was initially demonstrated in 2005 by a team from Watchfire, including Klein, who noted that more sophisticated evasions have emerged in recent years, broadening the attack surface and enabling attackers to exploit internal APIs, corrupt web caches, and compromise the login pages of popular applications.

The latest variants highlighted by Klein employ a mix of existing web server technologies, such as Microsoft IIS, Apache, and Nginx, in tandem with proxy servers like Squid and HAProxy. Klein’s findings reveal specific ways in which these systems can be manipulated to create smuggling vulnerabilities.

One notable variant involves servers processing HTTP requests with multiple Content-Length headers differently, leading to inconsistent interpretations of request boundaries. For example, while Abyss may accept a second Content-Length header, Squid defaults to the first, creating opportunities for exploitation. Another variant capitalizes on timing discrepancies, where Abyss delays processing requests while ignoring parts of the original body, thus mismatching what Squid interprets.
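To make the first variant concrete, here is an added illustration (not code from the article or from Klein's library) that cuts one constructed byte stream into requests under three duplicate-Content-Length policies: honour the first header, honour the last, or reject the conflict outright. The policy names and the sample stream are assumptions for the demonstration; the strict policy is the normalization behaviour a defending proxy should apply.

```python
import re

# One "Name: value\r\n" header line; sufficient for the constructed sample below.
HEADER_RE = re.compile(rb"([^:\r\n]+):[ \t]*([^\r\n]*)\r\n")

def parse_head(data):
    """Return (headers, body_offset) for the request at the start of data."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete request head")
    head = data[:end + 2]                 # request line plus CRLF-terminated headers
    headers = HEADER_RE.findall(head[head.index(b"\r\n") + 2:])
    return headers, end + 4

def content_length(headers, policy):
    """Body length under a duplicate-Content-Length policy.

    'first' and 'last' model a parser that honours the first or the last header
    (the article reports Squid taking the first and Abyss accepting the second);
    'strict' rejects conflicting values, which is what RFC 7230 section 3.3.3
    requires and what a normalizing proxy should do."""
    values = [v for k, v in headers if k.lower() == b"content-length"]
    if not values:
        return 0
    if policy == "strict" and len(set(values)) > 1:
        raise ValueError("conflicting Content-Length headers")
    return int(values[0] if policy == "first" else values[-1])

def split_requests(stream, policy):
    """Cut a byte stream into requests the way a parser using `policy` would."""
    requests, pos = [], 0
    while pos < len(stream):
        headers, body_off = parse_head(stream[pos:])
        total = body_off + content_length(headers, policy)
        requests.append(stream[pos:pos + total])
        pos += total
    return requests

# Constructed sample: one POST carrying two conflicting Content-Length values.
# A "first" parser sees a 4-byte body followed by a second request; a "last"
# parser sees a single 32-byte body and never sees a second request at all.
SAMPLE = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"abcd"
    b"GET /x HTTP/1.1\r\nHost: a\r\n\r\n"
)

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, [r.split(b"\r\n", 1)[0] for r in split_requests(SAMPLE, policy)])
```

When the front end and back end disagree on the policy, the two request lists differ, which is exactly the boundary mismatch the article describes; a strict front end turns the disagreement into a rejected request instead.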

Additionally, Klein identified an advanced method designed to bypass the defenses of the OWASP ModSecurity Core Rule Set by leveraging HTTP/1.2 features. This allows attackers to craft malicious payloads that slip past the rule set's checks and reach the back end unimpeded.

In response to these findings, vendors and security organizations have patched affected systems, with updates released for Abyss and Squid servers as well as the OWASP CRS. Klein emphasized the necessity for standardized normalization processes for outbound HTTP requests from proxy servers, alongside a call for more robust and versatile web application firewalls that can adequately defend against HTTP request smuggling attacks. Although ModSecurity exists as an open-source solution, Klein expressed concerns over its limitations and lack of comprehensive protection across all server types.

To enhance security, Klein has released a C++-based library designed to ensure that all incoming HTTP requests adhere to strict formatting rules, effectively combating these smuggling attacks. The library is available on GitHub.

This research emphasizes the ongoing vulnerabilities that web servers and proxies face, as well as the critical need for preventative measures and timely updates within web infrastructure. The findings serve as a stark reminder for business owners about the importance of vigilance and robust security practices in mitigating cybersecurity risks.
