Warning: 4 new HTTP request smuggling attack variants

New variants of HTTP request smuggling attacks call for new defenses and raise many challenges, as experts demonstrate

New research revealed more ways to attack web servers: HTTP request smuggling attacks now have more variants. HTTP Request Smuggling, also known as HTTP Desyncing,[1] is an attack method that dates back to 2005. It allows attackers to work against commercial off-the-shelf (COTS) web servers and HTTP proxy servers.[2] The attacks append ambiguous requests to a legitimate user request and can be used to hijack user operations, exfiltrate credentials, steal data directly from victims, take control of the server, and more.[3]

A security researcher at SafeBreach presented new findings on the susceptibility of web servers and HTTP proxy servers to HTTP request smuggling attacks. Requests can be smuggled past WAFs and other security solutions, affect HTTP caches, hijack user requests, and enable data exfiltration and other malicious activity. The new variants work against various server and proxy combinations and can help compromise the login pages of popular applications.

The demonstration from Amit Klein presents four new variants and shows how effective such attacks can be:

I demonstrate four new HTTP Request Smuggling attack variants that work against COTS, popular, present-day web servers and HTTP proxy servers. I also describe a successful attack with an old variant, and I demonstrate a circumvention of an existing HTTP Request Smuggling protection for a free, open source application security solution.

The technique has evolved significantly over the past 15 years

This desyncing technique has been known since 2005, when researchers first warned about the risk. It interferes with the way a website processes the sequence of HTTP requests it receives from several users at a time. Request smuggling flaws arise when the front-end and back-end servers interpret the boundary of an HTTP request differently.

Malicious actors can send ambiguous requests that desynchronize the two servers in order to hijack credentials, inject responses to users, steal data from victims, exfiltrate other valuable details, and transfer all of it to attacker-controlled servers. First demonstrated 15 years ago, the technique has since received several improvements and expanded significantly, according to many researchers.[4]

The latest improvements allow privileged access to internal APIs and work across various combinations of web servers and proxy servers. Klein disclosed four new HTTP desyncing variants, alongside one old one:

  • “Header SP/CR junk: …”;
  • “Wait for It”;
  • HTTP/1.2 to bypass mod_security-like defenses;
  • A plain solution;
  • “CR header”.

Challenges and security requirements for the defenses

When such an HTTP request is handled, with two Content-Length headers, for example, one server accepts the second header as valid while the other does not, so the two servers interpret the boundary of the request differently, leading to successful request smuggling. Other variants revealed that, in addition to request smuggling, exploiting such flaws can lead to malicious process launches and to bypassing the ModSecurity Core Rule Set (CRS).[5]

Possible defenses include the normalization of outbound HTTP requests by proxy servers. Experts noted that there is a need for reliable web application firewall solutions that can handle HTTP Request Smuggling attacks and provide full protection. As the presentation notes, HTTP request smuggling is still a thing, existing solutions are lacking, and more approaches should be considered.
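The two framing problems the article describes, a front end and back end that honour a different Content-Length header and a proxy that should normalize what it forwards, can be seen in a few lines of code. The following is an added example written for this page; it is not code from the article, from SafeBreach or from Klein's paper. It splits one constructed byte stream the way two lenient parsers would (one honouring the first Content-Length, one the last) and shows a strict check plus a normalizer a proxy could apply before forwarding. All request bytes and host names are constructed placeholders.

```python
"""Request-framing checks for an HTTP/1.1 front end or proxy (added example)."""
import re
from typing import List, Tuple

CRLF = b"\r\n"
# RFC 7230 field-name grammar: a token, with no whitespace before the colon.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

Header = Tuple[str, str]


def parse_head(stream: bytes) -> Tuple[str, List[Header], bytes]:
    """Split one message head off the stream -> (request line, headers, rest)."""
    head, sep, rest = stream.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Keep the name exactly as sent so junk around it stays visible to
        # the checks below; only the value has optional whitespace trimmed.
        headers.append((name.decode("latin-1"), value.decode("latin-1").strip()))
    return lines[0].decode("latin-1"), headers, rest


def content_lengths(headers: List[Header]) -> List[str]:
    return [v for k, v in headers if k.lower() == "content-length"]


def split_lenient(stream: bytes, policy: str) -> List[Tuple[str, bytes]]:
    """Split a pipelined stream the way a lenient parser would when it honours
    the 'first' or the 'last' Content-Length header it sees."""
    requests = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        values = content_lengths(headers)
        length = int(values[0] if policy == "first" else values[-1]) if values else 0
        requests.append((request_line, rest[:length]))
        stream = rest[length:]
    return requests


def framing_problems(headers: List[Header]) -> List[str]:
    """Reasons a strict front end should refuse to forward this request."""
    problems = []
    for name, _ in headers:
        if not TOKEN.match(name):
            problems.append(f"invalid header name {name!r}")
    values = content_lengths(headers)
    if any(not v.isdigit() for v in values):
        problems.append(f"non-numeric Content-Length {values}")
    elif len(set(values)) > 1:
        problems.append(f"conflicting Content-Length values {values}")
    if values and any(k.lower() == "transfer-encoding" for k, _ in headers):
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems


def normalize(request_line: str, headers: List[Header], body: bytes) -> bytes:
    """Re-serialize a request with exactly one Content-Length that matches the
    body actually read, or raise if the framing was ambiguous."""
    problems = framing_problems(headers)
    if problems:
        raise ValueError("; ".join(problems))
    kept = [(k, v) for k, v in headers if k.lower() != "content-length"]
    kept.append(("Content-Length", str(len(body))))
    head = request_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in kept)
    return head.encode("latin-1") + CRLF + body


# Constructed sample stream: one POST carrying two different Content-Length
# values, followed by an innocuous GET. Host names are placeholders.
AMBIGUOUS_STREAM = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: front.example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"q=abc"                      # 5 bytes: what a first-CL parser reads
    b"GET /status HTTP/1.1\r\n"   # the remaining 38 bytes are swallowed
    b"Host: a.test\r\n"           # into the body by a last-CL parser
    b"\r\n"
)


def demo() -> Tuple[int, int, List[str]]:
    """Return how many requests each lenient policy sees in the sample stream,
    and why the strict check rejects it."""
    by_first = split_lenient(AMBIGUOUS_STREAM, "first")
    by_last = split_lenient(AMBIGUOUS_STREAM, "last")
    _, headers, _ = parse_head(AMBIGUOUS_STREAM)
    return len(by_first), len(by_last), framing_problems(headers)


if __name__ == "__main__":
    first, last, why = demo()
    print(f"first-CL parser sees {first} request(s); last-CL parser sees {last}")
    print("strict check rejects:", "; ".join(why))
```

Run stand-alone, the script reports that the first-Content-Length parser sees two requests where the last-Content-Length parser sees one, which is exactly the disagreement a front end and back end must never have. The strict check refuses the stream before it is forwarded, and `normalize` collapses identical duplicate headers into a single Content-Length so the back end always receives unambiguous framing.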

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
