Four Variants of HTTP Request Smuggling Attack

HTTP Request Smuggling now has 4 New Variants – Cyber Security Research 2020

The HTTP Request Smuggling attack now has four new variants. They were identified in new research by Amit Klein (VP of Security Research at SafeBreach), who confirmed the findings today at the Black Hat Security Conference.

These four new variants work against various existing commercial web servers and HTTP proxy servers. Mr. Klein also said that the new attacks highlight how “Web Servers” and “HTTP Proxy Servers” are still vulnerable to HTTP request smuggling, even 15 years after these attacks were first found and documented.

Note: Amit Klein was also part of the group that first discovered and demonstrated the HTTP Request Smuggling attack!

What is HTTP Request Smuggling?

Before we get to what the four new variants are, how they work and what countermeasures or workarounds are available, it is important to understand what HTTP Request Smuggling really is and how the attack works.

HTTP Request Smuggling, also known as an HTTP desync attack, is a technique used to interfere with the way a website processes multiple HTTP requests generated by one or more users. Vulnerabilities related to this attack mostly arise when the front end of the website or web application (the proxy) and the back-end server interpret the boundary of an HTTP request differently.

This allows a bad actor to smuggle, or send, an “unclear or ambiguous” request that gets attached to an original request generated by a particular user. This desynchronization of requests can be exploited to hijack credentials, to steal data from user-generated requests and send it to attacker-controlled servers, and even to inject customized responses to users.

This attack was first demonstrated 15 years ago by a group of security researchers from a company named Watchfire. As mentioned earlier in the article, Amit Klein was part of the group that demonstrated the attack in 2005, along with Chaim Linhart, Ronen Heled, and Steve Orrin.

However, over the last five years the industry has seen a number of improvements to this attack, which significantly expand the attack surface: splicing user requests into multiple ones to gain “Maximum Privilege Access” to the internal APIs of a website or web application, poisoning web caches, and compromising the login pages of popular web applications.

What are the new four variants in HTTP Request Smuggling?

The new variants disclosed at the Black Hat Security Conference by Amit Klein involve various proxy-server combinations, which include Microsoft IIS, Apache and Tomcat, Abyss, Nginx, Squid, HAProxy, Caddy, and Traefik in HTTP proxy mode.

The following is the list of the four new variants, along with one old variant that the security researcher successfully executed in one of his demonstrations.

  • Variant 01 – Header SP/CR junk
  • Variant 02 – Wait for it
  • Variant 03 – HTTP/1.2 to bypass CRS
  • Variant 04 – A Plain Solution
  • Variant 05 – CR Header (old one)

The findings

Variant 01 – In the 1st variant, an HTTP request is sent with two “Content-Length” header fields. The Abyss web server was found to accept the second header as the valid one, whereas Squid was found to accept the first header as the valid one. Both servers therefore interpret the same HTTP request differently, and this scenario achieves successful smuggling of an HTTP request.

Variant 02 – In the 2nd variant, when the Abyss web server receives an HTTP request whose body is shorter than the specified Content-Length, it waits 30 seconds before it fulfills the request, and it ignores the remaining body of the request once that time limit has passed. Squid, however, interprets the remaining body of the same HTTP request as a second request.

Variant 03 – The 3rd variant deserves special attention: it uses HTTP/1.2 to bypass the CRS (Core Rule Set). In other words, this variant uses HTTP/1.2 to get past the Web Application Firewall (WAF) defenses defined in the OWASP ModSecurity CRS.

Note: The OWASP ModSecurity CRS is meant to block the crafted malicious payloads that trigger HTTP Request Smuggling attacks.

Variant 04 – Finally, in the 4th variant it was found that just using a “Content-Type: text/plain” header was sufficient to bypass the “paranoia level 1 and 2 checks” specified in the OWASP ModSecurity CRS and produce the HTTP Request Smuggling vulnerability.

Countermeasures taken

After the findings were confirmed, they were disclosed to Aprelium (the company that makes the Abyss web server), Squid, and OWASP CRS, and the issues were fixed in the following versions:

  1. Abyss X1 v2.14
  2. Squid versions 4.12 and 5.0.3
  3. CRS v3.3.0

Amit Klein also released a C++ library which ensures that all incoming HTTP requests are completely valid, compliant and unambiguous. The library enforces strict adherence to the HTTP header format and the request line format.

The C++ library released by Amit Klein is available on GitHub. The researcher also stressed the need for a robust open source web application firewall that is capable of handling these types of smuggling-based attacks.
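To make Variant 01 and the strict-validation idea above concrete, the following added Python example (not Amit Klein's library and not code from the original article) shows how a first-header-wins parser and a last-header-wins parser split the same bytes into a different number of requests, and how a strict check rejects the request before either parser sees it. The function names, the sample request and the choice to accept only HTTP/1.0 and HTTP/1.1 are assumptions of this example.

```python
import re

# Header field names must be RFC 7230 "token" characters only (no SP, CR or other junk).
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Policy choice of this example: accept only HTTP/1.0 and HTTP/1.1 request lines.
REQUEST_LINE = re.compile(rb"[A-Z]+ [^ \r\n]+ HTTP/1\.[01]")


def split_requests(stream: bytes, pick_last: bool) -> list:
    """Lenient parser: split one connection's bytes into requests, resolving
    duplicate Content-Length headers by taking the last or the first value."""
    requests = []
    while stream:
        head, _, rest = stream.partition(b"\r\n\r\n")
        lengths = [int(line.split(b":", 1)[1]) for line in head.split(b"\r\n")[1:]
                   if line.lower().startswith(b"content-length:")]
        n = (lengths[-1] if pick_last else lengths[0]) if lengths else 0
        requests.append(head + b"\r\n\r\n" + rest[:n])
        stream = rest[n:]
    return requests


def strict_errors(head: bytes) -> list:
    """Strict validator: reasons to reject a request head (the bytes before the blank line)."""
    lines = head.split(b"\r\n")
    errors = []
    if not REQUEST_LINE.fullmatch(lines[0]):
        errors.append("bad request line or unsupported HTTP version")
    names = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name) or b"\r" in value or b"\n" in value:
            errors.append("malformed header line")
        names.append(name.lower())
    if names.count(b"content-length") > 1:
        errors.append("duplicate Content-Length")
    return errors


# Constructed sample: one POST carrying two conflicting Content-Length headers.
INNER = b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE = (b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n"
          b"Content-Length: " + str(len(INNER)).encode() + b"\r\n\r\n" + INNER)

if __name__ == "__main__":
    print(len(split_requests(SAMPLE, pick_last=False)), "request(s) if the first header wins")
    print(len(split_requests(SAMPLE, pick_last=True)), "request(s) if the last header wins")
    print(strict_errors(SAMPLE.partition(b"\r\n\r\n")[0]))
```

A front end that rejects every request for which `strict_errors` returns a non-empty list never forwards bytes whose boundaries the back end could read differently.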

Source – Black Hat Security Conference (USA).