HTTP Request Smuggling / HTTP Desync Attack
👉 Overview
👀 What ?
HTTP Request Smuggling, also known as HTTP Desync Attack, is a high-severity vulnerability that targets the communication between web servers, proxies, and caching technologies. In essence, it involves sending ambiguous ("desynchronized") HTTP requests that cause these components to disagree on where one request ends and the next begins, which can lead to several types of attacks including cache poisoning, session hijacking, and even remote code execution.
🧐 Why ?
This attack is important because of its potential to compromise the security of web applications even when they are protected by WAFs or other security measures. Additionally, it has a wide reach, affecting a range of components in the web ecosystem, including reverse proxies, web servers, caching engines, and even client-side browsers. Understanding this attack helps in implementing appropriate mitigation measures and improving the overall security posture.
⛏️ How ?
To exploit this vulnerability, an attacker sends a specially crafted HTTP request that causes the front-end and back-end servers to disagree on the boundaries of the HTTP requests. Subsequent legitimate requests on the same connection can then be interpreted differently from how they were sent, leading to unwanted side effects.
⏳ When ?
HTTP Request Smuggling attacks have been known since the early days of the web, but they gained more attention in 2005 when the security researcher Watchfire found a way to automate the attack. They have been a part of the OWASP Top 10 list of web security risks since then.
⚙️ Technical Explanations
At the heart of HTTP Request Smuggling is a disagreement over the interpretation of HTTP message boundaries. The body of an HTTP/1.1 message can be delimited in two ways: by a Content-Length header, or by chunked Transfer-Encoding. When both of these headers are present in a request and they imply different body lengths, the front-end and back-end servers may disagree on where one message ends and the next one begins. One server can then treat part of the next message as part of the current one, which is what enables the various attacks described above.
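The following is an added example and is not part of the original page. It models the framing disagreement described above with a small HTTP/1.1 message framer in Python: the same constructed byte buffer is split into messages under a Content-Length-only policy (as a front-end that ignores Transfer-Encoding might do), under a Transfer-Encoding policy (as RFC 7230 prescribes), and under a strict policy that refuses ambiguous messages, which is the behaviour a defender wants at the front-end. The function and policy names (frame_messages, "cl", "te", "strict") and the sample request are assumptions constructed for this illustration.

```python
"""Toy HTTP/1.1 message framer showing the Content-Length vs Transfer-Encoding ambiguity.

Added illustration, not code from the original page. Policy names and the sample
buffer are constructed for this example.
"""

CRLF = b"\r\n"


def split_head(buf: bytes, start: int):
    """Parse the request line and headers of the message starting at `start`.

    Returns (request_line, headers, body_start) or None if the head is incomplete.
    Header names are lower-cased; repeated headers are collected in a list.
    """
    end = buf.find(CRLF + CRLF, start)
    if end == -1:
        return None
    lines = buf[start:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, end + 4


def chunked_body_end(buf: bytes, start: int):
    """Return the offset just past a chunked body (including the 0-chunk and trailers),
    or None if the body is not yet complete in the buffer."""
    pos = start
    while True:
        line_end = buf.find(CRLF, pos)
        if line_end == -1:
            return None
        size = int(buf[pos:line_end].split(b";")[0].strip() or b"0", 16)
        pos = line_end + 2
        if size == 0:
            # Last chunk: skip any trailer lines until the empty line that ends the message.
            while True:
                le = buf.find(CRLF, pos)
                if le == -1:
                    return None
                if le == pos:
                    return pos + 2
                pos = le + 2
        pos += size + 2  # chunk data plus its trailing CRLF
        if pos > len(buf):
            return None


def frame_messages(buf: bytes, policy: str):
    """Split `buf` into (request_line, body) messages under a framing policy.

    "cl"     - use Content-Length only, ignoring Transfer-Encoding (a lax front-end)
    "te"     - chunked Transfer-Encoding overrides Content-Length (RFC 7230 section 3.3.3)
    "strict" - like "te", but reject messages whose framing is ambiguous
    Returns (messages, leftover_bytes): leftover bytes are what a server would
    keep in its connection buffer and prepend to the *next* request.
    """
    messages = []
    pos = 0
    while pos < len(buf):
        parsed = split_head(buf, pos)
        if parsed is None:
            break  # incomplete head: a real server would wait for more bytes
        req_line, headers, body_start = parsed
        cl = headers.get("content-length", [])
        te = headers.get("transfer-encoding", [])
        chunked = any("chunked" in v.lower() for v in te)
        if policy == "strict":
            if cl and te:
                raise ValueError("ambiguous framing: both Content-Length and Transfer-Encoding")
            if len(set(cl)) > 1:
                raise ValueError("conflicting Content-Length values")
        if chunked and policy in ("te", "strict"):
            body_end = chunked_body_end(buf, body_start)
            if body_end is None:
                break
        else:
            body_end = body_start + (int(cl[0]) if cl else 0)
            if body_end > len(buf):
                break
        messages.append((req_line, buf[body_start:body_end]))
        pos = body_end
    return messages, buf[pos:]


# Constructed sample: both headers present, and they disagree on the body length.
SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"X"
)

if __name__ == "__main__":
    for policy in ("cl", "te"):
        msgs, rest = frame_messages(SAMPLE, policy)
        print(policy, "->", msgs, "leftover:", rest)
    try:
        frame_messages(SAMPLE, "strict")
    except ValueError as exc:
        print("strict ->", exc)
```

Under "cl" the whole buffer is consumed as one 6-byte body; under "te" the body ends at the zero-length chunk and the trailing byte is left in the connection buffer, where it would be prepended to whatever request arrives next on that connection. That leftover is exactly the desynchronization the text describes. The "strict" policy is the mitigation side: RFC 7230 states that Transfer-Encoding overrides Content-Length and that a message carrying both ought to be handled as an error, so a front-end that refuses such requests (or normalizes every request to a single unambiguous framing before forwarding) removes the disagreement at its source.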