Detailed Explanation of HTTP Request Smuggling Attacks

Description
HTTP request smuggling is a security vulnerability that exploits discrepancies in HTTP protocol parsing. Attackers craft special HTTP requests, causing front-end servers (such as reverse proxies, load balancers) and back-end servers to interpret the request boundaries differently, leading to misparsed requests. This attack can lead to serious consequences like cache poisoning, session hijacking, and bypassing security restrictions.

Prerequisite Knowledge

  1. HTTP/1.1 supports persistent connections (Keep-Alive), allowing multiple requests to be sent over the same TCP connection.
  2. Request boundaries are defined by the Content-Length (CL) and Transfer-Encoding (TE) headers.
  3. Request smuggling occurs when there is an inconsistency in protocol parsing between front-end and back-end servers.

Step-by-Step Analysis of the Attack Principle

Step 1: Understanding Boundary Definition Mechanisms

  • Content-Length mechanism: explicitly specifies the byte count of the message body (12 here, the length of "hello world!").
    POST /test HTTP/1.1
    Content-Length: 12
    \r\n
    hello world!
    
  • Transfer-Encoding: chunked mechanism: the body is sent as a series of chunks, each prefixed by its length in hex, and ends with a zero-length chunk followed by an empty line.
    POST /test HTTP/1.1
    Transfer-Encoding: chunked
    \r\n
    5\r\n
    hello\r\n
    6\r\n
    world!\r\n
    0\r\n
    \r\n
    

Step 2: Identifying Parsing Discrepancy Points
Key vulnerability points: Servers handle the priority of CL and TE headers differently.

  • Case 1: Front-end uses CL, back-end uses TE.
  • Case 2: Front-end uses TE, back-end uses CL.
  • Case 3: Priority conflict when both headers are present.

Step 3: CL-TE Attack (Front-end respects CL, Back-end respects TE)
Attack request construction:

POST / HTTP/1.1
Host: example.com
Content-Length: 6
Transfer-Encoding: chunked
\r\n
0\r\n        # Back-end (TE) treats this zero-length chunk as the end of the body
\r\n
G          # Front-end (CL) counts this as the 6th body byte; back-end treats it as the start of the next request

Result: the front-end reads all 6 body bytes ("0\r\n\r\nG") and forwards them, but the back-end stops at the zero-length chunk, so the character "G" is left on the connection and treated by the back-end as the first character of the next request.

Step 4: TE-CL Attack (Front-end respects TE, Back-end respects CL)
Attack request construction:

POST / HTTP/1.1
Host: example.com
Content-Length: 3
Transfer-Encoding: chunked
\r\n
8\r\n        # Front-end parses chunk length
SMUGGLED\r\n # Front-end treats this as the 8-byte chunk body
0\r\n        # Front-end treats the request as ended
\r\n

Since the back-end prioritizes CL, it only reads 3 bytes ("8\r\n") as the body. The remaining content ("SMUGGLED\r\n0\r\n\r\n") is left on the connection and is prepended to whatever request arrives next.

Step 5: Defense Strategies

  1. Disable connection reuse: Use Connection: close for sensitive requests.
  2. Use HTTP/2: Completely eliminates protocol ambiguity issues.
  3. Server configuration: Ensure front-end and back-end use the same parsing logic.
  4. Front-end servers: Normalize ambiguous requests before forwarding.
  5. Back-end servers: Reject requests containing both CL and TE headers.
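The CL-TE and TE-CL splits from Steps 3 and 4, together with the reject rule in defense item 5, as an added example (not code from the original article): a small Python framer that parses the same raw request under a CL-first and a TE-first policy and returns what each server would leave on the connection for the next request. The two sample requests are constructed byte for byte from the text; function names are my own.

```python
# Added example, not the article's code: frame one raw HTTP/1.1 request under
# a CL-first and a TE-first policy so the two servers' disagreement is visible,
# plus the reject rule a front-end should apply. Samples are constructed from
# the Step 3 and Step 4 requests, byte for byte.
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
TE_CL = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 3\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n8\r\nSMUGGLED\r\n0\r\n\r\n")

def parse_headers(raw: bytes):
    """Return ({lowercase name: value}, offset at which the body starts)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:           # [0] is the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, len(head) + 4

def chunked_end(raw: bytes, pos: int) -> int:
    """Walk chunked framing from pos; return the offset just past the end."""
    while True:
        line_end = raw.index(b"\r\n", pos)
        size = int(raw[pos:line_end].split(b";")[0], 16)  # drop chunk-ext
        pos = line_end + 2
        if size == 0:                                     # last-chunk
            return raw.index(b"\r\n", pos) + 2            # empty trailer CRLF
        pos += size + 2                                   # chunk data + CRLF

def frame(raw: bytes, policy: str) -> tuple:
    """Split raw into (first request, leftover) as a 'cl-first' or 'te-first'
    server would; leftover is what it treats as the next request's start."""
    headers, start = parse_headers(raw)
    cl = headers.get(b"content-length")
    chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
    if chunked and not (policy == "cl-first" and cl is not None):
        end = chunked_end(raw, start)
    else:
        end = start + int(cl or 0)
    return raw[:end], raw[end:]

def is_ambiguous(raw: bytes) -> bool:
    """Defense item 5: both framing headers present. RFC 7230 s3.3.3 says TE
    overrides CL in that case and such a message ought to be treated as an error."""
    headers, _ = parse_headers(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers
```

Calling frame(CL_TE, "te-first") leaves b"G" on the connection while frame(CL_TE, "cl-first") leaves nothing, which is exactly the disagreement Step 3 describes; the same call pair on TE_CL shows the reverse.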

Detection Methods

  • Time delay technique: Detect request queues through differences in response times.
  • Differential reflection: Influence subsequent request responses using smuggled content.

The severity of this attack depends on the specific application scenario but can lead to significant security bypass issues.