Glossary
HTTP Request Smuggling exploits the discrepancy in parsing non-RFC-compliant HTTP requests between two HTTP devices (typically a front-end proxy or HTTP-enabled firewall and a backend server). The HTTP Request Smuggling technique is performed by sending multiple specially crafted HTTP requests that cause two attacked entities to see two different sets of requests. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.
Most HTTP request smuggling vulnerabilities arise because the HTTP specification provides two different ways to specify where a request ends: the Content-Length header and the Transfer-Encoding header. Sending both of these headers in the same request is where the conflict can occur.
If we modify the request to include a smuggled request, we insert both the Content-Length and Transfer-Encoding headers. When this request is sent multiple times, it goes through, with the front end interpreting the first header, Content-Length, and the back end using the Transfer-Encoding header. This causes the secondary request to be attached to the response of another request. Whether this is visible depends on the number of requests sent back and forth to the server.
This facilitates several possible exploits, such as partial cache poisoning, bypassing firewall protection, and cross-site scripting (XSS).
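One way a front end can refuse the ambiguous framing described above before forwarding a request, shown as an added example that is not part of the original glossary entry. The function names and the sample requests are constructed for illustration, and the checks go slightly beyond the both-headers case to cover duplicate or malformed length headers.

```python
# Added example: strict framing check a front end could apply before forwarding.
# Function names and the sample requests below are constructed for illustration.

def parse_headers(raw: bytes):
    """Split the header section of a raw request into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("header line without a colon")
        pairs.append((name, value.strip(b" \t")))
    return pairs


def framing_issues(raw: bytes):
    """Return the reasons this request's length framing is ambiguous."""
    try:
        pairs = parse_headers(raw)
    except ValueError as exc:
        return [str(exc)]
    issues = []
    if any(name != name.strip() or not name for name, _ in pairs):
        issues.append("whitespace around a header name")
    cl = [v for n, v in pairs if n.strip().lower() == b"content-length"]
    te = [v for n, v in pairs if n.strip().lower() == b"transfer-encoding"]
    if cl and te:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        issues.append("non-numeric Content-Length")
    if te:
        codings = [c.strip().lower() for c in b",".join(te).split(b",")]
        if codings[-1] != b"chunked":
            issues.append("Transfer-Encoding does not end in chunked")
    return issues


# Constructed sample requests (header sections only, no bodies).
SAMPLES = {
    "plain": b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n",
    "both": b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n",
    "spaced": b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
              b"Transfer-Encoding : chunked\r\n\r\n",
    "odd_te": b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
              b"Transfer-Encoding: xchunked\r\n\r\n",
}
```

A request with any listed issue is best rejected with a 400 and the connection closed, so that the front end and back end never have to agree on where it ends.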
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling