Software Engineering Institute

A flaw in handling HTTP requests that contain the "HTTP Request Smuggling" class of attacksHTTP Request Smuggling attacks involve injecting HTTP request(s) within other HTTP requests. Devices that handle HTTP data, such as web caches and proxy servers, may contribute to a class of attacks known as "HTTP Request Smuggling" attacks. HTTP Request Smuggling attacks occur when specially-crafted HTTP requests are inconsistently processed by multiple interconnected devices. In this manner the secondary request(s) may be "smuggled" through other devices without detection.

As a simple example, including multiple Content-Length headers into a single request may result in interconnected devices handling the request in a different manner. Given two Content-Length headers, partial request data may be processed on one device where another subsequent device (using the longer Content-Length header) may read more request data. This in turn changes the nature of the request and may result in cache poisoning or request hijacking.

HTTP Request Smuggling is outlined in depth in the Watchfire "HTTP Request Smuggling" whitepaper.

Multiple scenarios are possible depending on the devices in use and the strategies that are utilized by the attacker. These attacks may involve cache poisoning, request hijacking, protection bypass, and cross-site scripting.

Apply an update

Contact your vendor for information on updates, patches, and workarounds.