This smuggling attack on HTTP requests would sound pretty new for some of the people out there which I will like to share the information with others just for knowledge-sharing purposes.
What is HTTP Request Smuggling attack ?
An attack technique such as HTTP request smuggling where it normally been compromised by abusing the device that sends request between front-end proxy or chaining multiple servers with been configuring differently.
The attacker will use the method Content-Length or Transfer-Encoding: chunked as a way to send a request to HTTP in order to run the Smuggling Attack Method. This abusing method on the headers will give a request to the attacker which they are smuggled and lead the response of smuggled to a different response of a request.
Tools and how to spot an smuggling reponse
Security Consultant will use various tool to test the smuggling response but the most common tool for this activity would be BurpSuite Pro.
In order to spot a smuggling response on BurpSuite Pro, we need to see the POST request on Content-Length to the system where it will look something as follows:
POST /search HTTP/1.1 Host: examplevulnerable.com Content-Type: application/x-www-form-urlencoded Content-Length: 11 q=testvulenerable
Another smuggling method would be Transfer-Encoding:chunked can be look something as follows:
POST /search HTTP/1.1 Host: examplevulnerable.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked b
Recommendation to HTTP Smuggling Attack
The Smuggling attack can be prevent by follow the procedure as follows:
- Back-end connection will need to disable on reusing on each request have been sent from a different network connection
- The protocol that can be used for back-end connection would be HTTP/2 which will prevent any ambiguity on the request boundaries.
- A system administrator will need to monitor the traffic of the request coming from web application traffic and server either front-end and back-end.