
Description

When malformed or abnormal HTTP requests pass through one or more entities in the data flow between the user and the web server, such as a proxy or firewall, those entities can interpret the requests inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of it.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-436

Consequences

Integrity, Non-Repudiation, Access Control: Unexpected State, Hide Activities, Bypass Protection Mechanism

An attacker could create a request to exploit a number of weaknesses, including: 1) the request can trick the web server into associating a URL with another URL's webpage and caching the contents of that webpage (web cache poisoning attack), 2) the request can be structured to bypass the firewall protection mechanisms and gain unauthorized access to a web application, and 3) the request can invoke a script or a page that returns client credentials (similar to a Cross Site Scripting attack).

Potential Mitigations

Phase: Implementation

Description: 

Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].

Phase: Implementation

Description: 

Use only SSL communication.

Phase: Implementation

Description: 

Terminate the client session after each request.

Phase: System Configuration

Description: 

Make all pages non-cacheable.

CVE References

  • CVE-2005-2088
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2089
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2090
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2091
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2092
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2093
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
  • CVE-2005-2094
    • Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.