Description
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of it.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
Consequences
Integrity, Non-Repudiation, Access Control: Unexpected State, Hide Activities, Bypass Protection Mechanism
An attacker could craft a request that exploits a number of weaknesses, including: 1) the request can trick the web server into associating a URL with another URL's web page and caching the contents of that page (a web cache poisoning attack); 2) the request can be structured to bypass the firewall's protection mechanisms and gain unauthorized access to a web application; and 3) the request can invoke a script or a page that returns client credentials (similar to a Cross-Site Scripting attack).
Potential Mitigations
Phase: Implementation
Description:
Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Phase: Implementation
Description:
Use only SSL communication.
Phase: Implementation
Description:
Terminate the client session after each request.
Phase: System Configuration
Description:
Mark all pages as non-cacheable.
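As an added example that is not part of this CWE entry, the strict HTTP parsing the first mitigation calls for can be illustrated with a front-end check that refuses any request whose body framing two parsers could read differently, in particular the inconsistent Transfer-Encoding and Content-Length headers the CVE references below describe. The function names and the sample requests are constructed for this example.

```python
import re

TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 token


def parse_request(raw: bytes):
    """Split one buffered request into (request-line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Whitespace before the colon, a non-token name, or a bare CR/LF in
        # the line are the classic ways one parser sees a header the other
        # ignores, so they are rejected instead of tolerated.
        if b"\r" in line or b"\n" in line or not colon or not TOKEN_RE.match(name):
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip(b" \t")))  # strip OWS only
    return lines[0], headers, body


def check_framing(raw: bytes) -> str:
    """Return 'ok' if the body framing is unambiguous, else 'reject: <why>'."""
    try:
        _, headers, body = parse_request(raw)
    except ValueError as exc:
        return f"reject: {exc}"
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and cl:
        # RFC 7230 3.3.3 allows treating this as an error; never guess which wins.
        return "reject: both Transfer-Encoding and Content-Length present"
    if len(set(cl)) > 1:
        return "reject: conflicting Content-Length values"
    if cl and not cl[0].isdigit():
        return "reject: non-numeric Content-Length"
    if te:
        codings = [c.strip(b" \t").lower() for c in b",".join(te).split(b",")]
        # Only a literal final 'chunked' is accepted; variant spellings are
        # exactly what different parsers disagree on.
        if codings[-1] != b"chunked" or not all(TOKEN_RE.match(c) for c in codings):
            return "reject: Transfer-Encoding is not a plain final 'chunked'"
    if cl and len(body) != int(cl[0]):
        # Trailing bytes would be a second request riding on this one.
        return "reject: body length does not match Content-Length"
    return "ok"


# Constructed sample requests for this example (not from any real CVE).
GOOD = b"POST /x HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\n\r\nabcd"
AMBIGUOUS = (b"POST /x HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
```

A front-end that applies `check_framing` and answers a rejected request with 400 removes the disagreement the CVEs below depend on; a real deployment would also validate the chunked body itself before forwarding.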
CVE References
- CVE-2005-2088: Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2089: Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2090: Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2091: Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2092: Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2093: Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.
- CVE-2005-2094: Web servers allow request smuggling via inconsistent Transfer-Encoding and Content-Length headers.