HTTP Header Smuggling can be abused to sneak malicious code into back-end servers

guest · Nov 17, 2021

Researcher Details Vulnerabilities Found in AWS API Gateway
AWS fixed the security flaws that left the API service at risk of so-called HTTP header-smuggling attacks
November 10, 2021
https://www.darkreading.com/vulnera...ails-vulnerabilities-found-in-aws-api-gateway

All it took was a space between characters and a few random letters, and Web researcher Daniel Thatcher was able to modify the HTTP header sent to Amazon API Gateway.

At this week's Black Hat Europe, Thatcher, researcher and penetration tester at Intruder, demonstrated how he found flaws in the service that allowed him to bypass the API Gateway's IP address restrictions and wage a cache-poisoning attack using so-called HTTP header-smuggling.
Click to expand...

Header-smuggling is a technique in which an attacker dupes a front-end server into sneaking malicious or phony information to the back-end server within the HTTP header, for example. HTTP (and HTTPS) headers carry information such as the client's browser, cookies, and IP address, as well as the requested Web page.

"The front-end server tries to strip out" invalid headers, but it can't see the modified header, so it slips to the back-end server, he explains.
Click to expand...

But Thatcher later found a second hole in AWS API Gateway that allowed him to use HTTP header-smuggling to sneak phony headers to the back end and employ a cache poisoning attack on the server, which he explains could let an attacker create their own API and return malicious content.
Click to expand...

Free Hacking Tool
Thatcher today also will release a free, open source tool for testing Web servers for weaknesses that could allow an attacker to pull off an HTTP header-smuggling attack. The tool, which Thatcher built using researcher James Kettle's Param Miner Burp Suite toolkit, looks for header mutations that could leave the door open for HTTP header-smuggling. It provides a way for researchers to smuggle various headers through to the back-end server.
Click to expand...

Thatcher's research likely only scratches the surface of how header smuggling can root out Web vulnerabilities, he warns. Other vulnerabilities are likely to be found.
Click to expand...

Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond

Modern web applications typically rely on chains of multiple servers, which forward HTTP requests to one another. The attack surface created by this forwarding is increasingly receiving more attention, including the recent popularisation of cache poisoning and request smuggling vulnerabilities.

Much of this exploration, especially recent request smuggling research, has developed new ways to hide HTTP request headers from some servers in the chain while keeping them visible to others – a technique known as "header smuggling". This paper presents a new technique for identifying header smuggling and demonstrates how header smuggling can lead to cache poisoning, IP restriction bypasses, and request smuggling.
Click to expand...

Log in or Sign up

HTTP Header Smuggling can be abused to sneak malicious code into back-end servers

guest Guest

Log in or Sign up

HTTP Header Smuggling can be abused to sneak malicious code into back-end servers

guest Guest

Useful Searches