Researcher Demonstrates 4 New Variants of HTTP Request Smuggling (aka HTTP Desyncing) Attack

mood · Aug 5, 2020

Researcher Demonstrates 4 New Variants of HTTP Request Smuggling Attack
August 5, 2020
https://thehackernews.com/2020/08/http-request-smuggling.html

A new research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers.

Amit Klein, VP of Security Research at SafeBreach who presented the findings today at the Black Hat security conference, said that the attacks highlight how web servers and HTTP proxy servers are still susceptible to HTTP request smuggling even after 15 years since they were first documented.
What is HTTP Request Smuggling?
HTTP request smuggling (or HTTP Desyncing) is a technique employed to interfere with the way a website processes sequences of HTTP requests that are received from one or more users.

Vulnerabilities related to HTTP request smuggling typically arise when the front-end (a load balancer or proxy) and the back-end servers interpret the boundary of an HTTP request differently, thereby allowing a bad actor to send (or "smuggle") an ambiguous request that gets prepended to the next legitimate user request.
Click to expand...

What's New?
The new variants disclosed by Klein involve using various proxy-server combinations, including Aprelium's Abyss, Microsoft IIS, Apache, and Tomcat in the web-server mode, and Nginx, Squid, HAProxy, Caddy, and Traefik in the HTTP proxy mode.

Calling for normalization of outbound HTTP Requests from proxy servers, Klein stressed the need for an open source, robust web application firewall solution that's capable of handling HTTP Request Smuggling attacks.
Click to expand...

"ModSecurity (combined with CRS) is indeed an open source project, but as for robustness and genericity, mod_security has several drawbacks," Klein noted. "It doesn't provide full protection against HTTP Request Smuggling [and] it is only available for Apache, IIS and nginx."

To this end, Klein has published a C++-based library that ensures that all incoming HTTP requests are entirely valid, compliant, and unambiguous by enforcing strict adherence to HTTP header format and request line format. It can be accessed from GitHub here.
Click to expand...

mood · Aug 19, 2020

AWS launches open source tool to protect against HTTP request smuggling attacks
HTTP Desync Guardian released to help prevent user accounts from being hijacked
August 18, 2020
https://portswigger.net/daily-swig/...rotect-against-http-request-smuggling-attacks

Amazon Web Services (AWS) has launched a new tool to further protect against HTTP desynchronization attacks.

The tool – dubbed HTTP Desync Guardian – is designed to “analyze HTTP requests to prevent HTTP desync attacks, balancing security and availability”, AWS explains in its GitHub project notes.
HTTP Desync attacks, also known as HTTP request smuggling attacks, were first discovered in 2005 but have been brought back to the fore in recent years.

“HTTP desync attacks (aka HTTP request smuggling) cause a complete breakdown in request/response matching, which can enable attackers to mass-hijack other user’s accounts, persistently compromise pages via cache poisoning, and break into internal systems,” Kettle told The Daily Swig.
Click to expand...

AWS’ new tool prevents this by categorizing HTTP requests into those which are RFC compliant and those which could risk deserialization, flagging potential security issues to users.

“Preventing desync attacks has always required a trade-off between security and compatibility, and HTTP Desync Guardian’s default configuration looks like a good balance,” Kettle said.
Click to expand...

mood · Sep 9, 2020

HTTP request smuggling: HTTP/2 opens a new attack tunnel
Technique dubbed ‘h2c smuggling’ takes advantage of HTTP/1.1 upgrades to bypass proxy access controls
September 9, 2020
https://portswigger.net/daily-swig/http-request-smuggling-http-2-opens-a-new-attack-tunnel

Researchers have demonstrated an alternative to traditional HTTP request smuggling with an attack method to bypass proxy controls and access private endpoints.

Upgrading vulnerable HTTP/1.1 connections to HTTP/2 or HTTP/3 can mitigate the risk of HTTP request smuggling. However, Bishop Fox lead researcher Jake Miller has explained that upgrade methods can also be abused.
In a blog post on Tuesday, Miller said the new method, dubbed ‘h2c smuggling’, impacts HTTP/2 over cleartext (h2c) connections.

This h2c smuggling method allows attackers to bypass proxy controls by transmitting HTTP/1.1 upgrade requests via TLS, which goes directly to back-end servers (h2c upgrades made over TLS violate the protocol’s specification).
Click to expand...

Trigger point
Two requirements are needed to trigger this form of attack – misconfiguration and a back-end that supports h2c upgrades.
It was also possible to perform the attack over some cleartext channels and multiple proxy layers. The only requirement is that the target proxy does not support h2c upgrade requests and will simply forward it on – therefore, the researcher says this attack “will likely succeed on non-encrypted channels as well”.

Bishop Fox has provided tools and demos for the attack technique on GitHub.
“Bypassing these controls may lead to access to internal management endpoints, arbitrary request routing, IP spoofing, and a variety of other privilege escalation opportunities.
Click to expand...

h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)

The revival of HTTP request smuggling has led to devastating vulnerabilities in our modern application deployments. An HTTP request smuggled past the validation of an edge server can lead to serious consequences, including forged internal headers, access to internal management endpoints, and a variety of opportunities for privilege escalation.

HTTP/2 (or HTTP/3) is a promising solution to the issues we’ve faced with request smuggling, but support for HTTP/1.1 isn’t going away anytime soon. In the meantime, we’re still in for more surprises from our good friend HTTP/1.1.
Click to expand...

mood · Aug 6, 2021

HTTP/2 Implementation Errors Exposing Websites to Serious Risks
August 6, 2021
https://www.darkreading.com/applica...ion-errors-exposing-websites-to-serious-risks

Implementation flaws and imperfections in the technical specifications around HTTP/2 are exposing websites using the network protocol to a brand-new set of risks, a security researcher warned in a presentation at Black Hat USA Thursday.

James Kettle - director of research at PortSwigger who at Black Hat two years demonstrated so-called Desync attacks against websites using the HTTP protocol - this week showed how similar attacks could be carried out with potentially severe consequences against websites using the HTTP/2 standard.
Click to expand...

As proof-of-concept, Kettle described attacks he was able to execute using his techniques against websites belonging to organizations such as Netflix, those powered by Amazon's application load balancer, and websites using Imperva's cloud Web application firewall. In many instances he was able to redirect requests from Web-facing servers at these sites to his own server.

Nearly 50% of all websites currently use the HTTP/2 (H2) protocol, which was introduced in 2015 as a faster and simpler alternative to HTTP/1.1.
According to Kettle, a whole slew of security issues can surface when organizations fail to use HTTP/2 in an end-to-end fashion. Instead, they have a front-end server that speaks HTTP/2 with clients and then rewrites requests from those clients back to HTTP/1.1 before forwarding them to a back-end server.

"A vast majority of the servers that speak HTTP/2 actually speak HTTP/1 to the back-end," he said during his Black Hat talk. They speak H2 to the client and H1 with the back-end, Kettle said.
Click to expand...

He also released an updated version of HTTP Request Smuggler, a tool that organizations can use to detect HTTP/2 specific vulnerabilities on their network. Burp Suite vulnerability scanner has also been updated to detect these vulnerabilities, Kettle said.

"Please just avoid HTTP/2 downgrading," he advised. "Just speak HTTP/2 end-to-end. If you do that, about 80% of the attacks from this presentation simply won't work."
Click to expand...

mood · Aug 10, 2021

HTTP Request Smuggling in Web Proxies
Vulnerability Note VU#357312
August 6, 2021 (Updated: August 9, 2021)
https://kb.cert.org/vuls/id/357312

Overview
HTTP web proxies and web accelerators that support HTTP/2 for an HTTP/1.1 backend webserver are vulnerable to HTTP Request Smuggling.
Description
The affected systems allow invalid characters such as carriage return and newline characters in HTTP/2 headers. When an attacker passes these invalid contents to a vulnerable system, the forwarded HTTP/1 request includes the unintended malicious data. This is commonly known as HTTP Request Splitting. In the case of HTTP web proxies, this vulnerability can lead to HTTP Request smuggling, which enables an attacker to access protected internal sites.
Click to expand...

Impact
An attacker can send a crafted HTTP/2 request with malicious content to bypass network security measures, thereby reaching internal protected servers and accessing sensitive data.
Solution
Apply updates
Install vendor-provided patches and updates to ensure malicious HTTP/2 content is blocked or rejected as described in RFC 7540 (Section 8.1.2.6) and RFC 7540 (Section 10.3).
Inspect and block anomalous HTTP/2 traffic
If HTTP/2 is not supported, block the protocol on the web proxies to avoid abuse of HTTP/2 protocol. Where HTTP/2 is supported, enforce strict rules for HTTP header checks to ensure malicious headers are normalized or rejected.
Test and verify your web proxy
Click to expand...

mood · Dec 6, 2021

New differential fuzzing tool reveals novel HTTP request smuggling techniques
White paper systematically examines the attack while showcasing a ‘laundry list’ of new flaws
November 25, 2021

Researchers have released a new fuzzing tool used for finding novel HTTP request smuggling techniques.

The tool, dubbed ‘T-Reqs’, was built by a team from Northeastern University, Boston, and Akamai.
In a white paper (PDF) the researchers discuss how they discovered a wealth of new vulnerabilities using the fuzzing tool, which they said can be used by bug bounty hunters and researchers alike.
Click to expand...

Previous research into the exploit targeted the Content-Length and Transfer-Encoding headers.
This new research instead focusses on HTTP request smuggling (HRS) as a system interaction problem involving at least two HTTP processors on the traffic path.

The paper reads: “These processors may not necessarily be individually buggy; but when used together, they disagree on the parsing or semantics of a given HTTP request, which leads to a vulnerability.
Click to expand...

Tool for success
T-Reqs, which is shorthand for ‘two requests’, is a grammar-based HTTP fuzzer that generates HTTP requests and applies mutations to them to trigger potential server processing quirks.

It exercises two target servers with the same mutated request, and compares the responses to identify discrepancies that lead to smuggling attacks.
“It is a tool that discovers novel smuggling vulnerabilities. This is particularly useful for server developers, and in fact several vendors mentioned in our paper are now using it for their internal testing.
Click to expand...

Onarlioglu said that they decided to explore the topic because the HTTP specification is extremely complex, so the team figured there was a “plethora of server technologies out there with their quirks”, and “there must be unfathomed opportunities to smuggle requests”.
Click to expand...

mood · Aug 11, 2022 at 8:33 AM

New HTTP Request Smuggling Attacks Target Web Browsers
August 11, 2022

BLACK HAT USA -- LAS VEGAS -- A security researcher who previously demonstrated how attackers can abuse weaknesses in the way websites handle HTTP requests warned that the same issues can be used in damaging browser-based attacks against users. to smuggle in malicious HTTP requests, [...]

James Kettle, director of PortSwigger, described his research as shedding new light on so-called desync attacks that exploit disagreements in how a website's back-end and front-end servers interpret HTTP requests.
Click to expand...

Kettle's new research focuses on how threat actors can exploit the same improper HTTP request handling issues to also attack website users and steal credentials, install back doors, and compromise their systems in other ways. Kettle said he had identified HTTP handling anomalies that enabled such client-side desync attacks on sites such as amazon.com, those using the AWS Application Load Balancer, Cisco ASA WebVPN, Akamai, Varnish Cache servers and Apache HTTP Server 2.4.52 and earlier.

Cisco opened a CVE for the vulnerability (CVE-2022-20713) after Kettle informed the company about it and described the issue as allowing an unauthenticated, remote attacker to conduct browser-based attacks on website users.

"An attacker could exploit this vulnerability by convincing a targeted user to visit a website that can pass malicious requests to an ASA device that has the Clientless SSL VPN feature enabled," the company noted.
Click to expand...

Apache identified its HTTP request smuggling vulnerability (CVE-2022-22720) as tied to a failure "to close inbound connection when errors are encountered discarding the request body." Varnish described its vulnerability (CVE-2022-23959) as allowing attackers to inject spurious responses on client connections.

In a whitepaper released today, Kettle said there were two separate scenarios where HTTP handling anomalies could have security implications,
Click to expand...

The best way for websites to mitigate client-side desync attacks is to use HTTP/2 end-to-end, Kettle said. It's generally not a good idea to have a front end that supports HTTP/2 and a backend that is HTTP/1.1.
Click to expand...

Log in or Sign up

Researcher Demonstrates 4 New Variants of HTTP Request Smuggling (aka HTTP Desyncing) Attack

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team