Researcher Demonstrates 4 New Variants of HTTP Request Smuggling (aka HTTP Desyncing) Attack

mood · Aug 5, 2020

Researcher Demonstrates 4 New Variants of HTTP Request Smuggling Attack
August 5, 2020
https://thehackernews.com/2020/08/http-request-smuggling.html

A new research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers.

Amit Klein, VP of Security Research at SafeBreach who presented the findings today at the Black Hat security conference, said that the attacks highlight how web servers and HTTP proxy servers are still susceptible to HTTP request smuggling even after 15 years since they were first documented.
What is HTTP Request Smuggling?
HTTP request smuggling (or HTTP Desyncing) is a technique employed to interfere with the way a website processes sequences of HTTP requests that are received from one or more users.

Vulnerabilities related to HTTP request smuggling typically arise when the front-end (a load balancer or proxy) and the back-end servers interpret the boundary of an HTTP request differently, thereby allowing a bad actor to send (or "smuggle") an ambiguous request that gets prepended to the next legitimate user request.
Click to expand...

What's New?
The new variants disclosed by Klein involve using various proxy-server combinations, including Aprelium's Abyss, Microsoft IIS, Apache, and Tomcat in the web-server mode, and Nginx, Squid, HAProxy, Caddy, and Traefik in the HTTP proxy mode.

Calling for normalization of outbound HTTP Requests from proxy servers, Klein stressed the need for an open source, robust web application firewall solution that's capable of handling HTTP Request Smuggling attacks.
Click to expand...

"ModSecurity (combined with CRS) is indeed an open source project, but as for robustness and genericity, mod_security has several drawbacks," Klein noted. "It doesn't provide full protection against HTTP Request Smuggling [and] it is only available for Apache, IIS and nginx."

To this end, Klein has published a C++-based library that ensures that all incoming HTTP requests are entirely valid, compliant, and unambiguous by enforcing strict adherence to HTTP header format and request line format. It can be accessed from GitHub here.
Click to expand...

mood · Aug 19, 2020

AWS launches open source tool to protect against HTTP request smuggling attacks
HTTP Desync Guardian released to help prevent user accounts from being hijacked
August 18, 2020
https://portswigger.net/daily-swig/...rotect-against-http-request-smuggling-attacks

Amazon Web Services (AWS) has launched a new tool to further protect against HTTP desynchronization attacks.

The tool – dubbed HTTP Desync Guardian – is designed to “analyze HTTP requests to prevent HTTP desync attacks, balancing security and availability”, AWS explains in its GitHub project notes.
HTTP Desync attacks, also known as HTTP request smuggling attacks, were first discovered in 2005 but have been brought back to the fore in recent years.

“HTTP desync attacks (aka HTTP request smuggling) cause a complete breakdown in request/response matching, which can enable attackers to mass-hijack other user’s accounts, persistently compromise pages via cache poisoning, and break into internal systems,” Kettle told The Daily Swig.
Click to expand...

AWS’ new tool prevents this by categorizing HTTP requests into those which are RFC compliant and those which could risk deserialization, flagging potential security issues to users.

“Preventing desync attacks has always required a trade-off between security and compatibility, and HTTP Desync Guardian’s default configuration looks like a good balance,” Kettle said.
Click to expand...

mood · Sep 9, 2020

HTTP request smuggling: HTTP/2 opens a new attack tunnel
Technique dubbed ‘h2c smuggling’ takes advantage of HTTP/1.1 upgrades to bypass proxy access controls
September 9, 2020
https://portswigger.net/daily-swig/http-request-smuggling-http-2-opens-a-new-attack-tunnel

Researchers have demonstrated an alternative to traditional HTTP request smuggling with an attack method to bypass proxy controls and access private endpoints.

Upgrading vulnerable HTTP/1.1 connections to HTTP/2 or HTTP/3 can mitigate the risk of HTTP request smuggling. However, Bishop Fox lead researcher Jake Miller has explained that upgrade methods can also be abused.
In a blog post on Tuesday, Miller said the new method, dubbed ‘h2c smuggling’, impacts HTTP/2 over cleartext (h2c) connections.

This h2c smuggling method allows attackers to bypass proxy controls by transmitting HTTP/1.1 upgrade requests via TLS, which goes directly to back-end servers (h2c upgrades made over TLS violate the protocol’s specification).
Click to expand...

Trigger point
Two requirements are needed to trigger this form of attack – misconfiguration and a back-end that supports h2c upgrades.
It was also possible to perform the attack over some cleartext channels and multiple proxy layers. The only requirement is that the target proxy does not support h2c upgrade requests and will simply forward it on – therefore, the researcher says this attack “will likely succeed on non-encrypted channels as well”.

Bishop Fox has provided tools and demos for the attack technique on GitHub.
“Bypassing these controls may lead to access to internal management endpoints, arbitrary request routing, IP spoofing, and a variety of other privilege escalation opportunities.
Click to expand...

h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)

The revival of HTTP request smuggling has led to devastating vulnerabilities in our modern application deployments. An HTTP request smuggled past the validation of an edge server can lead to serious consequences, including forged internal headers, access to internal management endpoints, and a variety of opportunities for privilege escalation.

HTTP/2 (or HTTP/3) is a promising solution to the issues we’ve faced with request smuggling, but support for HTTP/1.1 isn’t going away anytime soon. In the meantime, we’re still in for more surprises from our good friend HTTP/1.1.
Click to expand...

Log in or Sign up

Researcher Demonstrates 4 New Variants of HTTP Request Smuggling (aka HTTP Desyncing) Attack

mood Updates Team

mood Updates Team

mood Updates Team

Log in or Sign up

Researcher Demonstrates 4 New Variants of HTTP Request Smuggling (aka HTTP Desyncing) Attack

mood Updates Team

mood Updates Team

mood Updates Team

Useful Searches