HTTP has become the de facto standard of today's Web, and it brings new security risks to applications. HTTP request smuggling is one of the few high-risk HTTP vulnerabilities to surface in the past year. In this article we describe it in detail and introduce an open-source HTTP request smuggling detection tool for finding such vulnerabilities.
According to Wikipedia, HTTP is already widely adopted across the Internet.
The standard is supported by the Chrome, Opera, Firefox, Internet Explorer 11, Safari, Amazon Silk and Edge browsers. By the end of 2015 most popular browsers had added HTTP support. Approximately 97% of web browsers have this feature, and according to W3Techs data, as of March 2021, 50.2% of the top 10 million websites support HTTP.
What Is Request Smuggling?
Request smuggling is a vulnerability caused by differences in how requests are parsed. When a client's request is relayed from one server to another, the two servers can interpret it differently. Suppose you need to send a greeting to a friend in another city but cannot call them, so you give the message to another friend who is travelling to that city in a few days. You recite the greeting carefully, and the travelling friend memorises it completely. Unfortunately, the travelling friend has a strong accent and cannot deliver the greeting as you said it, so the receiving friend does not recognise it and hears "comrade" instead of "congratulations." This is exactly what happens in request smuggling, with servers in place of friends. Since all the servers involved are our friends anyway, the above definition is rather strict.
Technically speaking, HTTP request smuggling is a web vulnerability that can arise in a reverse-proxy architecture, where a client request is relayed from one server (the front-end, a cache server or a load balancer) to another (the back-end), and the front-end communicates with the back-end over HTTP using keep-alive (persistent) connections.
Request smuggling poses a security risk because an attacker can make the servers parse a malicious request in different ways. Usually the attacker wants to trick one server into believing that the request ends sooner than it actually does, so that the remaining bytes are queued and parsed as a separate request.
Such vulnerabilities have a wide range of impacts, which can lead to authentication bypass, information leakage, XSS, CRLF injection and more. For example, if an attacker can force the server to store the data it receives, they may capture HTTP requests from other users, including cookies, which enables account hijacking. In other cases the attacker can poison the cache on the front-end server, producing the equivalent of a reflected or stored XSS.
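The parsing disagreement described above is only possible when a request's body framing can be read in two ways. As an added, defender-side example (not the article's code and not part of the smuggle.py tool), the check below is the kind of front-end validation that refuses such requests outright, following the rules of RFC 7230 section 3.3.3; the sample requests are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample requests (not captured traffic). The first is well formed;
# each of the others carries one framing ambiguity a front-end should refuse.
SAMPLES: Dict[str, bytes] = {
    "clean": b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
    "cl_and_te": (b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "dup_cl": (b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n"
               b"Content-Length: 6\r\n\r\nhello"),
    "space_in_name": (b"POST / HTTP/1.1\r\nHost: x\r\n"
                      b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n"),
}


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the head of a raw request into (name, value) pairs, unmodified."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.decode("latin-1").partition(":")
        pairs.append((name, value))
    return pairs


def framing_problem(raw: bytes) -> Optional[str]:
    """Return why the body framing is ambiguous, or None if it is unambiguous."""
    pairs = parse_headers(raw)
    # Whitespace in a field name is invalid (RFC 7230 3.2.4); lenient parsers
    # disagree on whether to honour such a header, the exact split a desync needs.
    if any(re.search(r"\s", name) for name, _ in pairs):
        return "whitespace in header name"
    cl = [v.strip(" \t") for n, v in pairs if n.lower() == "content-length"]
    te = [v.strip(" \t") for n, v in pairs if n.lower() == "transfer-encoding"]
    if cl and te:  # RFC 7230 3.3.3: may indicate smuggling, reject the message
        return "both Content-Length and Transfer-Encoding present"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if cl and not re.fullmatch(r"[0-9]+", cl[0]):
        return "Content-Length is not a plain decimal"
    if te:
        codings = [c.strip(" \t").lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            return "chunked must appear exactly once, as the final coding"
    return None
```

A front-end that rejects every request this function flags gives the back-end only one possible reading of each body, which removes the precondition for a desync.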
HTTP Request Smuggling Detection Tool
HTTP request smuggling is a high-risk vulnerability: attackers smuggle unvalidated HTTP requests past security controls to gain unauthorized access and perform malicious operations. The vulnerability was first described by Watchfire in 2005 and was rediscovered in August 2019 by James Kettle (albinowax), who presented it at DEF CON 27 and Black Hat USA. To learn more about the vulnerability, see the well-documented research on the PortSwigger blog. The tool detects it using the time-delay technique with the given permutations.
How to Install the HTTP Request Smuggling Tool
First, download the HTTP Request Smuggling Detector by entering the following command in your terminal:
git clone https://github.com/anshumanpattnaik/http-request-smuggling.git
Now change into the directory created by the clone, the HTTP request smuggling tool's directory.
Then install the HTTP request smuggling tool's requirements:
pip3 install -r requirements.txt
Once the installation above has completed, you can scan a URL:
python3 smuggle.py -u