HTTP Request Smuggling
What is HTTP Request Smuggling?
HTTP Request Smuggling: An attack that exploits disagreements between a front-end proxy and a back-end server on how an HTTP request ends, so an attacker can sneak a hidden second request through.
HTTP request smuggling abuses inconsistent parsing of the Content-Length and Transfer-Encoding headers (CL.TE, TE.CL, TE.TE) between intermediaries such as load balancers, CDNs, reverse proxies and origin servers. By crafting an ambiguous request, the attacker makes the front end and back end disagree on where the message ends, allowing a smuggled request to be processed in the context of another user's connection. Consequences include cache poisoning, credential theft, bypass of WAFs, and account takeover. Defences include normalising or rejecting ambiguous requests, using HTTP/2 end-to-end, keeping front-end and back-end implementations aligned, and applying vendor patches.
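One way to implement the "normalising or rejecting ambiguous requests" defence, shown as an added example that is not part of the original entry: a strict check on the header block that a front end could run before forwarding. The function name, reason strings and sample requests are constructed for illustration.

```python
import re

# Header names must be RFC 9110 tokens: no spaces, tabs or control characters.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def framing_problem(raw: bytes):
    """Return a reason if the request framing is ambiguous, else None (hypothetical helper)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lengths, codings = [], []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if b"\n" in line or b"\r" in line:
            return "bare CR or LF inside header block"
        if line[:1] in (b" ", b"\t"):
            return "obsolete line folding"
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            # Catches variants such as "Transfer-Encoding : chunked"
            return "malformed header name"
        name, value = name.lower(), value.strip(b" \t")
        if name == b"content-length":
            lengths.append(value)
        elif name == b"transfer-encoding":
            codings += [c.strip(b" \t").lower() for c in value.split(b",")]
    if lengths and codings:
        return "both Content-Length and Transfer-Encoding"
    if len(set(lengths)) > 1:
        return "conflicting Content-Length values"
    if any(not v.isdigit() for v in lengths):
        return "non-numeric Content-Length"
    if codings and codings[-1] != b"chunked":
        return "Transfer-Encoding does not end in chunked"
    return None

# Constructed sample requests (header blocks only, example.test is a placeholder host).
PRE = b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {
    "plain": PRE + b"Content-Length: 3\r\n\r\nabc",
    "cl_and_te": PRE + b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n",
    "spaced_te": PRE + b"Transfer-Encoding : chunked\r\n\r\n",
    "dup_cl": PRE + b"Content-Length: 3\r\nContent-Length: 5\r\n\r\n",
    "te_order": PRE + b"Transfer-Encoding: chunked, gzip\r\n\r\n",
    "bare_lf": PRE + b"X: a\nTransfer-Encoding: chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:10} -> {framing_problem(req) or 'forward'}")
```

A front end applying this kind of check would answer a flagged request with 400 and close the connection instead of forwarding it.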
● Examples
- 01: CL.TE smuggling against a CDN/back-end pair where the CDN uses Content-Length and the origin uses Transfer-Encoding.
- 02: Smuggled POST request stealing the next user's Authorization header from a shared keep-alive connection.
● Frequently asked questions
What is HTTP Request Smuggling?
An attack that exploits disagreements between a front-end proxy and a back-end server on how an HTTP request ends, so an attacker can sneak a hidden second request through. It belongs to the Vulnerabilities category of cybersecurity.
What does HTTP Request Smuggling mean?
An attack that exploits disagreements between a front-end proxy and a back-end server on how an HTTP request ends, so an attacker can sneak a hidden second request through.
How do you defend against HTTP Request Smuggling?
Defences for HTTP Request Smuggling typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for HTTP Request Smuggling?
Common alternative names include: HRS, Request smuggling.