Difference between revisions of "OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling"

From OWASP
(added some more references, discussion)
Line 2: Line 2:
  
 
=== Root Cause Summary ===
 
=== Root Cause Summary ===
An attacker can embed user data into a HTTP request or response, which isn't sanitized.<br>
+
Malformed HTTP requests and responses are interpreted differently by proxies, web servers, or other systems which process HTTP along the request/response path. This can allow a request or response to bypass proxy filters or rules, poison caches, or cause the response from one request to be incorrectly matched with another.
Browsers and web servers which don't adhere to strict RFC standards.
+
  
 
=== Browser / Standards Solution ===
 
=== Browser / Standards Solution ===
  
Tighten RFC standards to describe precise behavior for malformed request/response data.<br>
+
Tighten RFC standards to describe precise behavior for malformed request/response data, including rules for handling duplicate headers.
Sanitize HTTP requests and responses.
+
  
 
=== Perimeter Solution ===
 
=== Perimeter Solution ===
  
* Sanitize HTTP headers
+
* Sanitize all HTTP headers, especially duplicates, by enforcing strict adherence to RFC
* Sanitize HTTP responses
+
** Sanitize both HTTP requests and responses
 
* Avoid HTTP connection sharing
 
* Avoid HTTP connection sharing
* Use SSL to prevent proxy tampering
+
* Enforce SSL to prevent proxy tampering
  
 
=== Generic Framework Solution ===
 
=== Generic Framework Solution ===
  
* Make sure that customizable HTTP headers adhere to the correct RFC standard (RFC 2047)
+
None
* Sanitize HTTP headers
+
* Avoid the introduction of pure Carriage Returns (CR) and Linefeeds (LF) into HTTP headers
+
  
 
=== Custom Framework Solution ===
 
=== Custom Framework Solution ===
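Review bot: the new Perimeter Solution bullet "by enforcing strict adherence to RFC" names no RFC, while the Generic Framework Solution text it replaces cited RFC 2047 explicitly and the bullet "Avoid the introduction of pure Carriage Returns (CR) and Linefeeds (LF) into HTTP headers" is dropped in favour of "None"; either name the governing RFC in the perimeter bullet or replace "None" under Generic Framework Solution with a one-line pointer to where the CR/LF guidance now lives (the Discussion / Controversy section of this same revision points to the HTTP Response Splitting page), so the mitigation stays actionable for a reader who lands on this section alone.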
Line 33: Line 29:
 
=== Discussion / Controversy ===
 
=== Discussion / Controversy ===
  
[http://appsandsecurity.blogspot.com.au/2013/05/should-string-be-abstract-class.html Should String Be An Abstract Class (John Wilander)]
+
Framework-level solutions for addressing correct CRLF behavior and preventing header manipulation are covered under [[OWASP Periodic Table of Vulnerabilities - HTTP Response Splitting]]
  
 
=== References ===
 
=== References ===
  
[http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt  HTTP Message Splitting, Smuggling and Other Animals (Amit Klein, OWASP)]
+
[http://www.securiteam.com/securityreviews/5GP0220G0U.html HTTP Request Smuggling]<BR>
[http://www.ietf.org/rfc/rfc2047.txt Message Header Extensions (RFC)]
+
[http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt  HTTP Message Splitting, Smuggling and Other Animals (Amit Klein, OWASP)]<BR>
 +
[http://www.ietf.org/rfc/rfc2047.txt Message Header Extensions (RFC)]<BR>
 +
[http://projects.webappsec.org/w/page/13246930/HTTP%20Response%20Smuggling Response Smuggling (WASC)]<BR>
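Review bot: the "Should String Be An Abstract Class (John Wilander)" link is removed from Discussion / Controversy although the edit summary only says "added some more references, discussion"; if it was moved rather than dropped, say where, otherwise note the removal in the summary. The added references (securiteam "HTTP Request Smuggling", WASC "Response Smuggling") support the smuggling text, but the new "rules for handling duplicate headers" sentence still has no citation, and the only RFC kept is "Message Header Extensions (RFC)" (rfc2047), which the link text itself presents as a message-header-extensions document rather than an HTTP framing specification; a reference for HTTP message framing would close that gap.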

Revision as of 16:06, 20 July 2013


HTTP Request/Response Smuggling

Root Cause Summary

Malformed HTTP requests and responses are interpreted differently by proxies, web servers, or other systems which process HTTP along the request/response path. This can allow a request or response to bypass proxy filters or rules, poison caches, or cause the response from one request to be incorrectly matched with another.

Browser / Standards Solution

Tighten RFC standards to describe precise behavior for malformed request/response data, including rules for handling duplicate headers.

Perimeter Solution

  • Sanitize all HTTP headers, especially duplicates, by enforcing strict adherence to RFC
    • Sanitize both HTTP requests and responses
  • Avoid HTTP connection sharing
  • Enforce SSL to prevent proxy tampering
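The Root Cause Summary above says smuggling arises when two components on the path interpret malformed or duplicate headers differently, and the Perimeter Solution asks for strict, RFC-conformant header sanitization of both requests and responses. The following validator is an added example written for this page, not OWASP's code: it parses a raw HTTP/1.1 request head and rejects the framing ambiguities a lenient upstream might resolve differently from a downstream server (duplicate or non-numeric Content-Length, Content-Length together with Transfer-Encoding, a Transfer-Encoding list that does not end in chunked or contains non-token codings, bare CR or LF inside the header block, obsolete line folding, and non-token field names). The sample requests are constructed for the example; the exact rejection policy is an assumption modelled on RFC 7230 section 3.3.3 and is meant to be applied at the perimeter before a message is forwarded.

```python
"""Strict HTTP/1.1 request-head validator (added example; assumed policy, not OWASP's code)."""
import re
from typing import Dict, List

# RFC 7230 "tchar": the only characters allowed in a header field name or a coding token
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def validate_request_head(raw: bytes) -> List[str]:
    """Return the list of framing problems found; an empty list means the head is unambiguous."""
    problems: List[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["head not terminated by CRLF CRLF"]
    lines = head.split(b"\r\n")

    # A bare CR or LF that survived the CRLF split is a line that different
    # parsers may or may not treat as a line break: reject the whole message.
    if any(b"\r" in line or b"\n" in line for line in lines):
        problems.append("bare CR or LF inside header block")

    request_line, header_lines = lines[0], lines[1:]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        problems.append("malformed request line")

    # Collect every occurrence of each header so duplicates are visible, not silently merged.
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding (obs-fold) in header")
            continue
        name, colon, value = line.partition(b":")
        # A name with whitespace before the colon (e.g. "Transfer-Encoding : chunked")
        # fails the token test here, which is what we want: it is not a valid field name.
        if not colon or not TOKEN.match(name.decode("latin-1")):
            problems.append("malformed header line: %r" % line)
            continue
        headers.setdefault(name.decode("latin-1").lower(), []).append(
            value.strip(b" \t").decode("latin-1"))

    content_lengths = headers.get("content-length", [])
    transfer_encodings = headers.get("transfer-encoding", [])

    if len(content_lengths) > 1:
        problems.append("duplicate Content-Length headers")
    for value in content_lengths:
        if not value.isdigit():
            problems.append("non-numeric Content-Length: %r" % value)

    if transfer_encodings:
        # Transfer-Encoding is a comma-separated list; every coding must be a token
        # and the final one must be "chunked", otherwise the body length is undefined.
        codings = [c.strip().lower() for v in transfer_encodings for c in v.split(",")]
        if any(not TOKEN.match(c) for c in codings):
            problems.append("malformed Transfer-Encoding coding")
        if codings[-1] != "chunked":
            problems.append("Transfer-Encoding does not end with chunked")
        if content_lengths:
            problems.append("Content-Length and Transfer-Encoding both present")

    return problems


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CL_TE_REQUEST = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL_REQUEST = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
                  b"Content-Length: 10\r\n\r\nabcd")
BARE_LF_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\nX-Injected: 1\r\n\r\n"
SPACED_TE_REQUEST = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_REQUEST), ("cl+te", CL_TE_REQUEST),
                          ("dup-cl", DUP_CL_REQUEST), ("bare-lf", BARE_LF_REQUEST),
                          ("spaced-te", SPACED_TE_REQUEST)]:
        print(label, "->", validate_request_head(sample) or "OK")
```

Rejecting rather than "repairing" an ambiguous message is the point: once a perimeter device has chosen an interpretation and forwarded the bytes, the server behind it may choose another, which is exactly the disagreement the Root Cause Summary describes. Run the same checks on responses before they are cached or reused on a shared connection.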

Generic Framework Solution

None

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

Framework-level solutions for addressing correct CRLF behavior and preventing header manipulation are covered under OWASP Periodic Table of Vulnerabilities - HTTP Response Splitting

References

HTTP Request Smuggling: http://www.securiteam.com/securityreviews/5GP0220G0U.html
HTTP Message Splitting, Smuggling and Other Animals (Amit Klein, OWASP): http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt
Message Header Extensions (RFC): http://www.ietf.org/rfc/rfc2047.txt
Response Smuggling (WASC): http://projects.webappsec.org/w/page/13246930/HTTP%20Response%20Smuggling