Difference between revisions of "OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling"

Latest revision as of 18:12, 15 November 2013

HTTP Request/Response Smuggling

Root Cause Summary

Malformed HTTP requests and responses are interpreted differently by proxies, web servers, or other systems which process HTTP along the request/response path. This can allow a request or response to bypass proxy filters or rules, poison caches, or cause the response from one request to be incorrectly matched with another.

Browser / Standards Solution

Tighten RFC standards to describe precise behavior for malformed request/response data, including rules for handling duplicate headers.

Perimeter Solution

  • Sanitize all HTTP headers, especially duplicates, by enforcing strict adherence to the RFC
  • Sanitize both HTTP request and response bodies, ensuring exact correspondence between Content-Length headers and body lengths
  • Avoid HTTP connection sharing
  • Enforce SSL to prevent proxy tampering
  • Provide a configuration option to either silently sanitize malformed data or return a 5XX error response
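The following is an added example, not code from the OWASP page: a strict front-end check that applies the Perimeter Solution rules above to one raw HTTP/1.1 request and rejects anything two parsers along the path could frame differently. The function names, the reason strings and the sample requests in the assertions are constructed for this illustration.

```python
# Added example, not code from the OWASP page: a strict front-end check that applies
# the Perimeter Solution rules above to one raw HTTP/1.1 request and rejects anything
# two parsers along the path could frame differently (duplicate or conflicting
# framing headers, bare CR/LF inside a header, a body that does not match Content-Length).
import re

CRLF = b"\r\n"
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 header-name chars

def chunked_body_ok(body: bytes):
    pos = 0  # walk the chunk sizes; the body must end exactly after the zero-size chunk
    while (end := body.find(CRLF, pos)) >= 0:
        size_field = body[pos:end].split(b";")[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            return False, "bad chunk size"
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            return (True, "chunked") if body[pos:] == CRLF else (False, "data after last chunk")
        if body[pos + size:pos + size + 2] != CRLF:
            return False, "chunk data not CRLF terminated"
        pos += size + 2
    return False, "truncated chunk"

def parse_strict(raw: bytes):
    """Return (ok, reason); ok is True only when exactly one framing applies."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep or len(head.split(CRLF)[0].split(b" ")) != 3:
        return False, "bad request line or no end of headers"
    headers = {}
    for line in head.split(CRLF)[1:]:
        if b"\r" in line or b"\n" in line:  # anything left after splitting on CRLF is bare
            return False, "bare CR or LF in header"
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):  # also rejects whitespace before the colon
            return False, "malformed header line"
        name = name.lower()
        if name in headers and name in (b"content-length", b"transfer-encoding", b"host"):
            return False, "duplicate " + name.decode()
        headers[name] = value.strip()
    cl, te = headers.get(b"content-length"), headers.get(b"transfer-encoding")
    if cl is not None and te is not None:
        return False, "both Content-Length and Transfer-Encoding"
    if te is not None:
        return chunked_body_ok(body) if te.lower() == b"chunked" else (False, "unsupported Transfer-Encoding")
    if cl is not None:
        ok = cl.isdigit() and len(body) == int(cl)
        return (True, "content-length") if ok else (False, "body does not match Content-Length")
    return (True, "no body") if not body else (False, "unexpected body")
```

A rejected result is the point at which the page's "silently sanitize or return a 5XX" configuration choice applies; the reason string tells the operator which rule the message violated.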

Generic Framework Solution

None

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

Framework-level solutions for enforcing correct CRLF behavior and preventing header manipulation are addressed by the OWASP Periodic Table of Vulnerabilities - HTTP Response Splitting entry. The problem is tangentially described by the end-to-end principle (RFC 3724, http://www.ietf.org/rfc/rfc3724.txt). A full fix may require solving the multiple-parser problem and enforcing the end-to-end principle all the way through frameworks and custom code.

References

HTTP Request Smuggling: http://www.securiteam.com/securityreviews/5GP0220G0U.html
HTTP Message Splitting, Smuggling and Other Animals (Amit Klein, OWASP): http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt
Message Header Extensions (RFC 2047): http://www.ietf.org/rfc/rfc2047.txt
Response Smuggling (WASC): http://projects.webappsec.org/w/page/13246930/HTTP%20Response%20Smuggling