OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling
Latest revision as of 19:12, 15 November 2013

HTTP Request/Response Smuggling

Root Cause Summary

Malformed HTTP requests and responses are interpreted differently by proxies, web servers, or other systems which process HTTP along the request/response path. This can allow a request or response to bypass proxy filters or rules, poison caches, or cause the response from one request to be incorrectly matched with another.

Browser / Standards Solution

Tighten RFC standards to describe precise behavior for malformed request/response data, including rules for handling duplicate headers.

Perimeter Solution

  • Sanitize all HTTP headers, especially duplicated ones, by enforcing strict adherence to the RFC
  • Sanitize both HTTP request and response bodies, ensuring that each Content-Length header matches the body length exactly
  • Avoid HTTP connection sharing
  • Enforce SSL to prevent proxy tampering
  • Provide a configuration option to either silently sanitize malformed data or return a 5XX error response
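As an added example, not part of the OWASP page, the following Python request-framing check implements the perimeter rules above: it refuses duplicate Content-Length headers, Content-Length alongside Transfer-Encoding, bare CR or LF in the header block, and any body whose length differs from Content-Length, so the ambiguity described in the root cause never reaches a second parser. All function names and sample requests are constructed for this example.

```python
"""Strict HTTP/1.1 request framing check (added example, not OWASP's own code).
Rejects what smuggling relies on: duplicate framing headers, Content-Length next to
Transfer-Encoding, bare CR/LF in headers, and a body whose length differs from
Content-Length. Only Content-Length framing is accepted; chunked bodies are out of scope."""
from typing import Dict, List, Tuple

class MalformedRequest(Exception):
    """The request must be refused; a perimeter would answer with a 5XX."""

def parse_request(raw: bytes) -> Tuple[str, Dict[str, List[str]], bytes]:
    """Return (request line, headers, body) or raise MalformedRequest."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedRequest("header block not terminated by CRLF CRLF")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        raise MalformedRequest("non-ASCII bytes in header block") from None
    stripped = text.replace("\r\n", "")
    if "\n" in stripped or "\r" in stripped:
        raise MalformedRequest("bare CR or LF inside header block")
    lines = text.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name.strip() != name:  # no whitespace around the name
            raise MalformedRequest("malformed header line: %r" % line)
        headers.setdefault(name.lower(), []).append(value.strip())
    cl = headers.get("content-length", [])
    if "transfer-encoding" in headers:
        raise MalformedRequest("Transfer-Encoding present" + (" with Content-Length" if cl else ""))
    if len(cl) > 1:
        raise MalformedRequest("duplicate Content-Length headers %r" % cl)
    if cl and not cl[0].isdigit():
        raise MalformedRequest("Content-Length is not a decimal integer")
    expected = int(cl[0]) if cl else 0
    if len(body) != expected:  # leftover bytes would be parsed as the next request
        raise MalformedRequest("body is %d bytes, Content-Length says %d" % (len(body), expected))
    return lines[0], headers, body

def verdict(raw: bytes) -> str:
    """'accept' or 'reject: <reason>' for one raw request."""
    try:
        parse_request(raw)
        return "accept"
    except MalformedRequest as exc:
        return "reject: " + str(exc)

# Constructed samples (not captured traffic): a clean request and a duplicate-Content-Length one.
GOOD = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
DUP_CL = GOOD.replace(b"Content-Length: 5", b"Content-Length: 5\r\nContent-Length: 11") + b" world"
```

A proxy that applies this check to every request before forwarding it, and answers a rejection with a 5XX as the page suggests, never lets two upstream parsers see a message they could frame differently.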

Generic Framework Solution

None

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

Framework-level solutions for enforcing correct CRLF behavior and preventing header manipulation are addressed by the OWASP Periodic Table of Vulnerabilities - HTTP Response Splitting entry. The problem is tangentially described by the end-to-end principle (RFC 3724). A complete fix may require solving the multiple-parser problem and enforcing the end-to-end principle all the way through frameworks and custom code.

References

HTTP Request Smuggling (http://www.securiteam.com/securityreviews/5GP0220G0U.html)
HTTP Message Splitting, Smuggling and Other Animals (Amit Klein, OWASP) (http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt)
Message Header Extensions (RFC 2047) (http://www.ietf.org/rfc/rfc2047.txt)
Response Smuggling (WASC) (http://projects.webappsec.org/w/page/13246930/HTTP%20Response%20Smuggling)