Difference between revisions of "OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling"

From OWASP

Revision as of 00:20, 7 June 2013

HTTP Request/Response Smuggling

Root Cause Summary

An attacker can embed unsanitized user data into an HTTP request or response.
Browsers and web servers that don't adhere to strict RFC standards.

Browser / Standards Solution

Tighten RFC standards to describe precise behavior for malformed request/response data.
Sanitize HTTP requests and responses.

Perimeter Solution

  • Sanitize HTTP headers
  • Sanitize HTTP responses
  • Avoid HTTP connection sharing
  • Use SSL to prevent proxy tampering

Generic Framework Solution

  • Make sure that customizable HTTP headers adhere to the correct RFC standard (RFC 2047)
  • Sanitize HTTP headers
  • Avoid the introduction of bare Carriage Returns (CR) and Linefeeds (LF) into HTTP headers
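
As an added example (not code from the OWASP page), the following Python validator applies the framework-level advice above: it rejects bare CR/LF and other control characters in header names and values, and additionally flags the Content-Length / Transfer-Encoding framing ambiguities that request smuggling exploits, which goes beyond the list above. All function names and sample headers are constructed for illustration.

```python
import re
from typing import List, Tuple

# Header-name grammar follows the RFC 7230 "token" rule. Field values may not
# contain CR, LF, NUL or other control characters; HTAB (0x09) is the only
# control character allowed inside a value, so it is excluded from the range.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_BAD_VALUE_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def check_header(name: str, value: str) -> List[str]:
    """Return the problems found in one header; an empty list means it is clean.
    Rejecting is preferred over stripping: a value with CR/LF is never trusted."""
    problems = []
    if not _TOKEN_RE.match(name):
        problems.append(f"illegal header name {name!r}")
    if _BAD_VALUE_CHARS.search(value):
        problems.append(f"control character (CR/LF/NUL/...) in value of {name!r}")
    return problems


def check_request_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Validate a parsed header list and flag message-framing ambiguities that a
    front-end proxy and a back-end server might resolve differently."""
    problems = []
    for name, value in headers:
        problems.extend(check_header(name, value))
    lowered = [(n.lower(), v.strip()) for n, v in headers]
    lengths = {v for n, v in lowered if n == "content-length"}
    has_te = any(n == "transfer-encoding" for n, _ in lowered)
    if len(lengths) > 1:
        problems.append("conflicting Content-Length values")
    if lengths and not all(v.isdigit() for v in lengths):
        problems.append("non-numeric Content-Length")
    if lengths and has_te:
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems


if __name__ == "__main__":
    # Constructed sample: a user-supplied value carrying an injected CR/LF pair.
    sample = [("Host", "example.test"), ("X-User", "alice\r\nX-Injected: 1")]
    print(check_request_headers(sample))
```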

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

Should String Be An Abstract Class (John Wilander): http://appsandsecurity.blogspot.com.au/2013/05/should-string-be-abstract-class.html

References

HTTP Message Splitting, Smuggling and Other Animals (Amit Klein, OWASP): http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt

Message Header Extensions (RFC 2047): http://www.ietf.org/rfc/rfc2047.txt