OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling
HTTP Request/Response Smuggling
Root Cause Summary
Malformed HTTP requests and responses are interpreted differently by proxies, web servers, or other systems that process HTTP along the request/response path. This can allow a request or response to bypass proxy filters or rules, poison caches, or cause the response to one request to be incorrectly matched with another.
Browser / Standards Solution
Tighten the RFC standards to describe precise behavior for malformed request/response data, including rules for handling duplicate headers.
- Sanitize all HTTP headers, especially duplicates, by enforcing strict adherence to the RFCs
- Sanitize both HTTP request and response bodies, ensuring exact correspondence between Content-Length headers and body lengths
- Avoid HTTP connection sharing
- Enforce SSL to prevent proxy tampering
- Provide a configuration option to either silently sanitize malformed data or return a 5XX error response
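The header and body rules above amount to one requirement: every parser on the path must agree on where a message ends. The following validator is an added example, not code from the OWASP page, of the "return a 5XX error response" option. It parses a single HTTP/1.1 request and raises a FramingError whenever the framing could be read two ways: duplicate or conflicting Content-Length values, Content-Length combined with Transfer-Encoding, a Transfer-Encoding other than a single plain "chunked", bare CR or LF inside the head, obsolete line folding, chunked bodies that do not end exactly at the last chunk, or a body whose length disagrees with Content-Length. The function and class names, the RFC 7230 section references, and the sample requests at the bottom are the example's own assumptions and constructed inputs, not captured traffic.

```python
"""Strict HTTP/1.1 request framing validator (added example, not the OWASP page's code).

Rejects any request whose message boundaries a downstream parser might read
differently, so that the front end can answer with a 5XX instead of forwarding
an ambiguous message. Sample requests at the bottom are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Characters permitted in a header field-name (RFC 7230 section 3.2.6 "token").
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")
_CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]+$")


class FramingError(ValueError):
    """Raised when the request has no single unambiguous interpretation."""


@dataclass
class ParsedRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, List[str]] = field(default_factory=dict)
    body: bytes = b""


def _decode_chunked(data: bytes) -> bytes:
    """Decode a chunked body, requiring it to end exactly at the last chunk.
    Chunk extensions and non-hex size fields are rejected outright."""
    out = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("truncated chunk size line")
        size_field = data[pos:end]
        if not _CHUNK_SIZE_RE.match(size_field):
            raise FramingError("malformed chunk size: %r" % size_field)
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            # Last chunk must be followed by the final CRLF and nothing else.
            if data[pos:] != b"\r\n":
                raise FramingError("trailing data after last chunk")
            return bytes(out)
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data does not match declared size")
        out += chunk
        pos += size + 2


def parse_strict(raw: bytes) -> ParsedRequest:
    """Parse one HTTP/1.1 request; raise FramingError on any ambiguous framing."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("missing CRLFCRLF terminator")
    # A bare CR or LF in the head means some parsers will see extra lines.
    stripped = head.replace(b"\r\n", b"")
    if b"\n" in stripped or b"\r" in stripped:
        raise FramingError("bare CR or LF in request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.1", b"HTTP/1.0"):
        raise FramingError("malformed request line")
    req = ParsedRequest(parts[0].decode("ascii"), parts[1].decode("ascii"),
                        parts[2].decode("ascii"))
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding not permitted")
        name, colon, value = line.partition(b":")
        # Name must be a token with no whitespace before the colon (RFC 7230 3.2.4).
        if not colon or not _TOKEN_RE.match(name.decode("latin-1")):
            raise FramingError("malformed header line: %r" % line)
        req.headers.setdefault(name.decode("ascii").lower(), []).append(
            value.strip(b" \t").decode("latin-1"))

    te = req.headers.get("transfer-encoding")
    cl = req.headers.get("content-length")
    if te and cl:
        # Two framing mechanisms present: refuse rather than pick one.
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        if te != ["chunked"]:
            raise FramingError("unsupported or duplicated Transfer-Encoding")
        req.body = _decode_chunked(rest)
        return req
    if cl:
        # Duplicate Content-Length values must be identical and purely numeric.
        if len(set(cl)) != 1 or not _CONTENT_LENGTH_RE.match(cl[0]):
            raise FramingError("conflicting or malformed Content-Length")
        length = int(cl[0])
        if len(rest) != length:
            raise FramingError("body length %d does not match Content-Length %d"
                               % (len(rest), length))
        req.body = rest
        return req
    if rest:
        raise FramingError("body present without a framing header")
    return req


def is_well_framed(raw: bytes) -> bool:
    """Convenience wrapper: True if parse_strict accepts the request."""
    try:
        parse_strict(raw)
    except FramingError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    good = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
    conflicting = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello")
    for sample in (good, conflicting):
        try:
            print("accepted:", parse_strict(sample).method, parse_strict(sample).body)
        except FramingError as exc:
            print("rejected:", exc)
```

The validator deliberately rejects rather than repairs: silently choosing one interpretation is exactly what lets two parsers disagree. A front-end proxy that wraps this in a 400/5XX path gives the "return an error response" behavior listed above, and the rejection reasons are what a detection pipeline would log and count.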
Generic Framework Solution
Custom Framework Solution
Custom Code Solution
Discussion / Controversy
Framework-level solutions for enforcing correct CRLF behavior and preventing header manipulation are addressed by OWASP Periodic Table of Vulnerabilities - HTTP Response Splitting. The problem is tangentially described by the end-to-end principle. A complete solution may require solving the multiple-parser problem and enforcing the end-to-end principle all the way through frameworks and custom code.