[39075] in bugtraq
A new whitepaper by Watchfire - HTTP Request Smuggling
daemon@ATHENA.MIT.EDU (Ory Segal)
Mon Jun 6 16:46:26 2005
Date: Mon, 06 Jun 2005 19:09:04 +0300
From: Ory Segal <orysegal@netvision.net.il>
In-reply-to: <42A47486.4050103@netvision.net.il>
To: BUGTRAQ@securityfocus.com
Message-id: <42A47520.2040702@netvision.net.il>
MIME-version: 1.0
Content-type: text/plain; charset=windows-1252; format=flowed
Content-transfer-encoding: 8BIT
Ory Segal wrote:
> Hello,
> Today, Watchfire released a new whitepaper, titled "HTTP Request
> Smuggling". The full paper can be found in the following link:
> http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
> <BLOCKED::http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf>
> The paper's abstract is copied below:
>
> "We describe a new web entity attack technique – “HTTP Request
> Smuggling”. The attack technique and the derived attacks are relevant
> to most web environments and is the result of a HTTP server or
> device’s failure to properly handle malformed inbound HTTP requests.
> HTTP Request Smuggling works by taking advantage of the discrepancies
> in parsing when one or more HTTP devices/entities (e.g. Cache Server,
> Proxy Server, Web Application Firewall, etc.) are in the data flow
> between the user and the web server. HTTP Request Smuggling enables
> various attacks – web cache poisoning, session hijacking, cross-site
> scripting and most serious the ability to bypass web application
> firewall protection. HTTP Request Smuggling sends multiple
> specially-crafted HTTP requests that cause the two attacked entities
> to see two different sets of requests, allowing the hacker to smuggle
> a request to one device without the other device being aware of it. In
> the Web Cache poisoning attack, this smuggled request will trick the
> cache server into unintendedly associating a URL to another URL’s page
> (content), and caching this content for the URL. In the Web
> Application Firewall attack the smuggled request could be a worm (like
> Nimda or Code Red) or buffer overflow attack targeting the web server.
> Finally, because HTTP Request Smuggling enables the attacker to insert
> or sneak a request into the flow it allows the attacker to manipulate
> the web server’s request/response sequencing which can allow for
> credential hijacking and other malicious outcomes."
> Thank you,
> *Ory Segal
> */Director of Security Research/
> Watchfire (Israel) LTD.
> Tel: +972-9-9586077, Ext.236
> Mobile: +972-54-7739359
> e-mail: osegal <BLOCKED::mailto:osegal@watchfire.com> at watchfire.com
>
