HTTP request smuggling

HTTP
Request methods
Header fields
Response status codes
Security access control methods
Security vulnerabilities

HTTP request smuggling (HRS) is a security exploit on the HTTP protocol that takes advantage of an inconsistency between the interpretation of Content-Length and Transfer-Encoding headers between HTTP server implementations in an HTTP proxy server chain.[1][2] It was first documented in 2005 by Linhart et al.[3]

The Transfer-Encoding header works by defining a directive on how to interpret the body of the HTTP request, with the common and necessary directive for this attack being the chunked transfer encoding.[4] When the Transfer-Encoding header is present, the Content-Length header is supposed to be omitted.[4] Working similarly but with a different syntax, the Content-Length header works by specifying the size in bytes of the body as a value in the header itself.[5] Vulnerabilities arise when both of these headers are included in a malicious HTTP request, bypassing security functions meant to prevent malicious HTTP queries to the server by causing either the front-end or back-end server to incorrectly interpret the request.[6] HTTP request smuggling commonly takes the form of CL.TE, TE.CL, or TE.TE, although more complex attacks using HRS do exist.[6]

  1. ^ "CWE - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (4.0)". cwe.mitre.org. Retrieved 2020-03-13.
  2. ^ "What is HTTP request smuggling? Tutorial & Examples | Web Security Academy". portswigger.net. Retrieved 2020-03-13.
  3. ^ Linhart, Chaim; Klein, Amit; Heled, Ronen; Orrin, Steve (2005). "HTTP request smuggling" (PDF).
  4. ^ a b "Transfer-Encoding". developer.mozilla.org. Retrieved 2022-12-15.
  5. ^ "Content-Length". developer.mozilla.org. Retrieved 2022-12-15.
  6. ^ a b "HTTP Request Smuggling". imperva.com. Retrieved 2022-12-15.