OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling
HTTP Request/Response Smuggling
Root Cause Summary
Malformed HTTP requests and responses are interpreted differently by proxies, web servers, or other systems which process HTTP along the request/response path. This can allow a request or response to bypass proxy filters or rules, poison caches, or cause the response from one request to be incorrectly matched with another.
Browser / Standards Solution
Tighten RFC standards to describe precise behavior for malformed request/response data, including rules for handling duplicate headers.
Perimeter Solution
- Sanitize all HTTP headers, especially duplicates, by enforcing strict adherence to the RFC
- Sanitize both HTTP request and response bodies, ensuring the Content-Length header corresponds exactly to the body length
- Avoid HTTP connection sharing
- Enforce SSL to prevent proxy tampering
- Provide a configuration option to either silently sanitize malformed data or return a 5XX error response
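The perimeter measures above amount to a strict parser in front of the application. As an added example (not code from OWASP or from any of the referenced papers), the following Python module validates one HTTP/1.1 request the way such a proxy filter would: it rejects bare CR/LF and folded header lines, rejects a Content-Length that is non-numeric, duplicated with conflicting values, or combined with Transfer-Encoding, requires the body to be exactly Content-Length bytes, and then re-serializes the request in one canonical framing so every downstream parser sees the same message. The `silent_sanitize` and `error_status` parameters implement the "silently sanitize or return an error" configuration option; the sample requests are constructed for the example, and the `RejectRequest` name and `guard` function are this example's own, not an existing library API. Chunked bodies are deliberately rejected rather than decoded here.

```python
"""Strict HTTP/1.1 request validation at a perimeter proxy (added example, not OWASP code)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 tchar: no spaces, no CR/LF
_DIGITS = re.compile(r"^[0-9]+$")
_REASON = {400: "Bad Request", 500: "Internal Server Error", 502: "Bad Gateway"}


class RejectRequest(ValueError):
    """The request is malformed or could be framed differently by two parsers."""


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: List[Tuple[str, str]]          # (lower-cased name, value), order preserved
    body: bytes
    notes: List[str] = field(default_factory=list)  # recoverable irregularities that were fixed


def parse_strict(raw: bytes) -> Request:
    """Parse a complete request, raising RejectRequest on anything ambiguous."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RejectRequest("header block not terminated by CRLF CRLF")
    if b"\n" in head.replace(b"\r\n", b"") or b"\r" in head.replace(b"\r\n", b""):
        raise RejectRequest("bare CR or LF inside header block")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not _TOKEN.match(parts[0]) or parts[2] not in ("HTTP/1.1", "HTTP/1.0"):
        raise RejectRequest("malformed request line")
    method, target, version = parts

    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise RejectRequest("obsolete line folding is not accepted")
        name, colon, value = line.partition(b":")
        name_s = name.decode("latin-1")
        # A name that fails the token check includes "Content-Length " (space before the colon).
        if not colon or not _TOKEN.match(name_s):
            raise RejectRequest("malformed header line: %r" % line[:40])
        headers.append((name_s.lower(), value.decode("latin-1").strip(" \t")))

    notes: List[str] = []
    cl_values = [v for n, v in headers if n == "content-length"]
    if any(n == "transfer-encoding" for n, _ in headers):
        # With both headers present two parsers may frame the body differently; with
        # Transfer-Encoding alone this example refuses to guess rather than decode chunks.
        raise RejectRequest("Transfer-Encoding is not accepted by this filter")
    if any(not _DIGITS.match(v) for v in cl_values):
        raise RejectRequest("non-numeric Content-Length")
    if len(set(cl_values)) > 1:
        raise RejectRequest("conflicting duplicate Content-Length headers")
    expected = int(cl_values[0]) if cl_values else 0
    if cl_values:
        if len(cl_values) > 1:
            notes.append("collapsed %d identical Content-Length headers" % len(cl_values))
        if cl_values[0] != str(expected):
            notes.append("normalized Content-Length %r" % cl_values[0])
        headers = [h for h in headers if h[0] != "content-length"]
        headers.append(("content-length", str(expected)))
    # Trailing bytes would be read as the start of a second request on a shared connection.
    if len(body) != expected:
        raise RejectRequest("body is %d bytes but Content-Length says %d" % (len(body), expected))
    return Request(method, target, version, headers, body, notes)


def serialize(req: Request) -> bytes:
    """Re-emit the request in one canonical framing for every downstream parser."""
    out = ["%s %s %s" % (req.method, req.target, req.version)]
    out.extend("%s: %s" % (n, v) for n, v in req.headers)
    return "\r\n".join(out).encode("latin-1") + b"\r\n\r\n" + req.body


def _error(status: int, reason: str) -> bytes:
    body = reason.encode("latin-1", "replace")
    head = "HTTP/1.1 %d %s\r\nContent-Type: text/plain\r\nContent-Length: %d\r\nConnection: close\r\n\r\n"
    return (head % (status, _REASON.get(status, "Error"), len(body))).encode("latin-1") + body


def guard(raw: bytes, silent_sanitize: bool = False, error_status: int = 400) -> Tuple[str, bytes]:
    """Perimeter decision: ("forward", canonical request) or ("error", HTTP error response)."""
    try:
        req = parse_strict(raw)
    except RejectRequest as exc:
        return "error", _error(error_status, str(exc))
    if req.notes and not silent_sanitize:
        return "error", _error(error_status, "; ".join(req.notes))
    return "forward", serialize(req)


# Constructed sample requests for the example (not captured traffic).
CLEAN = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
DUP_SAME = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 5\r\n\r\nhello"
DUP_DIFF = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 11\r\n\r\nhello"
MISMATCH = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 11\r\n\r\nhello"
BARE_LF = b"GET / HTTP/1.1\r\nHost: app.example\nX-Test: y\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("CLEAN", CLEAN), ("DUP_SAME", DUP_SAME), ("DUP_DIFF", DUP_DIFF),
                         ("MISMATCH", MISMATCH), ("BARE_LF", BARE_LF)]:
        print(name, guard(sample, silent_sanitize=True)[0])
```

In `silent_sanitize` mode identical duplicate Content-Length headers are collapsed and the request is forwarded; in the default mode the same request is refused, which is the safer setting when the origin server's parser is unknown. Conflicting duplicates, body-length mismatches and bare line feeds are refused in both modes, since there is no single correct reading to sanitize towards.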
Generic Framework Solution
None
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
Framework-level solutions for enforcing correct CRLF behavior and preventing header manipulation are addressed by OWASP Periodic Table of Vulnerabilities - HTTP Response Splitting. The problem is tangentially related to the end-to-end principle: a full fix may require solving the multiple-parser problem (every component on the path framing the same bytes the same way) and enforcing the end-to-end principle all the way through frameworks and custom code.
References
- HTTP Request Smuggling
- HTTP Message Splitting, Smuggling and Other Animals (Amit Klein, OWASP)
- Message Header Extensions (RFC)
- Response Smuggling (WASC)