Revision as of 06:20, 7 June 2013
HTTP Request/Response Smuggling
Root Cause Summary
User-controlled data is embedded, unsanitized, into an HTTP request or response (typically into a header), so an attacker can inject CR/LF sequences and, with them, extra headers or a second message.
Browsers, proxies and web servers that do not adhere strictly to the HTTP RFCs parse such malformed or ambiguous messages differently from one another, so the message one party sends is not the message the next party sees.
Browser / Standards Solution
Tighten the RFC standards so that they prescribe precise behaviour for malformed request and response data.
Sanitize HTTP requests and responses.
Perimeter Solution
- Sanitize HTTP headers
- Sanitize HTTP responses
- Avoid HTTP connection sharing (persistent connections between a proxy or cache and the origin that carry several users' requests in sequence, so one desynchronised request can corrupt the next)
- Use SSL/TLS end to end so that an intermediary proxy cannot inspect or tamper with the request and response stream
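The perimeter items above amount to refusing requests whose length two parsers could read differently. As an added example that is not code from the OWASP page, the Python below shows such a check for a perimeter component that buffers a whole HTTP/1.1 request before forwarding it; the function names and the sample requests are constructed for this illustration.

```python
"""Added example, not code from the OWASP page: a perimeter check that refuses
HTTP/1.1 requests whose length is ambiguous.  On a shared (keep-alive)
connection between a proxy and an origin, two parsers that disagree on where a
request ends will also disagree on where the next one starts, which is the
desynchronisation that request smuggling exploits.  Function names and the
sample requests are constructed for this illustration."""
import re

# RFC 2616 token characters, used for header names.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class Framing(ValueError):
    """Raised when a request's message framing is malformed or ambiguous."""


def parse_head(raw):
    """Split a raw request into (request line, [(name, value)], body bytes),
    rejecting the header-line shapes that lenient parsers read differently."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise Framing("incomplete head")
    lines = raw[:end].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if b"\n" in line or b"\r" in line:
            raise Framing("bare CR or LF in header line")
        if line[:1] in (b" ", b"\t"):
            raise Framing("obsolete line folding not accepted")
        name, sep, value = line.partition(b":")
        # A space before the colon ("Content-Length : 5") is a classic way to
        # make one parser honour a length header and another ignore it.
        if not sep or not _TOKEN.fullmatch(name):
            raise Framing("malformed header name %r" % name)
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, raw[end + 4:]


def framing(raw):
    """Return ('none', 0), ('content-length', n) or ('chunked', None) when the
    request's length is fixed by exactly one rule; raise Framing otherwise."""
    _, headers, _ = parse_head(raw)
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if cls and tes:
        raise Framing("both Content-Length and Transfer-Encoding present")
    if tes:
        if len(tes) > 1 or tes[0].lower() != b"chunked":
            raise Framing("Transfer-Encoding must be exactly one 'chunked'")
        return "chunked", None
    if cls:
        if len(set(cls)) > 1:
            raise Framing("conflicting Content-Length values")
        if not cls[0].isdigit():
            raise Framing("non-numeric Content-Length %r" % cls[0])
        return "content-length", int(cls[0])
    return "none", 0


def is_unambiguous(raw):
    """Boolean form for a filter that simply drops bad requests."""
    try:
        framing(raw)
    except Framing:
        return False
    return True


# Constructed sample requests.
CLEAN = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
# Two length rules at once: a front end honouring Content-Length forwards all
# 13 body bytes; a back end honouring chunked stops after "0\r\n\r\n" and treats
# "SMUGGLED" as the start of the next request on the shared connection.
CL_TE = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 13\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED")
DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
             b"Content-Length: 13\r\n\r\nhelloSMUGGLED")
SPACED_CL = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length : 5\r\n\r\nhello"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("chunked", CHUNKED), ("CL+TE", CL_TE),
                       ("double CL", DOUBLE_CL), ("spaced CL", SPACED_CL)]:
        try:
            print("%-9s accepted as %r" % (label, framing(req)))
        except Framing as exc:
            print("%-9s rejected: %s" % (label, exc))
```

Rejecting rather than "repairing" such requests is deliberate: any normalisation the perimeter applies is one more parser whose view of the message can differ from the origin's.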
Generic Framework Solution
- Make sure that customizable HTTP headers adhere to the applicable RFC standards: the HTTP/1.1 message syntax (RFC 2616) and, where a header carries non-ISO-8859-1 text, the RFC 2047 encoded-word rules that RFC 2616 requires for it
- Sanitize HTTP headers
- Never let raw carriage return (CR, 0x0D) or line feed (LF, 0x0A) characters from untrusted input reach an HTTP header; reject or encode them, since a CRLF terminates the header and lets the attacker start a new header or a new message
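As an added example that is not code from the OWASP page, the Python below puts the vulnerable concatenation pattern beside a header builder that enforces the RFC 2616 grammar, and shows how a single injected CRLF turns one redirect into two responses for a downstream parser; the function names and the attacker input are constructed for this illustration.

```python
"""Added example, not code from the OWASP page: the vulnerable header
concatenation pattern beside a validator that enforces the RFC 2616 header
grammar.  Function names and the sample input are constructed for this
illustration."""
import re

# RFC 2616 header grammar, in outline: field-name is a token; field-content is
# printable ASCII (0x20-0x7E) plus HTAB and obs-text (0x80-0xFF).  CR (0x0D),
# LF (0x0A) and every other control character are never legal inside a value.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_FIELD_VALUE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")


class HeaderInjection(ValueError):
    """Raised when a header name or value cannot be emitted safely."""


def header_line(name, value):
    """Return b'Name: value\\r\\n' if both parts are legal; raise otherwise."""
    try:
        n, v = name.encode("ascii"), value.encode("iso-8859-1")
    except UnicodeEncodeError:
        # RFC 2616 only admits non-ISO-8859-1 header text as RFC 2047
        # encoded-words; refuse rather than guess at an encoding.
        raise HeaderInjection("non-ISO-8859-1 text in header %r" % name)
    # fullmatch, not match() with '$': '$' also matches just before a trailing
    # LF, which is exactly the character this check must catch.
    if not _TOKEN.fullmatch(n):
        raise HeaderInjection("illegal header name %r" % name)
    if not _FIELD_VALUE.fullmatch(v):
        raise HeaderInjection("CR, LF or control character in value of %r" % name)
    return n + b": " + v + b"\r\n"


def is_legal_header(name, value):
    """Boolean form of header_line() for callers that only want a yes/no."""
    try:
        header_line(name, value)
    except HeaderInjection:
        return False
    return True


def build_redirect_unsafe(location):
    """Vulnerable pattern: user input concatenated straight into a header."""
    return (b"HTTP/1.1 302 Found\r\nLocation: " + location.encode("iso-8859-1")
            + b"\r\nContent-Length: 0\r\n\r\n")


def build_redirect_safe(location):
    """Hardened form: every header passes through header_line()."""
    return (b"HTTP/1.1 302 Found\r\n" + header_line("Location", location)
            + b"Content-Length: 0\r\n\r\n")


def count_messages(raw):
    """Parse `raw` the way a simple proxy or cache would (head up to the blank
    line, body sized by Content-Length) and return how many complete HTTP
    responses it sees.  More than one means the response was split."""
    n = 0
    while True:
        end = raw.find(b"\r\n\r\n")
        if end < 0:
            return n
        head, raw = raw[:end], raw[end + 4:]
        if not head.startswith(b"HTTP/"):
            return n
        length = 0
        for line in head.split(b"\r\n")[1:]:
            key, _, val = line.partition(b":")
            if key.strip().lower() == b"content-length":
                length = int(val.strip() or b"0")
        raw = raw[length:]
        n += 1


# Constructed attacker input for a redirect whose target is user-controlled:
# the injected CRLFs close the real response and start a forged second one.
MALICIOUS_LOCATION = (
    "/home\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 20\r\n\r\n"
    "<h1>forged page</h1>"
)

if __name__ == "__main__":
    print("unsafe build, benign input :",
          count_messages(build_redirect_unsafe("/home")), "message(s)")
    print("unsafe build, injected CRLF:",
          count_messages(build_redirect_unsafe(MALICIOUS_LOCATION)), "message(s)")
    print("safe build rejects input   :",
          not is_legal_header("Location", MALICIOUS_LOCATION))
```

The validator rejects rather than strips: silently deleting CR and LF leaves the remaining text (here a forged status line and headers) in the response, where a later component may still misread it.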
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
Should String Be An Abstract Class (John Wilander): http://appsandsecurity.blogspot.com.au/2013/05/should-string-be-abstract-class.html
References
HTTP Message Splitting, Smuggling and Other Animals (Amit Klein, OWASP): http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt
Message Header Extensions (RFC 2047): http://www.ietf.org/rfc/rfc2047.txt