This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling

From OWASP
Revision as of 07:31, 16 May 2013 by Peter Mosmans (talk | contribs) (initial page setup)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

HTTP Request/Response Smuggling

Root Cause Summary

An attacker can embed user data into a HTTP request or response, which isn't sanitized.
Browsers and web servers which don't adhere to strict RFC standards.

Browser / Standards Solution

Tighten RFC standards to describe precise behavior for malformed request/response data.
Sanitize HTTP requests and responses

Perimeter Solution

  • Sanitize HTTP headers
  • Sanitize HTTP responses
  • Avoid HTTP connection sharing
  • Use SSL to prevent proxy tampering

Generic Framework Solution

  • Sanitize HTTP headers
  • Avoid the introduction of pure Carriage Returns (CR) and Linefeeds (LF) into HTTP headers

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

References

HTTP Message Splitting, Smuggling and Other Animals (Amit Klein, OWASP)

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Periodic_Table_of_Vulnerabilities_-_HTTP_Request/Response_Smuggling&oldid=151725"