This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling
HTTP Request/Response Smuggling
Root Cause Summary
An attacker can embed unsanitized user-controlled data into an HTTP request or response. Two forms of such data do the damage: a raw CR/LF sequence, which terminates a header line and lets the attacker append further headers or a whole second message (splitting), and conflicting framing headers such as Content-Length together with Transfer-Encoding, which let the attacker decide where one message ends and the next begins (smuggling).
The vulnerability exists because browsers, proxies and web servers do not all parse HTTP strictly according to the RFCs, so two components on the same path can interpret one malformed message differently.
Browser / Standards Solution
- Tighten the RFC standards so that the handling of malformed request and response data is specified precisely, leaving implementations no room to disagree.
- Sanitize HTTP requests and responses.
Perimeter Solution
- Sanitize HTTP headers: reject raw CR/LF in header names and values, and refuse requests whose framing headers (Content-Length, Transfer-Encoding) are repeated or contradictory rather than guessing which one was meant.
- Sanitize HTTP responses: apply the same checks to the headers the application emits, since headers such as Location often carry user-supplied values.
- Avoid HTTP connection sharing: a smuggled request does its harm because the back end reads it on a persistent connection that the proxy reuses for other users' requests.
- Use TLS between the client, the proxy and the back end so an intermediary cannot tamper with, or re-frame, the message stream.
Generic Framework Solution
- Sanitize HTTP headers: validate every header name against the RFC 7230 token character set and every value against the permitted ASCII range before emitting it.
- Never let raw carriage return (CR, 0x0D) or line feed (LF, 0x0A) characters, including encoded forms such as %0D%0A once decoded, reach an HTTP header: a raw CR/LF ends the header line, and whatever follows is parsed as further headers or as a new message.
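The root cause and the header-sanitization mitigations above, worked through as an added Python example that is not part of the original OWASP page or of Amit Klein's paper. It shows a response builder that rejects CR/LF in header values beside its vulnerable counterpart, and a strict request-head parser that refuses every framing ambiguity (Content-Length alongside Transfer-Encoding, duplicated or conflicting Content-Length, bare CR or LF, whitespace before the colon) instead of resolving it. All function names, the sample messages and the host `example.test` are assumptions made for the example.

```python
"""Strict HTTP/1.1 header sanitizer and request-framing check.

Added example for this page, not code from OWASP or from Amit Klein's
paper; names, sample messages and the host 'example.test' are made up.
It shows the two places where unsanitized data turns into smuggling:
a raw CR/LF in a header value, and ambiguous request framing.
"""
import re
from typing import Callable, List, Optional, Tuple


class SmugglingError(ValueError):
    """A header or message that two HTTP parsers could read differently."""


# RFC 7230 'token' characters, the only ones allowed in a header name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# ASCII controls except HTAB. CR (0x0d) and LF (0x0a) are in this set; a raw
# CR/LF in a value ends the header line, so whatever follows becomes further
# headers, or a whole second message, under the attacker's control.
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def sanitize_header(name: str, value: str) -> Tuple[str, str]:
    """Reject, rather than strip, anything that could break out of its line."""
    if not _TOKEN.match(name):
        raise SmugglingError(f"illegal header name {name!r}")
    if not value.isascii() or _CTL.search(value):
        raise SmugglingError(f"control or non-ASCII character in header {name!r}")
    return name, value.strip(" \t")


def build_response(status_line: str, headers: List[Tuple[str, str]], body: bytes) -> bytes:
    """Serialise a response, sanitising every header on the way out."""
    lines = [status_line]
    for name, value in headers:
        name, value = sanitize_header(name, value)
        lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + body


def naive_build_response(status_line: str, headers: List[Tuple[str, str]], body: bytes) -> bytes:
    """The vulnerable counterpart: header values are copied unchecked."""
    lines = [status_line] + [f"{n}: {v}" for n, v in headers]
    lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body


def strict_body_length(raw_head: bytes) -> Optional[int]:
    """Body length a strict server uses for this request head (None: chunked).

    Every case where a front end and a back end could legitimately disagree
    is refused instead of resolved; that disagreement is what smuggling needs.
    """
    if not raw_head.endswith(b"\r\n\r\n"):
        raise SmugglingError("request head must end with CRLF CRLF")
    try:
        text = raw_head[:-4].decode("ascii")
    except UnicodeDecodeError:
        raise SmugglingError("non-ASCII byte in request head") from None
    if "\r" in text.replace("\r\n", "") or "\n" in text.replace("\r\n", ""):
        raise SmugglingError("bare CR or LF in request head")
    _request_line, *field_lines = text.split("\r\n")
    content_lengths: List[str] = []
    transfer_encodings: List[str] = []
    for line in field_lines:
        if line[:1] in (" ", "\t"):
            raise SmugglingError("obsolete line folding is not accepted")
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.match(name):  # also catches 'Content-Length : 6'
            raise SmugglingError(f"malformed header line {line!r}")
        value = value.strip(" \t")
        if name.lower() == "content-length":
            content_lengths.append(value)
        elif name.lower() == "transfer-encoding":
            transfer_encodings.append(value.lower())
    if content_lengths and transfer_encodings:
        raise SmugglingError("both Content-Length and Transfer-Encoding present")
    if transfer_encodings:
        if transfer_encodings != ["chunked"]:
            raise SmugglingError(f"unsupported Transfer-Encoding {transfer_encodings}")
        return None
    if not content_lengths:
        return 0
    if len(set(content_lengths)) != 1 or not content_lengths[0].isdigit():
        raise SmugglingError(f"conflicting or invalid Content-Length {content_lengths}")
    return int(content_lengths[0])


def rejects(fn: Callable[..., object], *args: object) -> bool:
    """True if fn(*args) raises SmugglingError, i.e. the input was refused."""
    try:
        fn(*args)
    except SmugglingError:
        return True
    return False


# Constructed samples: a user-controlled redirect target carrying a CR/LF and
# a second, attacker-written response (response splitting), and a request
# whose two framing headers disagree (6 bytes vs. chunked), so that a front
# end honouring one and a back end honouring the other desynchronise.
EVIL_LOCATION = "/home\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nPWNED"
CL_TE_REQUEST = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n")
CLEAN_REQUEST = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n\r\n"
```

With `EVIL_LOCATION` as the redirect target, `naive_build_response` emits bytes in which a lenient client finds two status lines, i.e. two responses, while `build_response` refuses the header outright. Rejecting is deliberately preferred to stripping: a stripped CR/LF can reappear after a second round of URL decoding or be reinserted by a downstream component, whereas a rejected request has no ambiguous form to reinterpret. The framing check likewise returns a length only when every component on the path would compute the same one.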
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
References
HTTP Message Splitting, Smuggling and Other Animals (Amit Klein, OWASP)