CAPEC-33: HTTP Request Smuggling
CAPEC Version: 3.9
Updated: 2023-01-24
Attack Pattern Description
Execution Flow
Step 1 Explore
[Survey network to identify target] The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.
- Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.
Step 1 Experiment
[Identify vulnerabilities in targeted HTTP infrastructure and technologies] The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, message sizes, and HTTP headers.
Step 2 Experiment
[Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities] The adversary sends maliciously crafted HTTP requests to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by a normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure's response to the normal/benign HTTP request, confirming the applicability of the identified vulnerabilities to the adversary's plan of attack.
- Continue the monitoring of HTTP traffic.
- Follow an unrecognized (sometimes an RFC-compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.
Step 1 Exploit
[Perform HTTP Request Smuggling attack] Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.
- Leverage techniques identified in the Experiment Phase.
Prerequisites
- An additional intermediary HTTP agent, such as an application firewall or a web caching proxy, between the adversary and the second agent (such as a web server), that sends multiple HTTP messages over the same network connection.
- Differences in the way the two HTTP agents parse and interpret HTTP requests and their headers.
- HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.
Skills Required
Resources Required
- Tools capable of crafting malicious HTTP messages and monitoring HTTP message responses.
Consequences
Scope: Confidentiality Integrity Availability
Technical Impact: Execute Unauthorized Commands
Scope: Confidentiality Access Control Authorization
Technical Impact: Gain Privileges
Scope: Integrity
Technical Impact: Modify Data
Mitigations
Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.
Configuration: front-end HTTP agents detect ambiguous requests.
Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.
Configuration: Disable reuse of back-end connections.
Configuration: Use HTTP/2 for back-end connections.
Configuration: Use the same web server software for front-end and back-end server.
Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.
Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.
Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers.
Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as:
Configuration: Install the latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers).
Configuration: Ensure that all HTTP infrastructure in the chain or network path utilizes a strict, uniform parsing process.
Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.
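As an added example (not part of the CAPEC entry), the following Python implements the rejection rules from the configuration mitigations above in one check: a request head is refused when it carries both Transfer-Encoding and Content-Length, duplicate or non-numeric Content-Length headers, a malformed header line (e.g. whitespace before the colon or a bare LF), or a Transfer-Encoding value that is not a registered coding ending in chunked. The function name `ambiguity_reasons`, the `_KNOWN_CODINGS` set and the `SAMPLES` request heads are assumptions constructed for this illustration.

```python
import re

# Strict RFC 9110 field-name token; "Transfer-Encoding : chunked" (space before
# the colon), obs-fold continuations and bare-LF lines all fail this and are rejected.
_FIELD_LINE = re.compile(r"([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*")
_KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress"}  # IANA-registered codings


def ambiguity_reasons(raw_head: str) -> list[str]:
    """Return the reasons a raw HTTP/1.1 request head (request line plus
    headers, CRLF-terminated, no body) should be rejected as ambiguous.
    An empty list means the message framing is unambiguous."""
    reasons, content_lengths, transfer_encodings = [], [], []
    for line in raw_head.split("\r\n")[1:]:
        if line == "":
            break  # end of the header block
        m = _FIELD_LINE.fullmatch(line)
        if m is None:
            reasons.append(f"malformed header line: {line!r}")
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "content-length":
            content_lengths.append(value)
        elif name == "transfer-encoding":
            transfer_encodings.append(value)
    if content_lengths and transfer_encodings:
        reasons.append("both Transfer-Encoding and Content-Length present")
    if len(content_lengths) > 1:
        reasons.append("multiple Content-Length headers")
    for v in content_lengths:
        if not re.fullmatch(r"[0-9]+", v):
            reasons.append(f"non-numeric Content-Length: {v!r}")
    if transfer_encodings:
        # Fold repeated list-valued headers as RFC 9110 allows, then require every
        # coding to be a registered token and 'chunked' to be the final one.
        codings = [c.strip().lower() for c in ",".join(transfer_encodings).split(",")]
        if any(c not in _KNOWN_CODINGS for c in codings) or codings[-1] != "chunked":
            reasons.append(f"unrecognized or mis-ordered Transfer-Encoding: {transfer_encodings!r}")
    return reasons


# Constructed sample request heads for demonstration; not from a real capture.
SAMPLES = {
    "clean_cl": "POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 13\r\n\r\n",
    "clean_te": "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n",
    "cl_and_te": "POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "double_cl": "POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nContent-Length: 20\r\n\r\n",
    "space_colon": "POST / HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding : chunked\r\n\r\n",
    "odd_coding": "POST / HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: xchunked\r\n\r\n",
}
```

A front-end agent would log the returned reasons and close the connection rather than forward the request, which also gives detection engineering a concrete signal to alert on.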
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| WASC | 26 | HTTP Request Smuggling |