CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE Version: 4.18
Updated: 2025-09-09
Weakness Description
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Common Consequences
Scope: Integrity, Non-Repudiation, Access Control
Technical Impact: Unexpected State, Hide Activities, Bypass Protection Mechanism
Note: An attacker could create HTTP messages to exploit a number of weaknesses, including 1) the message can trick the web server into associating a URL with another URL's webpage and caching the contents of that webpage (web cache poisoning attack), 2) the message can be structured to bypass the firewall protection mechanisms and gain unauthorized access to a web application, and 3) the message can invoke a script or a page that returns client credentials (similar to a Cross Site Scripting attack).
Potential Mitigations
Phase: Implementation
Description: Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Phase: Implementation
Description: Use only SSL communication.
Phase: Implementation
Description: Terminate the client session after each request.
Phase: System Configuration
Description: Turn all pages to non-cacheable.
Observed Examples
Reference: CVE-2022-24766
SSL/TLS-capable proxy allows HTTP smuggling when used in tandem with HTTP/1.0 services, due to inconsistent interpretation and input sanitization of HTTP messages within the body of another message
Reference: CVE-2021-37147
Chain: caching proxy server has improper input validation (CWE-20) of headers, allowing HTTP response smuggling (CWE-444) using an "LF line ending"
Reference: CVE-2020-8287
Node.js platform allows request smuggling via two Transfer-Encoding headers
Reference: CVE-2006-6276
Web servers allow request smuggling via inconsistent HTTP headers.
Reference: CVE-2005-2088
HTTP server allows request smuggling with both a "Transfer-Encoding: chunked" header and a Content-Length header
Reference: CVE-2005-2089
HTTP server allows request smuggling with both a "Transfer-Encoding: chunked" header and a Content-Length header
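The "strict HTTP parsing" mitigation and the observed examples above share one underlying rule: an intermediary must refuse any request whose body length could be read two ways, rather than pick one reading and forward it. The following is an added example, not code from the CWE entry or from any product it names; it implements that rule for HTTP/1.1 request heads, rejecting the patterns the examples list (Content-Length together with Transfer-Encoding, repeated Transfer-Encoding headers, transfer codings other than chunked, and bare-LF line endings). The sample requests are constructed for the example and are not captured traffic.

```python
"""Strict HTTP/1.1 request-framing check (added example, not from the CWE entry).

A front end that enforces these rules cannot disagree with its back end
about where one request ends and the next begins, which is the condition
every smuggling variant in the observed examples depends on.
"""
from __future__ import annotations

import re

# RFC 7230 token characters: a header name must be exactly one token,
# so whitespace before the colon ("Transfer-Encoding : chunked") fails here.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_REQUEST_LINE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ \S+ HTTP/1\.[01]$")
_DIGITS = re.compile(r"^[0-9]+$")


class FramingError(ValueError):
    """The request's message framing is ambiguous or malformed."""


def _ascii(b: bytes) -> str:
    try:
        return b.decode("ascii")
    except UnicodeDecodeError as exc:
        raise FramingError("non-ASCII byte in request head") from exc


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split the request head into (request line, [(name, value), ...]).

    CRLF is the only accepted line ending; obsolete line folding and
    whitespace between a header name and its colon are rejected.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("request head not terminated by CRLF CRLF")
    # Any LF left after removing CRLF pairs is a bare LF line ending.
    if b"\n" in head.replace(b"\r\n", b""):
        raise FramingError("bare LF line ending in request head")
    lines = head.split(b"\r\n")
    request_line = _ascii(lines[0])
    if not _REQUEST_LINE.match(request_line):
        raise FramingError(f"malformed request line: {request_line!r}")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(_ascii(name)):
            raise FramingError(f"malformed header line: {line!r}")
        headers.append((_ascii(name).lower(), _ascii(value).strip()))
    return request_line, headers


def body_framing(headers: list[tuple[str, str]]) -> tuple[str, int | None]:
    """Return ("chunked", None), ("content-length", n) or ("none", 0).

    Raises FramingError whenever two parsers could legitimately pick
    different body lengths for the same header block.
    """
    te = [v for k, v in headers if k == "transfer-encoding"]
    cl = [v for k, v in headers if k == "content-length"]
    if te and cl:
        raise FramingError("Content-Length and Transfer-Encoding both present")
    if len(te) > 1:
        raise FramingError("multiple Transfer-Encoding headers")
    if te:
        codings = [c.strip().lower() for c in te[0].split(",")]
        if codings != ["chunked"]:
            raise FramingError(f"transfer coding not accepted: {te[0]!r}")
        return ("chunked", None)
    if len(cl) > 1:
        raise FramingError("multiple Content-Length headers")
    if cl:
        if not _DIGITS.match(cl[0]):
            raise FramingError(f"non-numeric Content-Length: {cl[0]!r}")
        return ("content-length", int(cl[0]))
    return ("none", 0)


def classify(raw: bytes) -> str:
    """One-line verdict for a raw request, suitable for a proxy's log line."""
    try:
        _, headers = parse_head(raw)
        kind, length = body_framing(headers)
    except FramingError as exc:
        return f"reject: {exc}"
    if kind == "content-length":
        return f"content-length:{length}"
    return kind


# Constructed sample requests for the example (not captured traffic).
SAMPLES = {
    "plain": b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST /a HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "cl_and_te": b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "double_te": b"POST /a HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n0\r\n\r\n",
    "bare_lf": b"POST /a HTTP/1.1\r\nHost: example.test\nContent-Length: 5\r\n\r\nhello",
    "space_before_colon": b"POST /a HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:>18}: {classify(req)}")
```

The check deliberately rejects rather than normalises: rewriting a dubious request (for instance dropping the Content-Length when Transfer-Encoding is present) still leaves the intermediary guessing what the back end would have done, whereas a rejected request never reaches a second parser at all. Logging the `classify` verdict also gives a direct signal for the "Hide Activities" consequence listed above, since each rejection names the ambiguity that triggered it.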
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Technologies
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | HTTP Request Smuggling | - |
| WASC | 26 | HTTP Request Smuggling | - |
| WASC | 27 | HTTP Response Smuggling | - |