CAPEC-105: HTTP Request Splitting

HTTP Request Splitting

状态:Draft

Typical_Severify: High

攻击可能性:Medium

描述

HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.

相关攻击模式

ChildOf: CAPEC-220 |Client-Server Protocol Manipulation

PeerOf: CAPEC-34 |HTTP Response Splitting

Execution Flow Attack Setp

Setp 1 Explore

[Investigate Target Environment] Determine the technologies used in the target environment such as types of browsers, web servers, application firewalls, proxies, etc.

Setp 2 Exploit

[Post a malicious HTTP Request] Post a malicious HTTP request that will be interpreted as multiple HTTP requests when parsed on the server

前置条件

User-manipulateable HTTP Request headers are processed by the web server

所需技能

Level Medium

Good understanding of the HTTP protocol and the parsing mechanisms employed by various web servers

所需资源

A tool that allows for the sending of customized HTTP requests is required.

后果

Scope Impact Likelihood
Confidentiality Integrity Availability Execute Unauthorized Commands
Confidentiality Access Control Authorization Gain Privileges
C o n f i d e n t i a l i t y Read Data
I n t e g r i t y Modify Data

缓解措施

Make sure to install the latest vendor security patches available for the web server.

If possible, make use of SSL.

Install a web application firewall that has been secured against HTTP Request Splitting

Use web servers that employ a tight HTTP parsing process

实例

Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote attacker to conduct HTTP request splitting and smuggling attacks.

The vulnerability is due to an input validation error in the browser that allows attackers to manipulate certain headers to expose the browser to HTTP request splitting and smuggling attacks. Attacks may include cross-site scripting, proxy cache poisoning, and session fixation. In certain instances, an exploit could allow the attacker to bypass web application firewalls or other filtering devices.

Microsoft has confirmed the vulnerability and released software updates

相关CWE

436 | 解释冲突

444 | HTTP请求的解释不一致性(HTTP请求私运)

内容历史记录

提交

2014-06-23 | CAPEC Content Team | The MITRE Corporation

修改

2017-08-04 | CAPEC Content Team | The MITRE Corporation

Updated Related_Attack_Patterns, Resources_Required

2019-04-04 | CAPEC Content Team | The MITRE Corporation

Updated Related_Attack_Patterns