
New TE.0 HTTP Request Smuggling Vulnerability Affects Google Cloud Websites


HTTP Request Smuggling is a web security vulnerability that arises when different web servers or intermediaries handle the same sequence of HTTP requests inconsistently. Exploiting these inconsistencies allows attackers to manipulate the order of request processing, potentially leading to unauthorized access, security control bypass, session hijacking, or injection of malicious content into responses meant for other users. The flaw hinges on the components disagreeing about where one HTTP request ends and the next begins, so that a server processes the requests inaccurately.

Bugcrowd cybersecurity researchers recently collaborated to unveil key insights about HTTP Request Smuggling. The team, consisting of Paolo Arnolfo, a server-side vulnerability enthusiast, Guillermo Gregorio, a skilled hacker and dad superhero, and a stealthy genius going by the name @_medusa_1_, shed light on this security issue.

While cloud hosting offers security advantages, unknown HTTP Request Smuggling vectors can still pose significant threats. A recent discovery revealed that thousands of websites hosted on Google Cloud behind its Load Balancer were affected, compromising services such as Identity-Aware Proxy. To detect such vulnerabilities, the researchers used tools like http-garden against local servers and “spray-and-pray” techniques against bug bounty programs for cloud infrastructures. Bbscope, another tool, was used to compile extensive target lists for vulnerability research. The findings emphasize that HTTP Request Smuggling remains a prevalent and under-researched security concern.

A new variant of HTTP request smuggling, known as TE.0, was found to affect Google Cloud’s Load Balancer. This technique, similar to the CL.0 variant but relying on the Transfer-Encoding header, facilitated mass 0-click account takeovers on vulnerable systems. Thousands of targets, including those guarded by Google’s Identity-Aware Proxy, fell victim to this vulnerability, particularly websites that defaulted to HTTP/1.1 rather than HTTP/2.
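The framing disagreement behind this class of bug can be made concrete with a small differential check. The following is an added example, not code from the article or the researchers: it measures where one request ends for a hop that honours `Transfer-Encoding: chunked` and for a hop that ignores it, and returns the bytes the two disagree on. Modelling the TE.0 condition as a back end that ignores Transfer-Encoding (by analogy with CL.0) is an assumption, and the function names and sample requests are constructed for illustration.

```python
# Added example: simplified parsers and constructed sample requests (assumptions).
CRLF = b"\r\n"

def parse_head(raw: bytes):
    """Return (lower-cased header dict, offset where the body starts) for the first request."""
    head_end = raw.index(CRLF + CRLF) + 4
    headers = {}
    for line in raw[:head_end - 4].split(CRLF)[1:]:      # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, head_end

def chunked_end(raw: bytes, pos: int) -> int:
    """Walk a chunked body from pos; return the offset just past its terminating chunk."""
    while True:
        line_end = raw.index(CRLF, pos)
        size = int(raw[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            # No trailers: a bare CRLF ends the body; otherwise skip to the blank line.
            return pos + 2 if raw.startswith(CRLF, pos) else raw.index(CRLF + CRLF, pos) + 4
        pos += size + 2                                   # chunk data plus its CRLF

def request_end(raw: bytes, honor_te: bool) -> int:
    """Offset where the first request ends, with or without Transfer-Encoding support."""
    headers, body_start = parse_head(raw)
    if honor_te and b"chunked" in headers.get(b"transfer-encoding", b""):
        return chunked_end(raw, body_start)
    return body_start + int(headers.get(b"content-length", b"0"))

def disputed_bytes(raw: bytes) -> bytes:
    """Bytes one hop reads as body while the other would read them as a new request."""
    a, b = request_end(raw, honor_te=True), request_end(raw, honor_te=False)
    return raw[min(a, b):max(a, b)]

# Constructed samples: the same five-byte body framed two ways.
CHUNKED = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
FIXED = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
```

A non-empty result means the two hops would split the same connection into different requests, which is the condition a front end and its back ends must never reach; the `Content-Length` sample yields no disputed bytes because both models agree on its length.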

The discovery of TE.0 HTTP Request Smuggling vulnerability showcases the evolving nature of these techniques and underscores the importance of ongoing security research in cloud infrastructures. This flaw compromised Google’s Load Balancer and bypassed the stringent authentication and authorization measures of Google Identity-Aware Proxy, violating its “never trust, always verify” principle. The vulnerability allowed malicious actions such as site-wide redirects and unauthorized use of application-specific widgets, potentially resulting in severe security breaches.

Though not all TE.0 attacks had dire consequences, they managed to evade IAP protection, prompting Google to acknowledge the issue after initial challenges. This acknowledgment highlighted the complexity of addressing loopholes in cloud infrastructure.

Persistent attempts to exploit HTTP request smuggling techniques revealed a significant vulnerability in Google Cloud’s infrastructure. The research, driven by curiosity and culminating in a valuable lesson in cybersecurity, underscored the importance of creative problem-solving in safeguarding web applications.

In conclusion, the discovery of TE.0 HTTP Request Smuggling vulnerability underscores the ongoing evolution of security threats in cloud infrastructures and the critical need for proactive research and measures to mitigate such risks. Vigilance, creativity, and collaboration are essential in addressing vulnerabilities and protecting online systems from malicious exploitation.
