Love Andren, Junior Application Security Auditor at Outpost24, spoke with IT Security Guru about the emerging threats of HTTP Request Smuggling and HTTP/2 Downgrading, shedding light on the potential consequences and mitigation strategies.
HTTP Request Smuggling is a vulnerability that arises because web servers accept two separate methods of determining a request’s body length: the Transfer-Encoding header and the Content-Length header. Love explained that if both are sent in a single request, the front-end and back-end servers may interpret the request differently, leaving the back-end server desynchronised from the front-end. This desynchronisation allows an attacker to smuggle a second HTTP request inside the first one, posing a significant security risk. The impact ranges from hijacking sessions to bypassing access control and even enabling Cross-Site Scripting attacks.
Love also discussed HTTP/2 Downgrading, which occurs when legacy back-end servers exclusively use HTTP/1, so the front-end must translate HTTP/2 requests into HTTP/1.1. Problems arise when the front-end server accepts headers it shouldn’t, namely HTTP/1 headers specifying the length of the request. An HTTP/2 request whose body contains another request, but which carries a specified body length of “0”, can cause the front-end server to see it as two separate requests when converting to HTTP/1.1, thereby reintroducing request smuggling in HTTP/2 scenarios.
Both of these vulnerabilities can have catastrophic implications for a web application if successfully exploited. Love emphasized the need for organizations and security teams to be aware of these threats and the potential impact they can have. He also highlighted the complexity of the exploit, noting that it might be overlooked in favor of more common and easily executed exploits like XSS or authorization issues.
When asked about the future prominence of these threats, Love expressed uncertainty but underscored the importance of security engineers and ethical hackers becoming more familiar with these complex exploits to mitigate potential attacks and ultimately bring value to their customers.
In terms of mitigation strategies, Love emphasized the need to configure front- and back-end servers to use the same header for determining the length in HTTP/1-based request smuggling. Additionally, blocking ambiguous requests and always checking the body of the request, regardless of the specified length, are important steps. For request smuggling introduced by HTTP/2, enabling end-to-end HTTP/2 communication and blocking requests containing HTTP/1 headers specifying the body’s size were recommended. Love also highlighted the importance of blocking other techniques used in request smuggling attacks, such as CRLF sequence injections.
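The following is an added illustration of those mitigations, not code from Outpost24 or from the interview: a hypothetical proxy-side check that rejects HTTP/1.1 requests carrying ambiguous framing headers and, for the HTTP/2 downgrade case, refuses to forward a request whose Content-Length disagrees with the length of the body the HTTP/2 frames actually delivered. The request bytes in the tests are constructed samples.

```python
"""Defensive framing checks for a reverse proxy (hypothetical helper, not vendor code)."""
from typing import Dict, List, Tuple


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP/1.1 request head into the request line and (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def framing_verdict(raw: bytes) -> str:
    """Return 'ok' when the body length is unambiguous, else a rejection reason.

    Mirrors the HTTP/1 mitigation on the page: one framing header only, and no
    Transfer-Encoding value that front-end and back-end might read differently.
    """
    _, headers = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        return "reject: both Content-Length and Transfer-Encoding present"
    if len(set(cl)) > 1:
        return "reject: conflicting Content-Length values"
    if any(not v.isdigit() for v in cl):
        return "reject: non-numeric Content-Length"
    # Only the exact token "chunked" (case-insensitive) is accepted; obfuscated
    # variants are exactly what lets two parsers disagree, so they are refused.
    if te and te[-1].lower() != "chunked":
        return "reject: unrecognised Transfer-Encoding"
    return "ok"


def h2_downgrade_verdict(headers: Dict[str, str], body: bytes) -> str:
    """HTTP/2 frames carry the real body length; HTTP/1 framing headers must agree or be dropped.

    Mirrors the HTTP/2 mitigation on the page: a request that says its body is
    "0" bytes long but actually delivers a body is refused before downgrading.
    """
    if "transfer-encoding" in headers:
        return "reject: Transfer-Encoding has no meaning in HTTP/2"
    cl = headers.get("content-length")
    if cl is not None and (not cl.isdigit() or int(cl) != len(body)):
        return "reject: Content-Length does not match HTTP/2 body length"
    return "ok"
```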
In conclusion, understanding these vulnerabilities and implementing effective mitigation strategies is crucial for organizations to protect their web applications from potential exploitation and the associated risks. With the guidance and expertise of professionals like Love Andren, security teams can stay ahead of emerging threats and secure their digital assets effectively.