Request Smuggling
Description
HTTP Request Smuggling occurs when a reverse proxy or load balancer (the front end) and the backend web server disagree about where one HTTP/1.1 request ends and the next begins. Because the front end forwards many clients' requests over a small pool of reused backend connections, any bytes the front end forwards that the backend does not consume as part of the current request remain on that connection and are prepended to the next request the backend reads, which is usually another user's. This parsing inconsistency lets an attacker inject (or "smuggle") a request prefix into another user's request stream. The ambiguity typically comes from the two components choosing different headers to determine the body length, Content-Length versus Transfer-Encoding (the CL.TE, TE.CL and TE.TE variants), enabling attackers to bypass front-end access controls, capture other users' requests and poison the request queue without authentication.
Remediation
To remediate HTTP Request Smuggling vulnerabilities, ensure consistent HTTP parsing across all infrastructure components:
1. Normalize HTTP Parsing Behavior:
- Configure all reverse proxies, load balancers, and backend servers to use the same HTTP parsing library or engine
- Ensure all components handle ambiguous requests identically (reject rather than interpret differently)
- Reject any request that carries both a Content-Length and a Transfer-Encoding header, instead of letting each component pick the one it prefers
2. Use HTTP/2 End-to-End:
- Deploy HTTP/2 from the client through every intermediary to the backend server: HTTP/2 carries an explicit length in every DATA frame, so there is no Content-Length/Transfer-Encoding ambiguity on an end-to-end HTTP/2 connection
- This protection is lost when the front end terminates HTTP/2 and downgrades to HTTP/1.1 towards the backend, because it must then synthesize HTTP/1.1 framing for the request; if HTTP/1.1 must be used on the backend leg, the front end must derive the body length from the frames it actually received, drop or validate any Content-Length or Transfer-Encoding headers supplied by the client, and reject header names and values containing CR, LF or other characters that would create new lines in the downgraded request
3. Configure Reverse Proxy/Load Balancer Settings:
- Reject requests with both Content-Length and Transfer-Encoding headers (recent NGINX releases already answer such requests with 400)
- Reject requests with multiple Content-Length headers, or a Content-Length that is not a plain decimal number
- Reject ambiguous requests outright rather than normalizing them; where the front end does re-frame a request, it must forward a single unambiguous length so the backend never sees the client's original framing
- Example configuration for NGINX (note that these directives do not reject anything by themselves: proxy_request_buffering on makes NGINX read the whole client body before proxying and re-frame it for the upstream with an explicit Content-Length, while proxy_http_version 1.1 with an empty Connection header is the usual pair for upstream keepalive, which is safe only once framing is normalized, because connection reuse is what lets a smuggled prefix reach another user's request):
    # Buffer and re-frame the client body before it reaches the upstream
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_request_buffering on;
4. Backend Server Hardening:
- Configure strict HTTP parsing mode on application servers
- Disable tolerance for malformed requests; a backend that silently repairs a request is the one most likely to disagree with the front end
- Example for Apache Tomcat (server.xml):
    <!-- rejectIllegalHeader: answer 400 instead of ignoring a header that is not valid HTTP;
         allowHostHeaderMismatch: reject requests whose Host header differs from the request-line authority -->
    <Connector port="8080" protocol="HTTP/1.1"
               allowHostHeaderMismatch="false"
               rejectIllegalHeader="true" />
5. Validation and Testing:
- Regularly test for request smuggling using tools built for it, such as the HTTP Request Smuggler extension for Burp Suite or smuggler.py, and retest after any change to a proxy, load balancer or web server
- Implement automated testing in CI/CD pipelines to detect configuration drift
- Monitor for the side effects of smuggling probes and attacks: backend 400/405 responses to requests the front end accepted, responses that do not match the request a client sent, and backend connections that hang waiting for a body that never arrives
6. Network Architecture:
- Treat connection reuse between the front end and the backend as the precondition for cross-user impact: if the front end opens a fresh backend connection per client request (or the backend closes the connection after each request), leftover bytes cannot reach another user, at a performance cost; where persistent connections are kept, the front end must normalize request framing before forwarding
- Consider using a single vendor solution for the entire HTTP processing chain to ensure parsing consistency, and keep every component on a current release
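A worked example of the parsing inconsistency described above and of the reject-ambiguous-requests check from step 3, added here as an illustration; it is not code from the original page. The requests, the example.test host, the /admin path and all function names are constructed for the demonstration, and the check is a conservative reference implementation rather than the logic of any particular proxy:

```python
# Added example (not code from the original page). Frames one constructed CL.TE
# request under both HTTP/1.1 body-length rules to show the desync, then applies
# the reject-ambiguous-requests check from the remediation steps.
from typing import Dict, List, Optional, Tuple

Header = Tuple[bytes, bytes]

# Constructed probe: Content-Length covers all 32 body bytes, but a chunked
# parser stops after the zero-length chunk and leaves SMUGGLED_PREFIX unread.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nFoo: x"
RAW = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"   # hypothetical host
    b"Content-Length: 32\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\n" + SMUGGLED_PREFIX
)
# Constructed request from a different client on the same reused backend socket.
NEXT_CLIENT = b"GET /home HTTP/1.1\r\nHost: example.test\r\n\r\n"
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
DUP_CL = b"POST / HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello"


def split_request(raw: bytes) -> Tuple[bytes, List[Header], bytes]:
    """Split a raw HTTP/1.1 request into (start line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Name is lower-cased but NOT stripped: "Transfer-Encoding : chunked"
        # (space before the colon) is a known obfuscation that must stay visible.
        headers.append((name.lower(), value.strip(b" \t")))
    return lines[0], headers, body


def frame_by_content_length(headers: List[Header], body: bytes) -> Tuple[bytes, bytes]:
    """Framing of a Content-Length-first parser: (consumed, leftover)."""
    length = int(next(v for n, v in headers if n == b"content-length"))
    return body[:length], body[length:]


def frame_by_chunked(body: bytes) -> Tuple[bytes, bytes]:
    """Framing of a Transfer-Encoding-first parser (RFC 9112 chunked coding):
    (consumed, leftover). Leftover bytes stay on the connection and become the
    start of the next request this parser reads."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # ignore extensions
        pos = eol + 2
        if size == 0:  # last chunk: skip optional trailer fields up to the empty line
            while True:
                eol = body.index(b"\r\n", pos)
                line, pos = body[pos:eol], eol + 2
                if not line:
                    return body[:pos], body[pos:]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += size + 2


def reject_ambiguous(headers: List[Header]) -> Optional[str]:
    """Edge check from step 3: a reason to reject any request whose body length
    could be read two ways, or None if the framing is unambiguous."""
    for name, _ in headers:
        if not name or name != name.strip(b" \t"):
            return "malformed header name"
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        return "both Content-Length and Transfer-Encoding present"
    if len(cl) > 1:
        return "multiple Content-Length headers"
    if cl and not cl[0].isdigit():
        return "non-numeric Content-Length"
    # Conservative: only a single, exact "chunked" is accepted; "xchunked",
    # "gzip, chunked" or duplicate TE lines are treated as ambiguous.
    if te and (len(te) > 1 or te[0].lower() != b"chunked"):
        return "unsupported or obfuscated Transfer-Encoding"
    return None


def backend_start_line_after_desync(leftover: bytes, next_raw: bytes) -> bytes:
    """The backend prepends unread leftover bytes to the next client's request."""
    return split_request(leftover + next_raw)[0]


def demonstrate() -> Dict[str, object]:
    """Run the probe through both framings and through the hardened check."""
    _, headers, body = split_request(RAW)
    fe_body, fe_left = frame_by_content_length(headers, body)  # front end's view
    be_body, be_left = frame_by_chunked(body)                  # backend's view
    return {
        "front_end_forwards": len(fe_body), "front_end_leftover": fe_left,
        "back_end_body": be_body, "back_end_leftover": be_left,
        "next_request_line_seen_by_backend":
            backend_start_line_after_desync(be_left, NEXT_CLIENT),
        "hardened_verdict": reject_ambiguous(headers),
    }
```

Calling demonstrate() shows the front end forwarding all 32 body bytes while the backend's chunked parser consumes only the five-byte terminator, so the smuggled prefix becomes the request line of the next client's request and that client's own request line is swallowed into a header. The same headers make reject_ambiguous() return a rejection reason, which is the edge behaviour step 3 asks for.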