Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

End of Bibblio RCM includes -->
04:45 PM
Connect Directly

Free Tool Scans Web Servers for Vulnerability to HTTP Header-Smuggling Attacks

A researcher will release an open source tool at Black Hat Europe next week that roots out server weaknesses to a sneaky type of attack.

A researcher has created a method for testing and identifying how HTTP/HTTPS headers can be abused to sneak malicious code into back-end servers.

Daniel Thatcher, researcher and penetration tester at Intruder, will present his new research on so-called HTTP header-smuggling at Black Hat Europe, in London next week. He also will release a free tool for testing Web servers for weaknesses that could allow an attacker to pull off this Web attack.

HTTP (and HTTPS) headers carry information such as the client's browser, cookies, and IP address, as well as the requested Web page. Thatcher has been studying header-smuggling, which he explains is related to, but not the same as, HTTP request-smuggling attacks.

HTTP request-smuggling attack methods have been studied and well-documented by researchers James Kettle of Portswigger and Amit Klein. With this tactic, an attacker could send Web requests that purposely desynchronize how front-end and back-end Web servers process them, leading to other attack opportunities, such as cross-site scripting.

"Header-smuggling and request-smuggling are separate," but header-smuggling can be used to smuggle a malicious request, Thatcher explains.

Header-smuggling is a technique in which a front-end server sneaks malicious or phony information to the back-end server within the HTTP header, for example.

Thatcher says header-smuggling can be used to exploit other weaknesses in Web applications as well. He plans to demonstrate how header smuggling was used to bypass IP-address restrictions in the AWS API Gateway, resulting in a cache-poisoning exploit. He wouldn't give away any details just yet on the AWS research but says it was a "specific issue" in the AWS gateway.

In his research, Thatcher found HTTP header-smuggling made cache-poisoning easier than it typically can be. This could allow an attacker to overwrite any cached pages with their own content, he says.

"I've developed a methodology which leverages the errors HTTP servers return when an invalid value is provided in the 'Content-Length' header, which typically should be an integer," Thatcher says. "You can then start looking at other headers using this mutation to see if any interesting behavior can be generated by sneaking headers through to the back-end server."

So who's the responsible party to fix or prevent this type of HTTP/HTTPS abuse? 

"That's a really interesting question," Thatcher says. "You've got this situation where two different Web servers from two different organizations combine to create the issue. It's not an issue that they've done anything wrong or messed up. ... It requires a level of cooperation from every Web server."

Not all implementations of the HTTP standards are equal: "The HTTP standards set out fairly strict rules on what a request should look like," he says, but not all Web server developers "stick" with those rules. "A lot of Web servers are very generous in how they pass a request," Thatcher adds.

The good news is his research appears to be ahead of the bad guys — so far, anyway. 

"As far as I know, we've never heard of any of this in the wild," he says. "Not yet."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-02-04
A vulnerability classified as problematic was found in NREL api-umbrella-web 0.7.1. This vulnerability affects unknown code of the component Flash Message Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 0.8.0 is able to address this...
PUBLISHED: 2023-02-04
A vulnerability was found in Segmentio is-url up to 1.2.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. Upgrading to version 1.2.3...
PUBLISHED: 2023-02-04
Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10.
PUBLISHED: 2023-02-04
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.
PUBLISHED: 2023-02-04
A vulnerability was found in fanzila WebFinance 0.5. It has been classified as critical. Affected is an unknown function of the file htdocs/admin/save_roles.php. The manipulation of the argument id leads to sql injection. The name of the patch is 6cfeb2f6b35c1b3a7320add07cd0493e4f752af3. It is recom...