Free Tool Scans Web Servers for Vulnerability to HTTP Header-Smuggling Attacks

A researcher will release an open source tool at Black Hat Europe next week that roots out server weaknesses to a sneaky type of attack.

A researcher has created a method for testing and identifying how HTTP/HTTPS headers can be abused to sneak malicious code into back-end servers.

Daniel Thatcher, researcher and penetration tester at Intruder, will present his new research on so-called HTTP header-smuggling at Black Hat Europe, in London next week. He also will release a free tool for testing Web servers for weaknesses that could allow an attacker to pull off this Web attack.

HTTP (and HTTPS) headers carry information such as the client's browser, cookies, and IP address, as well as the requested Web page. Thatcher has been studying header-smuggling, which he explains is related to, but not the same as, HTTP request-smuggling attacks.

HTTP request-smuggling attack methods have been studied and well-documented by researchers James Kettle of Portswigger and Amit Klein. With this tactic, an attacker could send Web requests that purposely desynchronize how front-end and back-end Web servers process them, leading to other attack opportunities, such as cross-site scripting.

"Header-smuggling and request-smuggling are separate," but header-smuggling can be used to smuggle a malicious request, Thatcher explains.

Header-smuggling is a technique in which malicious or phony information is slipped past the front-end server and through to the back-end server inside an HTTP header.

Thatcher says header-smuggling can be used to exploit other weaknesses in Web applications as well. He plans to demonstrate how header smuggling was used to bypass IP-address restrictions in the AWS API Gateway, resulting in a cache-poisoning exploit. He wouldn't give away any details just yet on the AWS research but says it was a "specific issue" in the AWS gateway.

In his research, Thatcher found HTTP header-smuggling made cache-poisoning easier than it typically can be. This could allow an attacker to overwrite any cached pages with their own content, he says.

"I've developed a methodology which leverages the errors HTTP servers return when an invalid value is provided in the 'Content-Length' header, which typically should be an integer," Thatcher says. "You can then start looking at other headers using this mutation to see if any interesting behavior can be generated by sneaking headers through to the back-end server."

So who's the responsible party to fix or prevent this type of HTTP/HTTPS abuse? 

"That's a really interesting question," Thatcher says. "You've got this situation where two different Web servers from two different organizations combine to create the issue. It's not an issue that they've done anything wrong or messed up. ... It requires a level of cooperation from every Web server."

Not all implementations of the HTTP standards are equal: "The HTTP standards set out fairly strict rules on what a request should look like," he says, but not all Web server developers "stick" with those rules. "A lot of Web servers are very generous in how they pass a request," Thatcher adds.
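The strict rules Thatcher refers to can be enforced at the parsing layer. The following is an added example, not Thatcher's tool or any project's code: a minimal header parser that refuses what a lenient server might quietly accept, including a non-integer Content-Length (the mutation the article describes) and field names that contain non-token characters. The sample requests are constructed for illustration.

```python
import re

# RFC 7230 "token" characters permitted in a header field-name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_DIGITS = re.compile(r"^[0-9]+$")


class BadRequest(ValueError):
    """Raised for any request a strict front end should refuse outright."""


def parse_headers(raw: bytes) -> dict:
    """Strictly parse the header block of a raw HTTP/1.1 request.

    Returns a dict of lowercased field names to values. Rejects a field name
    that is not a token (this also catches whitespace before the colon), a
    Content-Length that is not a plain integer, conflicting duplicate
    Content-Length values, and Content-Length combined with Transfer-Encoding,
    since each of these is a spot where two servers may disagree.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0]:
        raise BadRequest("missing request line")
    headers: dict = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name.decode("ascii", "replace")):
            raise BadRequest(f"malformed field name: {line!r}")
        key = name.decode("ascii").lower()
        val = value.strip(b" \t").decode("ascii", "replace")
        if key == "content-length":
            if not _DIGITS.match(val):
                raise BadRequest(f"Content-Length is not an integer: {val!r}")
            if key in headers and headers[key] != val:
                raise BadRequest("conflicting Content-Length values")
        headers[key] = val
    if "content-length" in headers and "transfer-encoding" in headers:
        raise BadRequest("Content-Length and Transfer-Encoding both present")
    return headers


# Constructed sample requests (hypothetical host, not from the article).
GOOD = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
BAD_VALUE = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: abc\r\n\r\n"
BAD_NAME = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello"


def is_strictly_valid(raw: bytes) -> bool:
    """True if parse_headers accepts the request, False if it rejects it."""
    try:
        parse_headers(raw)
        return True
    except BadRequest:
        return False
```

Running the same request through a strict parser in front of every hop is the kind of per-server cooperation the article says the fix requires.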

The good news is his research appears to be ahead of the bad guys — so far, anyway. 

"As far as I know, we've never heard of any of this in the wild," he says. "Not yet."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
