{"vuid":"VU#357312","idnumber":"357312","name":"HTTP Request Smuggling in Web Proxies","keywords":null,"overview":"### Overview\r\nHTTP web proxies and web accelerators that support HTTP/2 for an HTTP/1.1 backend webserver are vulnerable to HTTP Request Smuggling.\r\n\r\n### Description\r\nThe affected systems allow invalid characters such as carriage return and newline characters in HTTP/2 headers. When an attacker passes these invalid contents to a vulnerable system, the forwarded HTTP/1 request includes the unintended malicious data. This is commonly known as HTTP Request Splitting. In the case of HTTP web proxies, this vulnerability can lead to HTTP Request Smuggling, which enables an attacker to access protected internal sites.\r\n\r\n### Impact\r\nAn attacker can send a crafted HTTP/2 request with malicious content to bypass network security measures, thereby reaching internal protected servers and accessing sensitive data.\r\n\r\n### Solution\r\n#### Apply updates\r\nInstall vendor-provided patches and updates to ensure malicious HTTP/2 content is blocked or rejected as described in [RFC 7540 (Section 8.1.2.6)](https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.6) and [RFC 7540 (Section 10.3)](https://datatracker.ietf.org/doc/html/rfc7540#section-10.3). Both \"request\" and \"response\" should be inspected by the web proxy and rejected in accordance with Stream Error Handling as described in [RFC 7540 (Section 5.4.2)](https://datatracker.ietf.org/doc/html/rfc7540#section-5.4.2).\r\n\r\n#### Inspect and block anomalous HTTP/2 traffic\r\nIf HTTP/2 is not supported, block the protocol on the web proxies to avoid abuse of the HTTP/2 protocol. Where HTTP/2 is supported, enforce strict rules for HTTP header checks to ensure malicious headers are normalized or rejected.\r\n\r\nChecks of this type include:\r\n* HTTP headers with an invalid header name or value\r\n* HTTP headers with an invalid or missing Content-Length\r\n* Unsupported or invalid HTTP methods\r\n\r\n#### Test and verify your web proxy\r\nScan your public web proxy with the OWASP-recommended [tests](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling) to ensure your web servers are not vulnerable to abuse via HTTP response splitting.\r\n\r\n### Acknowledgements\r\nThanks to the reporter James Kettle of [PortSwigger](https://portswigger.net/research/http2) for the information about this vulnerability.\r\n\r\nThis document was written by Timur Snoke.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://portswigger.net/research/request-smuggling","https://datatracker.ietf.org/doc/html/rfc7540","https://portswigger.net/research/http2","https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling"],"cveids":[],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2021-08-06T12:23:44.852491Z","publicdate":"2021-08-06T12:23:44.237148Z","datefirstpublished":"2021-08-06T12:23:44.875069Z","dateupdated":"2021-08-12T11:44:33.207712Z","revision":3,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":52}