Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond

Presented at Black Hat Europe 2021, Nov. 10, 2021, 2:30 p.m. (30 minutes).

Web applications commonly rely on proxy servers adding, modifying, or filtering HTTP headers to pass information to back-end servers. Research in recent years has shown how flawed implementations of these actions can lead to severe security vulnerabilities such as HTTP request smuggling, authentication bypasses, and cache poisoning. Recent request smuggling research has developed new ways to modify headers to abuse these flawed implementations, a technique known as "header smuggling". While often overlooked, header smuggling, when explored as its own technique, can be used to trigger interesting and exploitable behaviours in web applications.

I will present a new methodology for identifying how HTTP headers can be modified to achieve header smuggling using a small number of requests. I will then show how this methodology was used to bypass IP address restrictions in AWS API Gateway, and to achieve cache poisoning. I will also demonstrate how to safely detect request smuggling vulnerabilities based on multiple "Content-Length" headers ("CL.CL" request smuggling) in black-box scenarios. The tooling developed for this research will be released to help others identify new vulnerabilities using this methodology.

This methodology allows for much more extensive testing of the HTTP headers and values that trigger exploitable behaviour in back-end servers. Vulnerabilities that have previously taken an impractically large number of requests to find, and so are not widely searched for, can now be easily identified.


Presenters:

  • Daniel Thatcher - Researcher and Penetration Tester, Intruder
    Daniel Thatcher is a researcher and penetration tester at Intruder. His research focuses on discovering new techniques in application security.