CAPEC - CAPEC-33: HTTP Request Smuggling (Version 3.9)


CAPEC Common Attack Pattern Enumeration and Classification A Community Resource for Identifying and Understanding Attacks	New to CAPEC? Start Here

Home > CAPEC List > CAPEC-33: HTTP Request Smuggling (Version 3.9)

CAPEC-33: HTTP Request Smuggling

Attack Pattern ID: 33

Abstraction: Detailed

View customized information:

Description

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.

Extended Description

A maliciously crafted HTTP request, which contains a second secretly embedded HTTP request is interpreted by an intermediary web proxy as single benign HTTP request, is forwarded to a back-end server, that interprets and parses the HTTP request as two authorized benign HTTP requests bypassing security controls.

This attack usually involves the misuse of the HTTP headers: Content-Length and Transfer-Encoding. These abuses are discussed in RFC 2616 #4.4.3 and section #4.2 and are related to ordering and precedence of these headers. [REF-38]

Additionally this attack can be performed through modification and/or fuzzing of parameters composing the request-line of HTTP messages.

This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.

This differs from CAPEC-273 HTTP Response Smuggling, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Request Smuggling is an attempt to compromise a back-end HTTP agent via HTTP Request messages.

HTTP Splitting (CAPEC-105 and CAPEC-34) is different from HTTP Smuggling due to the fact that during implementation of asynchronous requests, HTTP Splitting requires the embedding/injection of arbitrary HTML headers and content through user input into browser cookies or Ajax web/browser object parameters like XMLHttpRequest.

Alternate Terms

Term: HTTP Desync

Modification/manipulation of HTTP message headers, request-line and body parameters to disrupt and interfere in the interpretation and parsing of HTTP message lengths/boundaries for consecutive HTTP messages by HTTP agents in a HTTP chain or network path.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature	Type	ID	Name
ChildOf	Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	220	Client-Server Protocol Manipulation
PeerOf	Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	273	HTTP Response Smuggling
CanPrecede	Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	63	Cross-Site Scripting (XSS)
CanPrecede	Meta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	115	Authentication Bypass
CanPrecede	Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	141	Cache Poisoning
CanPrecede	Meta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	148	Content Spoofing
CanPrecede	Meta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	154	Resource Location Spoofing
CanPrecede	Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	593	Session Hijacking

Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.
Techniques
Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Techniques
Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Experiment

Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, message sizes, and HTTP headers.

Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP requests to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure response to the normal/benign HTTP request to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

Techniques
Continue the monitoring of HTTP traffic.
Utilize various combinations of HTTP Headers within a single HTTP Request such as: Content-Length & Transfer-Encoding (CL;TE), Transfer-Encoding & Content-Length (TE;CL), or double Transfer-Encoding (TE;TE), so that additional embedded requests or data in the body of the original request are unprocessed and treated as part of subsequent requests by the intended target HTTP agent. From these HTTP Header combinations the adversary observes any timing delays (usually in the form of HTTP 404 Error response) or any other unintended consequences. For CL;TE and TE;CL HTTP header combinations, the first HTTP agent, in the HTTP message path that receives the HTTP request, takes precedence or only processes one header but not the other, while the second/final HTTP agent processes the opposite header, allowing for embedded HTTP requests to be ignored and smuggled to the intended target HTTP agent. For TE;TE HTTP headers combination, all HTTP agents in HTTP message path process Transfer-Encoding header, however, adversary obfuscation (see Mitigations for details) of one of the Transfer-Encoding headers, by not adhering strictly to the protocol specification, can cause it to be unprocessed/ignored by a designated HTTP agent, hence allowing embedded HTTP requests to be smuggled. .
Construct a very large HTTP request using multiple Content-Length headers of various data lengths that can potentially cause subsequent requests to be ignored by an intermediary HTTP agent (firewall) and/or eventually parsed separately by the target HTTP agent (web server). Note that most modern HTTP infrastructure reject HTTP requests with multiple Content-Length headers.
Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.

Exploit

Perform HTTP Request Smuggling attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.
Techniques
Leverage techniques identified in the Experiment Phase.

Techniques
Leverage techniques identified in the Experiment Phase.

Prerequisites

An additional intermediary HTTP agent such as an application firewall or a web caching proxy between the adversary and the second agent such as a web server, that sends multiple HTTP messages over same network connection.

Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.

HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.

Skills Required

[Level: Medium]

Detailed knowledge on HTTP protocol: request and response messages structure and usage of specific headers.

[Level: Medium]

Detailed knowledge on how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers.

[Level: Medium]

Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.

Resources Required

Tools capable of crafting malicious HTTP messages and monitoring HTTP message responses.

Indicators

Differences in requests processed by the two agents. This requires careful monitoring or a capable log analysis tool.

Consequences

Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Confidentiality Integrity Availability	Execute Unauthorized Commands
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data

Mitigations

Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.

Configuration: front-end HTTP agents notice ambiguous requests.

Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.

Configuration: Disable reuse of back-end connections.

Configuration: Use HTTP/2 for back-end connections.

Configuration: Use the same web server software for front-end and back-end server.

Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.

Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.

Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers.

Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as:

Headers with no space before the value "chunked"
Headers with extra spaces
Headers beginning with trailing characters
Headers providing a value "chunk" instead of "chunked" (the server normalizes this as chunked encoding)
Headers with multiple spaces before the value "chunked"
Headers with quoted values (whether single or double quotations)
Headers with CRLF characters before the value "chunked"
Values with invalid characters

Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)

Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.

Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.

Example Instances

When using Haproxy 1.5.3 version as front-end proxy server with with Node.js version 14.13.1 or 12.19.0 as the back-end web server it is possible to use two same header fields for example: two Transfer-Encoding, Transfer-Encoding: chunked and Transfer-Encoding: chunked-false, to bypass Haproxy /flag URI restriction and receive the Haproxy flag value, since Node.js identifies the first header but ignores the second header. See also: CVE-2020-8287

When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks. See also: CVE-2006-6276

Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request with both "Content-Length" and a "Transfer-Encoding: chunked" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with "Transfer-Encoding: chunked" header without replacing the existing "Content-Length" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with "Content-Length: 0". See also: CVE-2005-2088

Related Weaknesses

Section HelpA Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

CWE-ID	Weakness Name
444	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Notes

Relationship

HTTP Smuggling is an evolution of previous HTTP Splitting techniques which are commonly remediated against.

Terminology

HTTP Splitting – "the act of forcing a sender of (HTTP) messages to emit data stream consisting of more messages than the sender’s intension. The messages sent are 100% valid and RFC compliant" [REF-117].

Terminology

HTTP Smuggling – "the act of forcing a sender of (HTTP) messages to emit data stream which may be parsed as a different set of messages (i.e. dislocated message boundaries) than the sender’s intention. This is done by virtue of forcing the sender to emit non-standard messages which can be interpreted in more than one way" [REF-117].

Taxonomy Mappings

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
26	HTTP Request Smuggling

References

[REF-38] "HTTP 1.1 Specification (RFC 2616)". IETF RFC. <http://www.ietf.org/rfc/rfc2616.txt>.

[REF-117] "HTTP Response Smuggling". Beyond Security. <http://www.securiteam.com/securityreviews/5CP0L0AHPC.html>.

[REF-617] "OWASP Web Security Testing Guide". The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html>.

[REF-672] Robert Auger. "HTTP Request Smuggling". The Web Application Security Consortium. 2010-01. <http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling>. URL validated: 2021年10月06日.

[REF-673] Dzevad Alibegovic. "HTTP Request Smuggling: Complete Guide to Attack Types and Prevention". NeuraLegion. 2021年08月23日. <https://www.neuralegion.com/blog/http-request-smuggling-hrs/>. URL validated: 2021年10月06日.

[REF-674] Busra Demir. "A Pentester’s Guide to HTTP Request Smuggling". Cobalt. 2020年10月15日. <https://cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling>. URL validated: 2021年10月06日.

[REF-678] Edi Kogan and Daniel Kerman. "HTTP Desync Attacks in the Wild and How to Defend Against Them". Imperva. 2019年10月29日. <https://www.imperva.com/blog/http-desync-attacks-and-defence-methods/>. URL validated: 2021年10月06日.

[REF-681] James Kettle. "HTTP Desync Attacks: Request Smuggling Reborn". PortSwigger. 2019年08月07日. <https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn>. URL validated: 2021年10月06日.

[REF-682] "HTTP request smuggling". PortSwigger. <https://portswigger.net/web-security/request-smuggling>. URL validated: 2021年10月06日.

[REF-683] "Finding HTTP request smuggling vulnerabilities". PortSwigger. <https://portswigger.net/web-security/request-smuggling/finding>. URL validated: 2021年10月06日.

[REF-684] "Exploiting HTTP request smuggling vulnerabilities". PortSwigger. <https://portswigger.net/web-security/request-smuggling/exploiting>. URL validated: 2021年10月06日.

Content History

Submissions
Submission Date	Submitter	Organization
2014年06月23日 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014年06月23日 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017年08月04日 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017年08月04日 (Version 2.11)	Updated Related_Attack_Patterns, Resources_Required
2018年07月31日 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018年07月31日 (Version 2.12)	Updated References
2020年07月30日 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020年07月30日 (Version 3.3)	Updated Related_Weaknesses
2020年12月17日 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020年12月17日 (Version 3.4)	Updated References, Taxonomy_Mappings
2021年10月21日 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021年10月21日 (Version 3.6)	Updated @Status, Alternate_Terms, Consequences, Description, Example_Instances, Execution_Flow, Extended_Description, Indicators, Mitigations, Notes, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required
2022年09月29日 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022年09月29日 (Version 3.8)	Updated Alternate_Terms, Description, Extended_Description

More information is available — Please select a different filter.

Page Last Updated or Reviewed: July 31, 2018


MITRE	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| CAPEC on Twitter CAPEC on LinkedIn CAPEC on YouTube CAPEC Out-of-Bounds-Read Podcast CAPEC Blog on Medium Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2025, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.	HSSEDI

Common Attack Pattern Enumeration and Classification

CAPEC-33: HTTP Request Smuggling