December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 9-7: Preventing HTTP Request Smuggling Attacks
This recipe shows you how to identify when attackers attempt to use path-traversal requests to access unauthorized data.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_40_generic_attacks.conf
- ModSecurity
- REQUEST_URI variable
- REQUEST_BODY variable
- REQUEST_HEADERS variable
- XML variable
- @rx operator
CAPEC-33: HTTP Request Smuggling
HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.
Sample Attacks
The following proof-of-concept example shows how HTTP Request Smuggling (HRS) works:
POST /somecgi.cgi HTTP/1.1
Host: www.target.site
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Content-Length: 45
GET /~attacker/foo.html HTTP/1.1
Something: GET /~victim/bar.html HTTP/1.1
Host: www.target.site
Connection: Keep-AliveThis example shows one HTTP request that has two Content-Length ...