Undertow / UNDERTOW-2595

Header Injection -> Request Smuggling


      1. Start up a basic Undertow server that echoes back the received
      headers and message body (such as the one here:
      https://github.com/narfindustries/http-garden/blob/main/images/undertow/GardenServer.java)
      2. Send it the following payload (note the space before `Content-Length`):
      `'POST / HTTP/1.1\r\n Content-Length: 27\r\nHost: a\r\n\r\nGET / HTTP/1.1\r\nHost: a\r\n\r\n'`
      ```
      printf 'POST / HTTP/1.1\r\n Content-Length: 27\r\nHost: a\r\n\r\nGET / HTTP/1.1\r\nHost: a\r\n\r\n' | ncat localhost 80
      ```
      3. Observe that the server stripped the spaces from our first header,
      and therefore saw only 1 request in the payload.

      Other web servers either (A) reject this request, or (B) see 2
      requests because they don't strip the whitespace from the first
      header. The discrepancy between Undertow and the servers in category B
      can be used to execute request smuggling attacks.


      When Undertow receives a request in which the first header line begins
      with one or more spaces, it strips them before processing the request.
      This is usable as a request smuggling primitive.

      The HTTP RFCs state that when a field-line begins with a space or tab,
      it is permissible to concatenate it into the previous field-line's
      value. This is referred to as `obs-fold` in the RFCs. However, it is
      always invalid to obs-fold on the first line, since there is no
      previous field-line to concatenate into. Thus, the message should be
      rejected.

      (This was reported privately to the security list in March, but no substantive response was received, and the ticket was closed).
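The discrepancy the report describes, as an added example that is not code from the Undertow project or from the HTTP Garden server the issue links to: a small HTTP/1.1 request splitter that applies three policies to a first field-line beginning with whitespace (reject it as RFC 9112 requires, strip the whitespace as the report says Undertow does, or keep it as part of the field name, which is one way a category B server ends up not recognising `Content-Length`). Run on the payload from the issue, the three policies see "rejected", 1 request and 2 requests respectively. The policy names, the `first_line_is_folded` check and the `smuggling_possible` helper are this example's own; only `Content-Length` framing is modelled.

```python
"""Model of the parsing discrepancy behind UNDERTOW-2595 (added example).

Three policies for a first field-line that begins with SP or HTAB:
  strict   - RFC 9112: obs-fold with no previous field-line is an error
  strip    - Undertow-like: drop the leading whitespace and keep parsing
  verbatim - keep the whitespace as part of the field name (one category B
             behaviour: " Content-Length" is not "Content-Length")
Chunked encoding, duplicate Content-Length and other framing rules are ignored.
"""
from __future__ import annotations

# Constructed copy of the payload from the issue, so this runs offline.
PAYLOAD = (
    b"POST / HTTP/1.1\r\n"
    b" Content-Length: 27\r\n"  # leading space: obs-fold with nothing to fold into
    b"Host: a\r\n"
    b"\r\n"
    b"GET / HTTP/1.1\r\n"       # exactly 27 bytes from here to the end
    b"Host: a\r\n"
    b"\r\n"
)

STRICT, STRIP, VERBATIM = "strict", "strip", "verbatim"


class ParseError(Exception):
    """Raised when a policy rejects the buffer or the buffer is incomplete."""


def first_line_is_folded(buf: bytes) -> bool:
    """True if the field-line right after the request-line starts with SP/HTAB."""
    lines = buf.split(b"\r\n", 2)
    return len(lines) > 1 and lines[1][:1] in (b" ", b"\t")


def parse_one(buf: bytes, policy: str) -> tuple[dict, bytes]:
    """Parse one request from the front of buf; return (request, unconsumed bytes)."""
    head_end = buf.find(b"\r\n\r\n")
    if head_end < 0:
        raise ParseError("incomplete head")
    head, rest = buf[:head_end], buf[head_end + 4:]
    request_line, *field_lines = head.split(b"\r\n")
    method, target, version = request_line.split(b" ", 2)

    headers: dict[bytes, bytes] = {}
    prev: bytes | None = None
    for line in field_lines:
        if line[:1] in (b" ", b"\t"):
            if prev is not None:
                # Ordinary obs-fold: the line continues the previous field value.
                headers[prev] += b" " + line.strip(b" \t")
                continue
            if policy == STRICT:
                raise ParseError("obs-fold on first field-line")
            if policy == STRIP:
                line = line.lstrip(b" \t")
            # VERBATIM falls through with the whitespace still in the name.
        name, _, value = line.partition(b":")
        name = name.lower()
        headers[name] = value.strip(b" \t")
        prev = name

    # Under VERBATIM the name is b" content-length", which does not match,
    # so the body is taken to be empty and the rest of the buffer is left over.
    length = int(headers.get(b"content-length", b"0"))
    if len(rest) < length:
        raise ParseError("incomplete body")
    request = {"method": method, "target": target, "headers": headers, "body": rest[:length]}
    return request, rest[length:]


def split_requests(buf: bytes, policy: str) -> list[dict]:
    """Split buf into as many requests as the policy sees."""
    requests = []
    while buf:
        request, buf = parse_one(buf, policy)
        requests.append(request)
    return requests


def classify(buf: bytes) -> dict[str, int | str]:
    """Number of requests each policy sees, or 'rejected'."""
    result: dict[str, int | str] = {}
    for policy in (STRICT, STRIP, VERBATIM):
        try:
            result[policy] = len(split_requests(buf, policy))
        except ParseError:
            result[policy] = "rejected"
    return result


def smuggling_possible(buf: bytes, front: str, back: str) -> bool:
    """True when a front-end using `front` and a back-end using `back` both
    accept buf but disagree on how many requests it contains."""
    counts = classify(buf)
    return (counts[front] != "rejected" and counts[back] != "rejected"
            and counts[front] != counts[back])


if __name__ == "__main__":
    print("first field-line folded:", first_line_is_folded(PAYLOAD))
    for policy, count in classify(PAYLOAD).items():
        print(f"{policy:8s} -> {count}")
    print("strip/verbatim pair smuggles:", smuggling_possible(PAYLOAD, STRIP, VERBATIM))
```

The `strict` policy is the one the report argues for: a folded line with no previous field-line has no valid meaning, so rejecting the message removes the discrepancy entirely. `first_line_is_folded` is the cheap check a proxy or WAF can apply before forwarding, since the condition is visible in the first two lines of the request.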

Assignee: Richard Opalka (ropalka)
Reporter: Ben Kallus (kenballus)
Votes: 0
Watchers: 2