English
Contact Us

The Platform

Solutions

Customers

Partners

Blog

More

Start the Democaret-right

Contact Uscaret-right
caret-left Back

Reveal(x)

The industry's only network detection
and
response platform that delivers the
360-degree
visibility needed to
uncover the cybertruth.

Deployment Model

SaaS-Based Solution >

On-Premises Solution >

Security

Network Detection and Response >

Intrusion Detection System >

Forensics >

Performance

Network Performance Monitoring >

Forensics >
caret-left Back

Solutions

Learn More

Use Cases

Explore By Industry Vertical
caret-left Back

Customers

Customer resources, training,
case studies, and more.

Learn More

Customer Community

Cybersecurity Services

ExtraHop Support
caret-left Back

Partners

Partner resources and information about our channel and technology partners.

Learn More

Work With Us! Become a Partner

Integrations and Automations

Partners
caret-left Back

Blog

Learn More
caret-left Back

About Us

Events & Newsroom

Careers

Resources

caret-left Back

About Us

See what sets ExtraHop apart, from our innovative approach to our corporate culture.

Learn More

Contact Us

caret-left Back

Events & Newsroom

Get the latest news and information.

Learn More

Sign Up for a Live Attack Simulation

Upcoming Webinars and Events

caret-left Back

Careers

We believe in what we're doing. Are you ready to join us?

Learn More

Careers at ExtraHop

Search Openings

Connect on LinkedIn

caret-left Back

Resources

Find white papers, reports, datasheets, and more by exploring our full resource archive.

All Resources

Customer Stories & Case Studies

Ransomware Attacks in 2021: A Retrospective

Cyberattack Glossary

Network Protocols Glossary

Documentation

Firmware

Training Videos

HTTP Request Smuggling: Definition, Examples, and Prevention

Risk Factors

Likelihood

Complexity

Business Impact

HTTP Request Smuggling

What Is HTTP Request Smuggling?

Websites often rely on load balancers, content delivery networks (CDNs), or reverse proxies to manage incoming HTTP requests over a single connection. HTTP request smuggling is a web application attack that takes advantage of inconsistencies in how front-end servers (proxies) and back-end servers process requests from more than one sender.

This can enable an attacker to bypass security controls and gain access to a site administration page, or open doors for other attack techniques such as cross-site scripting (XSS). HTTP request smuggling is sometimes referred to as HTTP desynchronization.

Here's a simple overview of how the attack works: When a server processes an HTTP request, the server determines the length (beginning and end) of the HTTP content by referring to the Content-Length or Transfer-Encoding headers. If both of these headers are present in the same request, they might provide conflicting information. To prevent a conflict, a server will ignore one of the headers.

However, a front-end proxy server might ignore a different header than a back-end server. HTTP request smuggling attacks include both headers in a request, followed by more inbound HTTP requests that are chained together in one HTTP connection. This causes a problem in how front-end and back-end servers determine the beginning and end of each request in the chain. The end of a malicious HTTP request is miscalculated, leaving malicious content unprocessed by one server and then added to the beginning of the next inbound request in the chain.

Examples of HTTP Request Smuggling

Transfer Encoding (TE.TE)

A header is obfuscated in order to prevent either the front-end or back-end server from processing it despite both supporting the Transfer-Encoding header.

Content-Length Transfer-Encoding (CL.TE)

A CL header and TE header are placed in the same HTTP request. The front-end server uses the CL header and ignores the TE header. The back-end server ignores the CL header and uses the TE header.

Transfer-Encoding Content-Length (TE.CL)

A TE header and CL header are placed in the same HTTP request.The front-end server uses the TE header and ignores the CL header. The back-end server uses the CL header and ignores the TE header.

Protection Against HTTP Request Smuggling

Certain IT optimizations can leave systems vulnerable to HTTP smuggling, such as the reuse of back-end server connections. Disabling reuse forces each request to be sent over a separate connection, reducing risk of HTTP desynchronization. Using HTTP/2 on back-end servers may also help mitigate unauthorized requests, as the protocol helps prevent ambiguity. Finally, many web application firewalls may help identify and block inconsistencies in HTTP request traffic, mitigating any potentially smuggled requests. Unfortunately, firewalls may also serve as a mechanism for smuggling.

Detection of HTTP request smuggling attacks can be enhanced using decryption. HTTP request smuggling attacks typically occur against public facing services via HTTPs. For this reason, it's critical that security tools have decryption capabilities for all commonly encrypted industry protocols such as TLS.

HTTP Request Smuggling History

HTTP request smuggling was first reported in 2005 in a paper published by the security software provider Watchfire. In 2020, researchers at SafeBreach, (which included Armit Klein, one of the original authors of the Watchfire paper) discovered new variants of the attack that use identical vulnerabilities in both proxy servers and back-end servers. While there are no known proof-of-concept exploits of these newly discovered variants, the consequences of the exploits have been deemed dire for businesses and several software vendors have released patches.

Learn More About Threat Detection Strategy

Learn More