[WEB SECURITY] A new whitepaper by Watchfire - HTTP Request Smuggling

Ory Segal osegal at watchfire.com
Mon Jun 6 09:17:55 EDT 2005

Today, Watchfire released a new whitepaper, titled "HTTP Request
Smuggling". The full paper can be found in the following link:

The paper's abstract is copied below: 

"We describe a new web entity attack technique - "HTTP Request
Smuggling". The attack technique and the derived attacks are relevant to
most web environments and is the result of a HTTP server or device's
failure to properly handle malformed inbound HTTP requests. HTTP Request
Smuggling works by taking advantage of the discrepancies in parsing when
one or more HTTP devices/entities (e.g. Cache Server, Proxy Server, Web
Application Firewall, etc.) are in the data flow between the user and
the web server. HTTP Request Smuggling enables various attacks - web
cache poisoning, session hijacking, cross-site scripting and most
serious the ability to bypass web application firewall protection. HTTP
Request Smuggling sends multiple specially-crafted HTTP requests that
cause the two attacked entities to see two different sets of requests,
allowing the hacker to smuggle a request to one device without the other
device being aware of it. In the Web Cache poisoning attack, this
smuggled request will trick the cache server into unintendedly
associating a URL to another URL's page (content), and caching this
content for the URL. In the Web Application Firewall attack the smuggled
request could be a worm (like Nimda or Code Red) or buffer overflow
attack targeting the web server. Finally, because HTTP Request Smuggling
enables the attacker to insert or sneak a request into the flow it
allows the attacker to manipulate the web server's request/response
sequencing which can allow for credential hijacking and other malicious

Thank you,
Ory Segal
Director of Security Research
Watchfire (Israel) LTD.
Tel: +972-9-9586077, Ext.236
Mobile: +972-54-7739359
e-mail: osegal <BLOCKED::mailto:osegal at watchfire.com>  at watchfire.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20050606/7a63517d/attachment.html>

More information about the websecurity mailing list