
Security Best Practice: Protecting against HTTP Request Smuggling Attacks

Attack ID: CPSA-2005-09
Publish Date:
Last Update:
Category: HTTP Protocol Inspection
Vulnerable Systems: Web servers
Source: Watchfire
Description:

HTTP Request Smuggling is a new hacking technique that targets Web servers when they are used in conjunction with certain application gateways and proxy servers (e.g. firewalls, caches).

A remote attacker can send multiple HTTP requests with specially crafted HTTP headers (e.g. a request carrying both a "Transfer-Encoding: chunked" header and a "Content-Length" header) to the target server via the proxy or gateway server. The attack relies on the fact that the requests may be interpreted differently by the target server than by the proxy or gateway server, since the two devices can disagree on where one request ends and the next begins. This enables an attacker to smuggle a request to one device without the other device being aware of it.

HTTP Request Smuggling enables various attacks including Web cache poisoning, credential hijacking, cross-site scripting and the ability to bypass Web application firewall protection.

Severity:
Details:

Several vendors' products have recently been reported to be vulnerable to HTTP request smuggling attacks. IBM WebSphere 5.1 and WebSphere 5.0, Oracle 9i Application Server 9.0.2, Sun SunONE Web Server 6.1 SP1, Microsoft ISA 2000 Server SP2 and BEA Systems WebLogic 8.1 SP1 are considered vulnerable.

HTTP request smuggling attacks can occur in several scenarios. In the Web cache poisoning scenario, a smuggled HTTP request tricks the cache server into associating one URL with another URL's page (content), and caching that content for the wrong URL. When a Web application firewall is targeted, the smuggled request can be a worm (like Nimda or Code Red) or a buffer overflow attack aimed at the Web server behind it. Since HTTP Request Smuggling lets the attacker insert a request into the flow, it allows the attacker to manipulate the Web server's request/response sequencing, which can lead to credential hijacking.

Attack Detection: Users of VPN-1 NG with Application Intelligence R55W and users of VPN-1 NGX R60 will be able to detect the attack by the following SmartView Tracker log entries:

Attack Name: Malformed HTTP
Information reason: WSE0020005 found duplicated header 'content-length' in request

Users of VPN-1 NGX R60 will also be able to detect the attack by the following log entry: (example)

Attack information: Request body length exceeded allowed maximum length of 49136 bytes
Solution:

Users of VPN-1 NG with Application Intelligence R55W and users of VPN-1 NGX R60 are preemptively protected against this vulnerability. Web Intelligence will block HTTP requests with multiple Content-Length headers carrying different values, as well as requests with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This is enforced by Enforce strict HTTP request parsing (enabled by default):



Note: By disabling this option, SmartDefense will allow multiple Content-Length headers that share the same value.

Users of VPN-1 NGX R60 can further protect their systems by enabling Max request body length, which sets the maximum length allowed for the body of an HTTP request. The default value is 49152 bytes. The body includes everything after the header section.
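As an added illustration (not Check Point's code, and not the product's actual implementation), the following validator models the three checks described above: rejecting Content-Length together with Transfer-Encoding, rejecting duplicated Content-Length headers, and enforcing a maximum body length. The `strict` flag is an assumption modelling the Enforce strict HTTP request parsing option: when on, any duplicated Content-Length is rejected; when off, duplicates are tolerated only if their values agree.

```python
# Added example: a strict HTTP/1.x request validator modelled on the advisory's
# checks. Illustrative re-implementation only; the product's logic is not published here.
from typing import Dict, List, Tuple

MAX_BODY_LENGTH = 49152  # the advisory's default for "Max request body length"


def parse_headers(raw: bytes) -> Tuple[Dict[str, List[str]], bytes]:
    """Split a raw request into a name -> [values] map and the body.

    Header names are lowercased; repeated headers are kept as separate values
    so duplicates can be inspected rather than silently merged or overwritten.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers, body


def check_request(raw: bytes, strict: bool = True,
                  max_body: int = MAX_BODY_LENGTH) -> Tuple[bool, str]:
    """Return (allowed, reason). Each rejection mirrors a check on the page."""
    headers, body = parse_headers(raw)
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    # 1. Content-Length alongside Transfer-Encoding: a proxy and the server
    #    behind it may disagree on where this request ends, so reject it.
    if cl and te:
        return False, "both content-length and transfer-encoding present"
    # 2. Duplicated Content-Length: differing values are always rejected; with
    #    strict parsing any duplicate is rejected (cf. the WSE0020005 log entry).
    if len(cl) > 1 and (strict or len(set(cl)) > 1):
        return False, "found duplicated header 'content-length' in request"
    # 3. Max request body length: covers both the declared and the actual body.
    try:
        declared = int(cl[0]) if cl else 0
    except ValueError:
        return False, "malformed content-length value"
    if max(declared, len(body)) > max_body:
        return False, (f"request body length exceeded allowed maximum length "
                       f"of {max_body} bytes")
    return True, "ok"


# Constructed sample: a well-formed POST that passes every check.
SAMPLE_OK = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
```

Running `check_request(SAMPLE_OK)` returns `(True, "ok")`; requests that declare the same body length twice pass only when `strict=False`.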

To verify that the protection is enabled (users of VPN-1 NGX R60):

1. On the Web Intelligence navigation tree, click HTTP Protocol Inspection > HTTP Format Sizes.
2. In the HTTP Format Sizes screen, enable Max request body length.



3. Install the security policy on all modules.

Industry Reference: CAN-2005-2091, CAN-2005-2093, CAN-2005-2094, CAN-2005-2092, MS05-034, CAN-2005-2088

Additional Information:

CPAI-2005-98