Name HTTP Request Splitting
Summary An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server). See CanPrecede relationships for possible consequences.
Prerequisites
  • An additional intermediary HTTP agent, such as an application firewall or a web caching proxy, sits between the adversary and the second agent (such as a web server) and sends multiple HTTP messages over the same network connection.
  • The two HTTP agents differ in the way they parse and interpret HTTP requests and their headers.
  • HTTP headers are capable of being user-manipulated.
  • The HTTP agents run HTTP/1.0 or HTTP/1.1 and allow Keep-Alive mode, pipelined queries, and chunked queries and responses.
1 Experiment [Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities] The adversary sends maliciously crafted HTTP requests with custom strings and embedded web scripts and objects in HTTP headers to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by a normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure's response to the normal/benign HTTP request, confirming the applicability of the identified vulnerabilities to the adversary's plan of attack.
  • Continue the monitoring of HTTP traffic.
  • Utilize different sequences of special characters (CR - Carriage Return, LF - Line Feed, HT - Horizontal Tab, SP - Space, etc.) to bypass filtering and back-end encoding and to embed:
    • additional HTTP Requests with their own headers;
    • malicious web scripts into parameters of HTTP Request headers (e.g., browser cookies like Set-Cookie or Ajax web/browser object parameters like XMLHttpRequest);
    • adversary-chosen encoding (e.g., UTF-7) to utilize additional special characters (e.g., > and <) filtered by the target HTTP agent.
    Note that certain special characters and character encodings may be applicable only to intermediary and front-end agents with rare configurations or that are not RFC compliant.
  • Follow an unrecognized (sometimes an RFC-compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.
2 Exploit [Perform HTTP Request Splitting attack] Using knowledge discovered in the Experiment phase above, smuggle a message to cause one of the consequences.
  • Leverage techniques identified in the Experiment Phase.
Solutions
  • Design: Evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.
  • Configuration: Front-end HTTP agents detect and flag ambiguous requests.
  • Configuration: Back-end HTTP agents reject ambiguous requests and close the network connection.
  • Configuration: Disable reuse of back-end connections.
  • Configuration: Use HTTP/2 for back-end connections.
  • Configuration: Use the same web server software for front-end and back-end servers.
  • Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.
  • Configuration: Install the latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e., proxies and web servers).
  • Configuration: Ensure that all HTTP infrastructure in the chain or network path utilizes a strict, uniform parsing process.
  • Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user input.
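The "reject ambiguous requests" and "strict uniform parsing" mitigations above come down to refusing any request that two agents could frame differently (conflicting length headers, bare CR/LF, whitespace in header names, line folding). The following check is an example added for this entry, not code from CAPEC or from any HTTP implementation; which conditions count as ambiguous, and accepting only exactly "chunked" as a Transfer-Encoding, are this example's own policy assumptions.

```python
import re
from typing import List

# Strict framing check for a raw HTTP/1.x request head. The set of checks and
# the "only exactly 'chunked'" Transfer-Encoding policy are assumptions made
# for this example, not rules taken from CAPEC or any vendor.

# RFC 7230 "token" characters: a header name may contain nothing else, so
# "Transfer-Encoding : chunked" (space before the colon) is rejected.
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def find_ambiguities(raw: bytes) -> List[str]:
    """Return the reasons two agents could frame this request differently;
    an empty list means the request is unambiguous and may be forwarded."""
    findings = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["request head not terminated by CRLFCRLF"]
    lines = head.split(b"\r\n")
    if lines[0].count(b" ") != 2:
        findings.append("malformed request line")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):          # obsolete line folding
            findings.append("obs-fold continuation line in headers")
            continue
        if b"\r" in line or b"\n" in line:     # bare CR / LF, not a CRLF pair
            findings.append("bare CR or LF inside a header line")
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append("header line without a colon")
            continue
        if not TOKEN.match(name):
            findings.append("invalid header name (whitespace or control char?)")
            continue
        headers.append((name.lower(), value.strip(b" \t")))
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length value")
    # Strict policy (assumption): the only acceptable coding is "chunked".
    if any(v.lower() != b"chunked" for v in te):
        findings.append("Transfer-Encoding other than exactly 'chunked'")
    return findings
```

A front-end agent that applies this before forwarding, and closes the connection on any finding, never passes the back end a request whose boundaries it parsed differently.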
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-138 Improper Neutralization of Special Elements
CWE-436 Interpretation Conflict