WebApp Sec: Can HTTP Request Smuggling be blocked by Web Application Firewalls?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Can HTTP Request Smuggling be blocked by Web Application Firewalls?

From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Tue, 21 Jun 2005 22:24:23 +0200

Yesterday, NetContinuum announced
(http://www.netcontinuum.com/newsroom/pressReleaseItem.cfm?uid=52) that their NC-1000
Application Security Gateway protects against HTTP Request Smuggling.

I find this weird. The essence of HTTP Request Smuggling
(http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf) is that two HTTP-aware
devices (e.g. web server and cache/proxy server) interpret the data stream differently.
Now, as long as the attack is aimed at two such devices BEHIND the WAF (Web Application
Firewall, and this analysis pertains to WAFs at large, not just NC-1000), then the WAF
stands a chance of blocking the attack by making sure the HTTP is 100% kosher (which is a
problem in itself, e.g. exploiting the IIS/5.0 48KB bug is arguably consisting of kosher
HTTP, see p. 5/7).

BUT, when the two devices attacked are IN FRONT of the WAF, then the WAF stands very little
chance of blocking the attack, because it's already late in the game.

Even if the attack is aimed at one device in front of the WAF, and one behind the WAF, it's
not trivial for the WAF to block the attack. In some cases, the first device changes the
HTTP stream such that it's impossible to tell that the attack took place. This is the case
with Apache proxy and the Chunked-Encoding vs. Content-Length (p. 12/14). In this case,
Apache takes an HTTP request with both Transfer-Encoding: Chunked and Content-Length: 0,
assembles the body from the chunks, and eliminates the Transfer-Encoding header, resulting
in a fully RFC-compliant HTTP stream.
Even if traces of the attack remain after the first device (e.g. multiple Content-Length
headers, p.10/12), the WAF must drop the HTTP request altogether. It is NOT sufficient to
modify it into a valid HTTP request (e.g. by erasing one of the Content-Length headers),
because it may then choose the "wrong" HTTP header, and in itself facilitate the attack (or
at least not block it).

-Amit

By Date By Thread

Current thread:

Can HTTP Request Smuggling be blocked by Web Application Firewalls? Amit Klein (AKsecurity) (Jun 21)
- Re: [WEB SECURITY] Can HTTP Request Smuggling be blocked by Web Application Firewalls? Daniel (Jun 21)
  - Re: [WEB SECURITY] Can HTTP Request Smuggling be blocked by Web Application Firewalls? Amit Klein (AKsecurity) (Jun 21)
- Re: Can HTTP Request Smuggling be blocked by Web Application Firewalls? Andrew van der Stock (Jun 21)
- Message not available
  - Re: Can HTTP Request Smuggling be blocked by Web Application Firewalls? Amit Klein (AKsecurity) (Jun 22)