User:BrandonS23/sandbox

First document in 2005 by Linhart et al.^[1] , HTTP request smuggling is a security exploit on the HTTP protocol that takes advantage of an inconsistency between the interpretation of Content-Length and/or Transfer-Encoding headers between HTTP server implementations in an HTTP proxy server chain.^[2]^[3] The Transfer-Encoding header works by defining a directive on how to interpret the body of the HTTP request, with the common and necessary directive for this attack being the Chunked transfer encoding.^[4] When the Transfer-Encoding header is present, the Content-Length header is supposed to be omitted.^[4] Working similarly but with a different syntax, the Content-Length header works by specifying the size in bytes of the body as a value in the header itself. ^[5] Vulnerabilities arise when both of these headers are included in a malicious HTTP request, bypassing security functions meant to prevent malicious HTTP queries to the server by causing either the front-end or back-end server to incorrectly interpret the request. ^[6] HTTP request smuggling commonly takes the form of CL.TE, TE.CL, or TE.TE, although more complex attacks using HRS do exist. ^[6]

Types[edit]

CL.TE[edit]

In this type of HTTP request smuggling, the front end processes the request using Content-Length header while backend processes the request using Transfer-Encoding header.^[3] The attack would be carried out with the first part of the request declaring a zero length chunk. ^[6] The front end server seeing this would only read the first part of the request and unintentionally pass the second part to the back end server. ^[6] Once passed through to the back end server, it would be treated as the next request and processed, carrying out the attackers hidden request. ^[6]

TE.CL[edit]

In this type of HTTP request smuggling, the front end processes request using Transfer-Encoding header while backend processes the request using Content-Length header.^[3] In this attack, a hacker would declare the valid length of the first chunk, which houses the malicious request and then declare a second chunk with a length of 0. ^[6] When the front end server sees the second chunk with a length of 0 it believes the request to be complete and passes it along to the back end server. ^[6] The back end server processes the request using the Content-Length header, however, and as a result the malicious request left in the first chunk go unprocessed until they are treating as being at the start of next request in the sequence and are carried out. ^[3]

TE.TE[edit]

In this type of HTTP request smuggling, the front end and backend both process the request using Transfer-Encoding header, but the header can be obfuscated in a way (for example by nonstandard whitespace formatting or duplicate headers) that makes one of the servers but not the other one ignore it.^[3] Obscuring the header may take the form of adding in an incorrect character, such as Transfer-Encoding: xchunked, or an unusual new line character between 'Transfer-Encoding' and ': chunked'. ^[6] If one of the front of back end servers still processes these obfuscated HTTP requests, then the rest of the attack will be similar to how CL.TE or TE.CL attacks work. ^[6]

Prevention[edit]

The best prevention to these attacks would clearly be if front end and back end servers interpreted HTTP requests the same way. However, this is usually not an option as load balancers that support backed servers run on distinct platforms, meaning you cannot run the same software on both the front end and the back end. ^[6] A way to prevent against most variants of this attack is by using HTTP/2 as it is not vulnerable to most request smuggling attacks, using a different method for determining the length of a request. Another method of avoiding the attack is for the frontend server to normalize HTTP requests before passing them to the backend, ensuring that they get interpreted in the same way. ^[3] Configuring a web application firewall is another good way to prevent HRS attacks as many feature technology that identify attack attempts and either blocks or sanitize the suspicious incoming requests.^[6]

References[edit]

^ Linhart, Chaim; Klein, Amit; Heled, Ronen; Orrin, Steve (2005). "HTTP request smuggling" (PDF).
^ "CWE - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (4.0)". cwe.mitre.org. Retrieved 2020-03-13.
^ ^a ^b ^c ^d ^e ^f "What is HTTP request smuggling? Tutorial & Examples | Web Security Academy". portswigger.net. Retrieved 2020-03-13.
^ ^a ^b "Transfer-Encoding". developer.mozilla.org. Retrieved 2022-12-15.
^ "Content-Length". developer.mozilla.org. Retrieved 2022-12-15.
^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k "HTTP Request Smuggling". imperva.com. Retrieved 2022-12-15.

Category:Web security exploits Category:Hypertext Transfer Protocol headers

This World Wide Web–related article is a stub. You can help Wikipedia by expanding it.

This is the user sandbox of BrandonS23. A user sandbox is a subpage of the user's user page. It serves as a testing spot and page development space for the user and is not an encyclopedia article. Create or edit your own sandbox here.

Other sandboxes: Main sandbox | Template sandbox

Finished writing a draft article? Are you ready to request review of it by an experienced editor for possible inclusion in Wikipedia? Submit your draft for review!

Audience Centric Model[edit]

Writing in Liberalism Divided published in 1996, Owen Fiss talks of the imperativeness that in public discourse, some need to be silenced so that other ideas can be heard. In Fiss' view, Freedom of Speech is not about the right of the speaker to speak but instead the audience to hear all ideas with value. To achieve this, Fiss acknowledges that the government must take on the role of a parlitarlian and silence those whose speech pushes other's ideas of value out of public discourse. In this line of thinking, it is public debate that is protected. While there are certainly merits to the ability to participate in speech, Fiss argues that the collective good of the right to free speech is realized through the audience and not the speaker.

Fiss observes that in today's world this is line of thought can be applied heavily to the way our media operates. With a relatively few 'speakers' (i.e. channels like CBS and ABC) having a majority of the audience, it is important that the government regulate their control and ensure that all ideas can make it to the marketplace of ideas where they can then be crushed or supported by the people.

Campaign finance reform[edit]

Fiss' view is aptly applied in the political sphere and has substantial significance in this context. Because of this, he is an advocate of strong regulation of political campaigns:

We may sometimes find it necessary to "restrict the speech of some elements of our society in order to enhance the relative voice of others," and that unless the [Supreme] Court allows, and sometimes even requires the state to do so, we as a people will never truly be free.^[1]

^ Bradley A. Smith, "The Myth of Campaign Finance Reform", National Affairs, Winter 2010

[HRS-1] Linhart, Chaim; Klein, Amit; Heled, Ronen; Orrin, Steve (2005). "HTTP request smuggling" (PDF).

[2] "CWE - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (4.0)". cwe.mitre.org. Retrieved 2020-03-13.

[portswigger1-3] ^ ^a ^b ^c ^d ^e ^f "What is HTTP request smuggling? Tutorial & Examples | Web Security Academy". portswigger.net. Retrieved 2020-03-13.

[mozillatransfer-4] "Transfer-Encoding". developer.mozilla.org. Retrieved 2022-12-15.

[mozillacontentlength-5] "Content-Length". developer.mozilla.org. Retrieved 2022-12-15.

[imperva-6] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k "HTTP Request Smuggling". imperva.com. Retrieved 2022-12-15.

[7] Bradley A. Smith, "The Myth of Campaign Finance Reform", National Affairs, Winter 2010

[1]

[2]

[3]

[4]

[5]

[6]

[1]