Identifying HTTP Request Smuggling attacks

By Paladion

October 26, 2006

HTTP requests go through various applications like Cache, proxy, firewall etc. before reaching to the web server. An attacker sends multiple specially-crafted HTTP requests which cause the intermediate entities between the attackers browser and web server to see different sets of requests.What type of attack is this?

  1. Cross Site Tracing attack
  2. HTTP Request Smuggling attack
  3. Cross site Request forging attack
  4. SQL Injection attack

The  correct answer is HTTP Request Smuggling attack

Why not option 1: Cross Site Tracing attack also abbreviated as XST is a variation of the Cross site scripting attack(XSS) wherein the attacker steals cookie information of a user by making the user click on a link that contains a script. The script reads the cookies of the user and sends it to the attacker by email. Since the browser executes the script while rendering the link, the attacker gets the desired information. XST attack is useful against application which use HTTPOnly cookies which do not allow scripts to read the cookie information directly. XST exploit the HTTP trace method of the web server , Suppose an attacker sends the user a link with a TRACE request and a script. When the user clicks on the link, a TRACE request along with the cookie information for the site is sent to the server. Now the server will send back the cookie information and the script to the browser. If the script contains the code to mail the information to the attacker, the sensitive information gets stolen.

Why not option 3: Cross-site request forgery, also known as one click attack or session riding and abbreviated as CSRF or XRSF is a technique to spoof requests on behalf of other users. It exploits cookie based session management feature of e-commerce websites to send fraudulent requests on behalf of valid users. This attack is possible because the session token used by the application for managing user sessions is available in the cookie that is sent automatically by the browser making the adversary’s work easy. The modus operandi of the adversary is to lure the victim via an email or inviting him to his website to click a carefully crafted link that say places an order on behalf of the victim in the e-commerce website, the browser will also append the session cookie set by the e-commerce website when the user logged into the application. The pre-requisite of this type of attack is that victim must be logged into the web application.

Why not option 4: SQL Injection is a type of attack where an attacker crafts his input carefully to mislead the application into executing them as SQL statements. The attack exploits dynamic sql queries used by the application. The attack consists of an SQL input (like ‘ OR 1=1) which change the existing  query structure to either get hold of data in the backend database or simply login to the application.

HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g. cache server, are in the data flow between the user and the web server.Attacker sends multiple specially-crafted HTTP requests which cause the two entities to see different sets of requests. This result into smuggle a request to one device without the other device being aware of it.. In the web cache poisoning attack, this smuggled request will trick the cache server into unintentionally associating a URL to another URL’s page (content), and caching this content for the URL. The attacker sends 3 different requests like

Request 1: POST request for
Request 2: GET request for
Request 3: GET request for

With the second request malformed in such a way that the Proxy or cache server will parse Request 1 and Request 3 and consider Request 2 as content, and web server will parses Request 1 and Request 2 and send a response for these requests. This results in cache server caching the response for request 2 from the webserver under URL for request 3. Thus resulting in its cache being “poisoned”. So when a normal user requests for, the cache server responds with the page for

For further illustration, refer to the Palisade Sept 2006 article on HTTP Request Smuggling.

Tags: Quiz