Hello,
Today, Watchfire released a new whitepaper, titled "HTTP Request
Smuggling". The full paper can be found at the following link:
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
The paper's abstract is copied below:
"We describe a new web entity attack technique, "HTTP Request
Smuggling". The attack technique and the derived attacks are relevant
to most web environments and are the result of an HTTP server or
device's failure to properly handle malformed inbound HTTP requests.
HTTP Request Smuggling works by taking advantage of the discrepancies
in parsing when one or more HTTP devices/entities (e.g. Cache Server,
Proxy Server, Web Application Firewall, etc.) are in the data flow
between the user and the web server. HTTP Request Smuggling enables
various attacks: web cache poisoning, session hijacking, cross-site
scripting and, most seriously, the ability to bypass web application
firewall protection. HTTP Request Smuggling sends multiple
specially-crafted HTTP requests that cause the two attacked entities
to see two different sets of requests, allowing the hacker to smuggle
a request to one device without the other device being aware of it. In
the Web Cache poisoning attack, this smuggled request will trick the
cache server into unintentionally associating a URL with another URL's page
(content), and caching this content for the URL. In the Web
Application Firewall attack the smuggled request could be a worm (like
Nimda or Code Red) or a buffer overflow attack targeting the web server.
Finally, because HTTP Request Smuggling enables the attacker to insert
or sneak a request into the flow, it allows the attacker to manipulate
the web server's request/response sequencing, which can allow for
credential hijacking and other malicious outcomes."
Thank you,
Ory Segal
Director of Security Research
Watchfire (Israel) LTD.
Tel: +972-9-9586077, Ext.236
Mobile: +972-54-7739359
e-mail: osegal at watchfire.com
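The parsing discrepancy the abstract describes, and the defensive check against it, as an added example in Python (not part of the original post or of the Watchfire paper): two lenient splitters that disagree on how many requests the same constructed byte stream contains, and a strict framing validator that rejects the ambiguous request before any downstream device can frame it differently. The sample requests and the helper names are constructed for this illustration; the strict rule follows the HTTP/1.1 requirement that a message have exactly one way to determine its body length.

```python
import re

CRLF = b"\r\n"

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split the header block into (name, value) pairs, names lower-cased."""
    head = raw.partition(CRLF + CRLF)[0]
    pairs = []
    for line in head.split(CRLF)[1:]:                 # skip the request line
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")   # e.g. 'Name : value'
        pairs.append((name.lower(), value.strip()))
    return pairs

def framing_is_unambiguous(raw: bytes) -> bool:
    """True only when the body length can be determined in exactly one way."""
    try:
        headers = parse_headers(raw)
    except ValueError:
        return False
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        return False          # CL and TE together: devices may honour different ones
    if len(tes) > 1 or (tes and tes[0].lower() != "chunked"):
        return False          # multiple or obfuscated Transfer-Encoding values
    if len(cls) > 1 or (cls and not re.fullmatch(r"[0-9]+", cls[0])):
        return False          # repeated or non-numeric Content-Length
    return True

def split_requests(stream: bytes, use_first_cl: bool) -> list[bytes]:
    """Lenient splitter modelling one device's choice when Content-Length repeats."""
    out = []
    while stream:
        head, sep, rest = stream.partition(CRLF + CRLF)
        if not sep:
            break
        cls = [v for n, v in parse_headers(head + sep) if n == "content-length"]
        n = int(cls[0] if use_first_cl else cls[-1]) if cls else 0
        out.append(head + sep + rest[:n])
        stream = rest[n:]
    return out

# Constructed sample: the same bytes, framed two ways by two lenient devices.
AMBIGUOUS = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\nContent-Length: 32\r\n\r\n"
             b"abcdGET /b HTTP/1.1\r\nHost: x\r\n\r\n")
CLEAN = b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n\r\nabcd"
```

A device that honours the first Content-Length sees two requests in AMBIGUOUS while one that honours the last sees a single request; the strict validator refuses the message outright, which is the mitigation a proxy, WAF or cache should apply at the edge.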