HTTP request smuggling

HTTP request smuggling is a security exploit on the HTTP protocol that uses inconsistency between the interpretation of Content-Length and/or Transfer-Encoding headers between HTTP server implementations in an HTTP proxy server chain.^[1][2] It was first documented in 2005 by Linhart et al.^[3]

Types[]

This section relies largely or entirely on a single source. Relevant discussion may be found on the talk page. Please help by introducing citations to additional sources. Find sources:  –  ·  ·  · scholar · JSTOR (November 2021)

CL.TE[]

In this type of HTTP request smuggling, the front end processes the request using Content-Length header while backend processes the request using Transfer-Encoding header.^[2]

TE.CL[]

In this type of HTTP request smuggling, the front end processes request using Transfer-Encoding header while backend processes the request using Content-Length header.^[2]

TE.TE[]

In this type of HTTP request smuggling, the front end and backend both process the request using Transfer-Encoding header, but the header can be obfuscated in a way (for example by nonstandard whitespace formatting or duplicate headers) that makes one of the servers but not the other one ignore it.^[2]

Prevention[]

HTTP/2 is not vulnerable to request smuggling attacks as it uses a different method for determining the length of a request. Another method of avoiding the attack is for the frontend server to normalize HTTP requests before passing them to the backend, ensuring that they get interpreted in the same way. ^[2]

References[]

This World Wide Web–related article is a stub. You can help Wikipedia by .

• v
• t