Headline
New HTTP Request Smuggling Attacks Target Web Browsers
Threat actors can abuse weaknesses in HTTP request handling to launch damaging browser-based attacks on website users, researcher says.
BLACK HAT USA – LAS VEGAS – A security researcher who previously demonstrated how attackers can abuse weaknesses in the way websites handle HTTP requests warned that the same issues can be used in damaging browser-based attacks against users.
James Kettle, director of PortSwigger, described his research as shedding new light on so-called desync attacks that exploit disagreements in how a website’s back-end and front-end servers interpret HTTP requests. Previously, at Black Hat USA 2019, Kettle showed how attackers could trigger these disagreements — over things like message length, for instance — to route HTTP requests to a back-end component of their choice, steal credentials, and invoke unexpected responses from an application and other malicious actions. Kettle also has previously shown how HTTP/2 implementation errors can put websites at risk of compromise.
Kettle’s new research focuses on how threat actors can exploit the same improper HTTP request handling issues to also attack website users and steal credentials, install backdoors, and compromise their systems in other ways. Kettle said he had identified HTTP handling anomalies that enabled such client-side desync attacks on sites such as Amazon.com, those using the AWS Application Load Balancer, Cisco ASA WebVPN, Akamai, Varnish Cache servers, and Apache HTTP Server 2.4.52 and earlier.
The main difference between server-side desync attacks and client-side desync is that the former requires attacker-controlled systems with a reverse proxy front end and at least partly malformed requests, Kettle said in a conversation with Dark Reading following his presentation. A browser-powered attack takes place within the victim’s Web browser, using legitimate requests, he said. Kettle showed a proof-of-concept where he was able to store information such as authentication tokens of random users on Amazon in his shopping list as an example of what an attacker would be able to do. Kettle discovered he could have gotten each infected victim on Amazon’s site to relaunch the attack to others.
“This would have released a desync worm — a self-replicating attack which exploits victims to infect others with no user interaction, rapidly exploiting every active user on Amazon,” Kettle said. Amazon has since fixed the issue.
Cisco opened a CVE for the vulnerability (CVE-2022-20713) after Kettle informed the company about it and described the issue as allowing an unauthenticated, remote attacker to conduct browser-based attacks on website users. “An attacker could exploit this vulnerability by convincing a targeted user to visit a website that can pass malicious requests to an ASA device that has the Clientless SSL VPN feature enabled,” the company noted. “A successful exploit could allow the attacker to conduct browser-based attacks, including cross-site scripting attacks, against the targeted user.”
Apache identified its HTTP request smuggling vulnerability (CVE-2022-22720) as tied to a failure “to close inbound connection when errors are encountered discarding the request body.” Varnish described its vulnerability (CVE-2022-23959) as allowing attackers to inject spurious responses on client connections.
In a whitepaper released today, Kettle said there were two separate scenarios where HTTP handling anomalies could have security implications,
One was first-request validation, where front-end servers that handle HTTP requests use the Host header to identify which back-end component to route each request to. These proxy servers often have a whitelist of hosts that people are allowed to access. What Kettle discovered was that some front-end or proxy servers only use the whitelist for the first request sent over a connection and not for subsequent requests sent over the same connection. So, attackers can abuse this to gain access to a target component by first sending a request to an allowed destination and then following up with a request to their target destination.
Another closely related but far more frequent issue that Kettle encountered stemmed from first-request routing. With first-request routing, the front-end or proxy server looks at the HTTP request’s Host header to decide where to route the request to and then routes all subsequent requests from the client down to the same back end. In environments where the Host header is handled in an unsafe way, this presents attackers with an opportunity to target any back-end component to carry out a variety of attacks, Kettle said.
The best way for websites to mitigate client-side desync attacks is to use HTTP/2 end-to-end, Kettle said. It’s generally not a good idea to have a front end that supports HTTP/2 and a back end that is HTTP/1.1. “If your company routes employee’s traffic through a forward proxy, ensure upstream HTTP/2 is supported and enabled,” Kettle advised. “Please note that the use of forward proxies also introduces a range of extra request-smuggling risks beyond the scope of this paper.”
Related news
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Gentoo Linux Security Advisory 202208-20 - Multiple vulnerabilities have been discovered in Apache Webserver, the worst of which could result in remote code execution. Versions less than 2.4.54 are affected.
Cisco on Wednesday released patches to contain multiple flaws in its software that could be abused to leak sensitive information on susceptible appliances. The issue, assigned the identifier CVE-2022-20866 (CVSS score: 7.4), has been described as a "logic error" when handling RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
A vulnerability in the Clientless SSL VPN (WebVPN) component of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks. This vulnerability is due to improper validation of input that is passed to the Clientless SSL VPN component. An attacker could exploit this vulnerability by convincing a targeted user to visit a website that can pass malicious requests to an ASA device that has the Clientless SSL VPN feature enabled. A successful exploit could allow the attacker to conduct browser-based attacks, including cross-site scripting attacks, against the targeted user.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.
Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join.
Ubuntu Security Notice 5474-1 - It was dicovered that Varnish Cache did not clear a pointer between the handling of one client request and the next request within the same connection. A remote attacker could possibly use this issue to obtain sensitive information. It was discovered that Varnish Cache could have an assertion failure when a TLS termination proxy uses PROXY version 2. A remote attacker could possibly use this issue to restart the daemon and cause a performance loss.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited..
Dell EMC NetWorker versions 19.1.x, 19.1.0.x, 19.1.1.x, 19.2.x, 19.2.0.x, 19.2.1.x 19.3.x, 19.3.0.x, 19.4.x, 19.4.0.x, 19.5.x,19.5.0.x, 19.6 and 19.6.0.1 and 19.6.0.2 contain an Improper Validation of Certificate with Host Mismatch vulnerability in Rabbitmq port 5671 which could allow remote attackers to spoof certificates.
Red Hat Security Advisory 2022-4745-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
An update for rh-varnish6-varnish is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23959: varnish: HTTP/1 request smuggling vulnerability
Apple Security Advisory 2022-05-16-4 - Security Update 2022-004 Catalina addresses bypass, code execution, denial of service, integer overflow, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
Apple Security Advisory 2022-05-16-3 - macOS Big Sur 11.6.6 addresses bypass, code execution, denial of service, out of bounds access, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.