CAPEC-105: HTTP Request Splitting

Description
<p>An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).<p><p>See CanPrecede relationships for possible consequences.<p>
Extended Description

This entails the adversary injecting malicious user input into various standard and/or user defined HTTP headers within a HTTP Request through user input of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters and unique character encoding. This malicious user input allows for web script to be injected in HTTP headers as well as into browser cookies or Ajax web/browser object parameters like XMLHttpRequest during implementation of asynchronous requests.

This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions as well as lack of syntax checking and filtering of user input in the HTTP agents receiving HTTP messages in the path.

This differs from CAPEC-34 HTTP Response Splitting, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Request Splitting is an attempt to compromise aback-end HTTP agentvia HTTP Request messages.

HTTP Smuggling (CAPEC-33 and CAPEC-273) is different from HTTP Splitting due to the fact it relies upon discrepancies in the interpretation of various HTTP Headers and message sizes and not solely user input of special characters and character encoding. HTTP Smuggling was established to circumvent mitigations against HTTP Request Splitting techniques.

Severity :

High

Possibility :

Medium

Type :

Detailed
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • An additional intermediary HTTP agent such as an application firewall or a web caching proxy between the adversary and the second agent such as a web server, that sends multiple HTTP messages over same network connection.
  • Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.
  • HTTP headers capable of being user-manipulated.
  • HTTP agents running on HTTP/1.0 or HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium Detailed knowledge on HTTP protocol: request and response messages structure and usage of specific headers.
  • Medium Detailed knowledge on how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers.
  • Medium Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

Tools capable of crafting malicious HTTP messages and monitoring HTTP messages responses.

Visit http://capec.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Dec. 24, 2024 13:19