CAPEC-274: HTTP Verb Tampering
Description
Extended Description
In the maliciously manipulated HTTP response, an adversary can add duplicate header fields that HTTP agents interpret as belonging to separate responses.
The combined HTTP response ends up being parsed or interpreted as two or more HTTP responses by the targeted client HTTP agent. This allows malicious HTTP responses to bypass security controls. This is performed by the abuse of interpretation and parsing discrepancies in different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) or client HTTP agents (e.g., web browser) in the path of the malicious HTTP responses.
This attack usually involves the misuse of the HTTP headers: Content-Length and Transfer-Encoding. These abuses are discussed in RFC 2616 #4.4.3 and section #4.2 and are related to ordering and precedence of these headers. [REF-38]
Additionally this attack can be performed through modification and/or fuzzing of parameters composing the request-line of HTTP messages.
This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.
This differs from CAPEC-33 HTTP Request Smuggling, which is usually an attempt to compromise a back-end HTTP agent via HTTP Request messages. HTTP Response Smuggling is an attempt to compromise aclient agent (e.g., web browser).
HTTP Splitting (CAPEC-105 and CAPEC-34) is different from HTTP Smuggling due to the fact that during implementation of asynchronous requests, HTTP Splitting requires the embedding/injection of arbitrary HTML headers and content through user input into browser cookies or Ajax web/browser object parameters like XMLHttpRequest.
Severity :
Medium
Possibility :
Type :
Detailed
Relationships with other CAPECs
This table shows the other attack patterns and high level categories that are related to this attack pattern.
Prerequisites
This table shows the other attack patterns and high level categories that are related to this attack pattern.
- The targeted system must attempt to filter access based on the HTTP verb used in requests.
Skills required
This table shows the other attack patterns and high level categories that are related to this attack pattern.
Taxonomy mappings
Mappings to ATT&CK, OWASP and other frameworks.
Resources required
The attacker requires a tool that allows them to manually control the HTTP verb used to send messages to the targeted server.
Related CWE
A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.
Visit http://capec.mitre.org/ for more details.