CAPEC-273
Description
An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server). See CanPrecede relationships for possible consequences.
Prerequisites
A vulnerable or compromised server or domain/site capable of allowing adversary to insert/inject malicious content that will appear in the server's response to target HTTP agents (e.g., proxies and users' web browsers).
Differences in the way the two HTTP agents parse and interpret HTTP responses and its headers.
HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.
Mitigations
Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.
Configuration: front-end HTTP agents notice ambiguous requests.
Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.
Configuration: Disable reuse of back-end connections.
Configuration: Use HTTP/2 for back-end connections.
Configuration: Use the same web server software for front-end and back-end server.
Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.
Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.
Configuration: Disallow HTTP messages with both Transfer-Encoding and Content-Length or Double Content-Length Headers.
Configuration: Disallow Malformed/Invalid Transfer-Encoding Headers used in obfuscation, such as: Headers with no space before the value âchunkedâ Headers with extra spaces Headers beginning with trailing characters Headers providing a value âchunkâ instead of âchunkedâ (the server normalizes this as chunked encoding) Headers with multiple spaces before the value âchunkedâ Headers with quoted values (whether single or double quotations) Headers with CRLF characters before the value âchunkedâ Values with invalid characters
Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)
Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.
Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.
Skills Required
[Medium] Detailed knowledge on HTTP protocol: request and response messages structure and usage of specific headers.
[Medium] Detailed knowledge on how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers.
[Medium] Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.