kth.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Attacking Websites Using HTTP Request Smuggling: Empirical Testing of Servers and Proxies
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering. (Software Systems Architecture and Security)
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering. (Software Systems Architecture and Security)
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering. (Software Systems Architecture and Security)ORCID iD: 0000-0002-6762-3662
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering. (Software Systems Architecture and Security)ORCID iD: 0000-0003-3089-3885
2021 (English)In: 2021 IEEE 25th International Enterprise Distributed Object Computing Conference (EDOC), Institute of Electrical and Electronics Engineers (IEEE) , 2021, p. 173-181Conference paper, Published paper (Refereed)
Abstract [en]

Securing web servers and proxies is critical for enterprise networks. Such Internet-facing systems make up a significant portion of the remote attack surface and, thus, serve as prime targets. HTTP Request Smuggling (HRS) is a vulnerability that arises when web servers and proxies interpret the length of a single HTTP request differently. In this study, empirical testing was used to find parsing behaviors that could lead to HRS in six popular proxies and six servers. A literature study was conducted to compile a corpus containing requests adopting all known HRS techniques and different variations. A test harness was built to enable the automatic sending of requests and recording of responses. The responses were then manually analyzed to identify behaviors vulnerable to HRS. In total, 19 vulnerable behaviors were found, and by combining the proxies with the servers, two almost full and four full attacks could be performed. At least one behavior that went against the HTTP specification was found in every system tested. However, not all of these behaviors enabled HRS. In conclusion, most proxies had strict parsing and did not accept requests that could lead to HRS. The servers, however, were not so strict.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE) , 2021. p. 173-181
Keywords [en]
Cyber attack, HTTP Request smuggling, website, server, proxy
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-305562DOI: 10.1109/EDOC52215.2021.00028ISI: 000748896900018Scopus ID: 2-s2.0-85123637074OAI: oai:DiVA.org:kth-305562DiVA, id: diva2:1616442
Conference
International Conference on Enterprise Distributed Object Computing (EDOC), 25-29 Oct. 2021, Gold Coast, Australia
Note

QC 20220225

Available from: 2021-12-02 Created: 2021-12-02 Last updated: 2022-06-25Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopushttps://ieeexplore.ieee.org/document/9626191

Authority records

Grenfeldt, MattiasOlofsson, AstaEngström, ViktorLagerström, Robert

Search in DiVA

By author/editor
Grenfeldt, MattiasOlofsson, AstaEngström, ViktorLagerström, Robert
By organisation
Network and Systems Engineering
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 181 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf