Modern web applications typically rely on chains of multiple servers, which forward HTTP requests to one another. The attack surface created by this forwarding is increasingly receiving more attention, including the recent popularisation of cache poisoning and request smuggling vulnerabilities. Much of this exploration, especially recent request smuggling research, has developed new ways to hide HTTP request headers from some servers in the chain while keeping them visible to others – a technique known as "header smuggling". This paper presents a new technique for identifying header smuggling and demonstrates how header smuggling can lead to cache poisoning, IP restriction bypasses, and request smuggling.

Background

A chain of HTTP servers used by a web application can often be modelled as consisting of two components:

- A "front-end" server which directly handles requests from users. These servers typically handle caching and load balancing, or act as web application firewalls (WAFs).
- A "back-end" server which the front-end server forwards requests to. This is where the application's server-side code runs.

This model is often a simplification of reality. There may be multiple front-end and back-end servers, and front-end and back-end servers are often themselves chains of multiple servers. However, this model is sufficient to understand and develop the attacks presented in this article, as well as most of the recent research into attacking chains of servers.

Back-end servers often rely on front-end servers providing accurate information in the HTTP request headers, such as the client's IP address in the "X-Forwarded-For" header, or the length of the request body in the "Content-Length" header. To provide this information accurately, front-end servers must filter out the values of these headers provided by the client, which are untrusted and cannot be relied upon to be accurate. Using header smuggling, it is possible to bypass this filtering and send information to the back-end server which it treats as trusted. I will show how this led to bypassing of IP restrictions in AWS API Gateway, as well as an easily exploitable cache poisoning issue.
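The front-end filtering step described above, sketched as an added example (it is not code from the original paper or from any product it discusses). The `FRONT_END_OWNED` list, the function and exception names, and the sample addresses are assumptions; only "X-Forwarded-For" is handled.

```python
import re

# RFC 7230 "token": the only characters allowed in a header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Headers the back-end treats as written by the front-end (assumed list).
FRONT_END_OWNED = {"x-forwarded-for"}


class RejectRequest(Exception):
    """The request should be answered with 400 instead of being forwarded."""


def sanitize_headers(client_headers, peer_ip):
    """Build the header list the front-end forwards to the back-end.

    client_headers: (name, value) pairs exactly as parsed from the wire.
    peer_ip: address of the TCP peer, the only client address the
             front-end can vouch for.
    """
    forwarded = []
    for name, value in client_headers:
        # A name that is not a strict token may be interpreted differently
        # by the next server in the chain, so refuse it rather than pass it on.
        # fullmatch (not match with "$") so a trailing newline cannot slip by.
        if not TOKEN.fullmatch(name):
            raise RejectRequest(f"invalid header name: {name!r}")
        if any(c in value for c in "\r\n\0"):
            raise RejectRequest(f"invalid value for header {name!r}")
        # Header names are case-insensitive, so compare in lower case.
        if name.lower() in FRONT_END_OWNED:
            continue  # drop the client's untrusted copy
        forwarded.append((name, value))
    # Write the trusted value from what the front-end itself observed.
    forwarded.append(("X-Forwarded-For", peer_ip))
    return forwarded


if __name__ == "__main__":
    # Constructed sample request; addresses are documentation ranges.
    sample = [("Host", "app.example"), ("x-forwarded-for", "127.0.0.1")]
    print(sanitize_headers(sample, "203.0.113.7"))
```

Rejecting malformed names outright, rather than forwarding them untouched, is what keeps the front-end's view of the headers and the back-end's view the same.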