New Methods for Request Smuggling

We discussed this vulnerability as part of our weekly podcast on 23 November 2021

This paper applies differential fuzzing to find new ways of introducing a parsing desync between two HTTP servers that can lead to request smuggling.

Much of the recent uptick in request smuggling issues has come from a desync between how the entry-point server, such as a load balancer, and the backend server parse the same request. The Content-Length and Transfer-Encoding headers have been the primary focus of these attacks (the classic CL.TE and TE.CL cases).

What these authors sought to do was discover other ways of introducing a desync that could result in request smuggling. They did this through differential fuzzing: they built a grammar-based fuzzer for HTTP requests and then looked for differences in how different server pairs responded to the same mutated request.

While they do detail exactly which server pairs were vulnerable to which type of corruption, I think the mutations themselves (pages 7-8) are the most interesting part of the paper, as in practice you often won't know which servers are involved.

Request Line Mutations

  • Mangled Method
  • Distorted Protocol
  • Invalid Version
  • Manipulated Termination
  • Embedded Request Lines

Request Headers Mutations

  • Distorted Header Value
  • Manipulated Termination
  • Expect Header
  • Identity Encoding
  • V1.0 Chunked Encoding
  • Double Transfer-Encoding

Request Body Mutations

  • Chunk-Size Chunk-Data Mismatch
  • Manipulated Chunk-Size Termination
  • Manipulated Chunk-Extension Termination
  • Manipulated Chunk-Data Termination
  • Mangled Last-Chunk
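
To make the three mutation groups above concrete, here is an added example (my own code, not the paper's T-Reqs fuzzer) that builds one base request, applies one constructed sample of each mutation class, and pushes every mutant through two toy request parsers that disagree on edge cases, the way a differential harness compares the responses of a real front-end/back-end pair. Both parsers are hypothetical simplifications written for this page and model no real server: "strict" follows the RFC 7230 body-length rules, "lenient" is a caricature of a tolerant implementation. The Expect header mutation is left out because its effect (an interim 100 Continue response) only shows up against a live server, not in a static parser.

```python
# Added example: mutation classes from the paper applied to a base request and
# run through two hypothetical parsers; neither parser represents a real server.
import re

CRLF = b"\r\n"
METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS"}
BASE_HEADERS = [(b"Host", b"example.test"), (b"Content-Length", b"5"),
                (b"Transfer-Encoding", b"chunked")]
BASE_BODY = b"0\r\n\r\n"   # empty chunked body, exactly 5 bytes, so Content-Length agrees
REJECT = ("reject",)


def build(line=b"POST /upload HTTP/1.1", headers=BASE_HEADERS, body=BASE_BODY,
          rl_end=CRLF, hdr_end=CRLF):
    """Serialise a request; odd terminators can be applied to the request line or headers."""
    return line + rl_end + b"".join(k + b": " + v + hdr_end for k, v in headers) + CRLF + body


def te_replaced(value):
    return [(k, value if k == b"Transfer-Encoding" else v) for k, v in BASE_HEADERS]


def mutants():
    """One constructed sample per mutation class listed on the page (Expect omitted)."""
    return {
        # request line mutations
        "mangled_method": build(line=b"POSTX /upload HTTP/1.1"),
        "distorted_protocol": build(line=b"POST /upload HTTX/1.1"),
        "invalid_version": build(line=b"POST /upload HTTP/1.9"),
        "rl_manipulated_termination": build(rl_end=b"\n"),
        "embedded_request_line": build(line=b"POST /upload HTTP/1.1\r\nGET /admin HTTP/1.1"),
        # request header mutations
        "distorted_header_value": build(headers=te_replaced(b"xchunked")),
        "hdr_manipulated_termination": build(hdr_end=b"\n"),
        "identity_encoding": build(headers=te_replaced(b"identity")),
        "v1_0_chunked": build(line=b"POST /upload HTTP/1.0"),
        "double_transfer_encoding": build(headers=BASE_HEADERS + [(b"Transfer-Encoding", b"identity")]),
        # request body mutations
        "chunk_size_data_mismatch": build(body=b"3\r\nABCDE\r\n0\r\n\r\n"),
        "chunk_size_termination": build(body=b"5\nABCDE\r\n0\r\n\r\n"),
        "chunk_extension_termination": build(body=b"5;ext=1\nABCDE\r\n0\r\n\r\n"),
        "chunk_data_termination": build(body=b"5\r\nABCDE\n0\r\n\r\n"),
        "mangled_last_chunk": build(body=b"5\r\nABCDE\r\n0\r\n"),   # final CRLF missing
    }


def dechunk_strict(body):
    """Chunked decoding per RFC 7230: hex size, optional extension, CRLF after size and data."""
    out, pos = b"", 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            return REJECT
        size_hex = body[pos:end].split(b";", 1)[0]
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_hex):
            return REJECT
        size, pos = int(size_hex, 16), end + 2
        if size == 0:   # last-chunk must be followed by a bare CRLF; the rest is the next request
            return ("accept", out, body[pos + 2:]) if body[pos:pos + 2] == CRLF else REJECT
        data = body[pos:pos + size]
        if len(data) < size or body[pos + size:pos + size + 2] != CRLF:
            return REJECT
        out, pos = out + data, pos + size + 2


def parse_strict(raw):
    """Hypothetical strict server: CRLF only, known method, HTTP/1.0 or 1.1,
    Transfer-Encoding wins over Content-Length and must end in chunked."""
    idx = raw.find(CRLF + CRLF)
    if idx < 0:
        return REJECT
    lines, body = raw[:idx].split(CRLF), raw[idx + 4:]
    if any(b"\n" in ln for ln in lines):            # bare LF anywhere in the head
        return REJECT
    m = re.fullmatch(rb"([A-Z]+) (\S+) HTTP/1\.[01]", lines[0])
    if not m or m.group(1) not in METHODS:
        return REJECT
    headers = []
    for ln in lines[1:]:
        name, sep, value = ln.partition(b":")
        if not sep or not re.fullmatch(rb"[A-Za-z0-9-]+", name):
            return REJECT
        headers.append((name.lower(), value.strip()))
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        return dechunk_strict(body) if codings[-1] == b"chunked" else REJECT
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            return REJECT
        n = int(cl[0])
        return ("accept", body[:n], body[n:])
    return ("accept", b"", body)


def dechunk_lenient(body):
    """Tolerant chunked decoding: any line ending accepted after the size and after the data."""
    out, pos = b"", 0
    while True:
        end = body.find(b"\n", pos)
        if end < 0:
            return REJECT
        try:
            size = int(body[pos:end].split(b";", 1)[0].strip(), 16)
        except ValueError:
            return REJECT
        pos = end + 1
        if size == 0:                                   # swallow the trailing line if present
            end = body.find(b"\n", pos)
            return ("accept", out, body[end + 1:] if end >= 0 else b"")
        out += body[pos:pos + size]
        end = body.find(b"\n", pos + size)
        if end < 0:
            return REJECT
        pos = end + 1


def parse_lenient(raw):
    """Hypothetical tolerant server: bare LF allowed, any method/version token accepted,
    header lines without a colon ignored, Transfer-Encoding honoured only when the first
    value is exactly 'chunked' on a non-1.0 request, otherwise Content-Length (or 0)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    if not m:
        return REJECT
    lines, body = re.split(rb"\r?\n", raw[:m.start()]), raw[m.end():]
    parts = lines[0].split()
    if len(parts) < 3:
        return REJECT
    http10 = parts[2].endswith(b"/1.0")
    headers = []
    for ln in lines[1:]:
        name, sep, value = ln.partition(b":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and te[0] == b"chunked" and not http10:
        return dechunk_lenient(body)
    n = int(cl[-1]) if cl and cl[-1].isdigit() else 0
    return ("accept", body[:n], body[n:])


def differential(requests):
    """Mutants on which the two parsers disagree: the candidate desync vectors a fuzzer would flag."""
    results = {name: (parse_strict(raw), parse_lenient(raw)) for name, raw in requests.items()}
    return {name: pair for name, pair in results.items() if pair[0] != pair[1]}


if __name__ == "__main__":
    for name, (strict, lenient) in differential(mutants()).items():
        print(f"{name:28} strict={strict} lenient={lenient}")
```

The base request is accepted identically by both parsers, so it is the mutation, not the template, that produces each disagreement. Note that a disagreement is only a candidate: a reject-versus-accept split means one hop drops the request, while an accept-versus-accept split with different body boundaries (the `v1_0_chunked` and chunk-termination cases here) is the shape that actually leaves bytes behind for the next request on the connection.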

Using these mutations they did find several server pairs that were vulnerable to request smuggling. Largely it seemed like Akamai was the odd one out, being involved in most of the issues discovered; the results are graphed on page 10.