HTTP request smuggling caused by obfuscating the TE header
Expected behavior
Ignore the obfuscated TE header (“Transfer-Encoding : chunked” vs “Transfer-Encoding: chunked”)
Actual behavior
Uses Transfer-Encoding[space] as Transfer-Encoding
Steps to reproduce
1. Topology: client → ELB → Netty server
2. Client sends a request with both Content-Length and chunked-encoding[space]
3. ELB ignores chunked-encoding[space] and uses Content-Length
4. Netty uses chunked-encoding[space]
Minimal yet complete reproducer code (or URL to code)
When a header field name ends with a space rather than a colon, should the space be ignored? I cannot find proof in https://greenbytes.de/tech/webdav/rfc7230.html#header.fields.
Code in io.netty.handler.codec.http.HttpObjectDecoder#splitHeader:

```java
// Scan for the end of the field-name: the loop stops at ':' OR at any
// whitespace, so "Transfer-Encoding : chunked" yields the name
// "Transfer-Encoding" (the Character.isWhitespace(ch) test is the part flagged here)
for (nameEnd = nameStart; nameEnd < length; nameEnd ++) {
    char ch = sb.charAt(nameEnd);
    if (ch == ':' || Character.isWhitespace(ch)) {
        break;
    }
}
```
Netty version
all
JVM version (e.g. java -version)
OS version (e.g. uname -a)
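The mismatch the report describes, as an added example that is not code from the netty issue or the netty project: a Python model of three header-name rules applied to one constructed request (the request bytes, the host name and all function names are assumptions). A front-end that keys headers on the exact text before the colon and a back-end whose name scan stops at whitespace pick different body delimiters for the same bytes, while a strict parser following RFC 7230 section 3.2.4 answers 400 instead of normalising the line.

```python
"""Added example, not code from the netty issue or the netty project.

Three header-name rules for one constructed request:
  * split_exact   - front-end style: name is the exact text before ':'
  * split_lenient - back-end style, modelled on the quoted splitHeader loop
  * split_strict  - RFC 7230 3.2.4: field-name is a token followed by ':'
"""
import re

# RFC 7230 "tchar": the characters permitted in a header field-name.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed probe: Content-Length plus a Transfer-Encoding header with a
# space between the field-name and the colon. Host name is made up.
PROBE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding : chunked\r\n"
    b"\r\n"
)


class BadRequest(Exception):
    """The strict parser's 400: the message is rejected, not normalised."""


def split_exact(line):
    """Front-end style: the name is everything before the first ':'. A trailing
    space stays in the name, so it never compares equal to 'transfer-encoding'."""
    name, _, value = line.partition(":")
    return name.lower(), value.strip()


def split_lenient(line):
    """Back-end style, modelled on the quoted loop: the name ends at ':' OR at
    whitespace, then separators are skipped, so the obfuscated header IS TE."""
    end = 0
    while end < len(line) and line[end] != ":" and not line[end].isspace():
        end += 1
    name = line[:end]
    rest = line[end:].lstrip()
    if rest.startswith(":"):
        rest = rest[1:]
    return name.lower(), rest.strip()


def split_strict(line):
    """RFC 7230 3.2.4: no whitespace between field-name and ':', and a header
    line that starts with whitespace (obs-fold) is rejected as well."""
    if line[:1] in (" ", "\t"):
        raise BadRequest("header line starts with whitespace")
    name, sep, value = line.partition(":")
    if not sep or not TOKEN_RE.match(name):
        raise BadRequest("invalid field-name %r" % name)
    return name.lower(), value.strip()


def parse_headers(raw, splitter):
    """Parse the header block with the given rule: lower-cased name -> values."""
    lines = raw.decode("ascii").split("\r\n")[1:]  # drop the request line
    headers = {}
    for line in lines:
        if line == "":
            break
        name, value = splitter(line)
        headers.setdefault(name, []).append(value)
    return headers


def framing(headers):
    """Body delimiter a parser will use (RFC 7230 3.3.3: TE overrides CL)."""
    if "transfer-encoding" in headers:
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "none"


def front_end_framing(raw):
    return framing(parse_headers(raw, split_exact))


def back_end_framing(raw):
    return framing(parse_headers(raw, split_lenient))


def strict_verdict(raw):
    """'400' for a malformed line or for TE and CL together (RFC 7230 3.3.3
    says such a message ought to be handled as an error); else the framing."""
    try:
        headers = parse_headers(raw, split_strict)
    except BadRequest:
        return "400"
    if "transfer-encoding" in headers and "content-length" in headers:
        return "400"
    return framing(headers)


def desync_possible(raw):
    """True when the two lenient parsers frame the same bytes differently,
    which is the ELB-vs-netty condition the issue describes."""
    return front_end_framing(raw) != back_end_framing(raw)


if __name__ == "__main__":
    print("front-end:", front_end_framing(PROBE))
    print("back-end: ", back_end_framing(PROBE))
    print("strict:   ", strict_verdict(PROBE))
    print("desync possible:", desync_possible(PROBE))
```

The defensive point is in split_strict and strict_verdict: a parser that rejects a non-token field-name, a leading-whitespace header line, or a request carrying both delimiters never reaches the state where two hops disagree, which is the condition desync_possible checks for.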
Issue Analytics
- Created 4 years ago
- Comments: 37 (21 by maintainers)
Top GitHub Comments
No… 3.x is end of life forever
Hi,
I am using Spring WebFlux 2.2.2.RELEASE with Netty 4.1.43.Final in an application that has 2 instances and is deployed in Kubernetes, and I have found this vulnerability when the TE is the first header and this header has a blank before the header name, for example "[space]Transfer-Encoding: chunked". Reviewing the source code at the following line, https://github.com/netty/netty/blob/8494b046ec7e4f28dbd44bc699cc4c4c92251729/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java#L766 , blanks at the beginning of the header are excluded, and for this reason the request continues and the vulnerability is subsequently presented. I ran this test on Akka HTTP, and in this scenario it sends a 400 mentioning that the header has an invalid name.
Thank you