Technique could be used to bypass authentication and compromise critical internal applications
Researchers have uncovered a new technique to mount a HTTP header smuggling attack through reverse proxies.
First documented in 2005, HTTP smuggling is a technique used to shunt malicious requests from a front-end server to backend systems. Often critical in nature, attacks using this method rely on servers interpreting requests differently.
In server chains, clashes in interpretation can be abused and lead to security problems, a concept that should be acknowledged by developers as HTTP headers are often used to transfer authentication requests to backend systems.
Loosely speaking there are two types of HTTP request smuggling.
One form involves hiding headers in order to desynchronise internal connections, a focus of research by PortSwigger’s James Kettle and a PortSwigger Research request smuggling topic. This attack is notoriously complex, but it has a serious impact on virtually every target.
Last year, PortSwigger web security researcher James Kettle demonstrated to attendees of Black Hat USA how isolated HTTP requests can be exploited to poison web caches, steal credentials, and desynchronize systems.
The second form of HTTP request smuggling involves hiding headers in order to spoof authentication, the focus of Telekom Security’s research.
This type of attack is comparatively ‘simple’ provided you understand the target system, but it only has a serious impact on websites that rely on header-based authentication.
While performing a server audit, Telekom Security’s Verton documented a smartcard-based authentication method made via an X509 client certificate, together with a front-end reverse proxy that handled the mutual TLS (mTLS) flow and certificate data extraction. Fields were added as additional headers as the request was passed to the backend and this system then authenticated users by way of the passed fields.
Verton noted it was only the presence of a few headers that separated an attacker from potential authentication bypass attempts, and while it is usually recommended that headers be unset to prevent abuse, in some cases, this may be ignored when reverse proxies are in play.
“Depending on the combination of reverse proxy, backend software and even framework used, an attacker passed HTTP header will be normalized and may interfere with ‘filters’ which are set in place,” the researcher said.
Problems by proxy
While Apache and Nginx documentation says that they drop all headers with underscores in them, the developer realized that this does not happen “when requests are passed via ProxyPass on Apache,” as well as when passing requests through a handful of other modules.
In some scenarios, HTTP header names can be spoofed via underscore/dash conflation by way of reverse proxies, and differences in how various frameworks handle header names can be abused to bypass existing authentication mechanisms.
“While Nginx does strip out headers with underscores via the proxy_pass directive -- unless the ‘underscores_in_headers’ feature is enabled -- WSGI frameworks including Django and Flask “assume it’s the reverse proxy’s job to strip out underscore headers,” Verton explained.
In some scenarios, the header CLIENT_VERIFIED can be unset using this tactic. In the cases of PHP and WSGI-based frameworks, if an HTTP header name with hyphens is passed, it will be normalized, a feature that can lead to an authentication bypass.
Not every Apache-mTLS-as-a-reverse-proxy is susceptible to this issue, but some specific headers and configurations could be abused.
Verton explored a variety of potentially problematic configurations in his blog post, noting that some cases could lead to critical security issues.
In theory, account takeovers and authentication bypass may be possible. Attackers could also smuggle headers including X-Forwarded-For, X-Forwarded-Host, and X-Real-Ip, Verton says.
Speaking to The Daily Swig, Verton added that abusing this type of behavior was not hard as it boils down to simply “swapping some characters and adding some headers to a request”.
However, the developer added that it is not always easy to find these kinds of vulnerabilities during blackbox testing because “you don't know what headers are used and what their names are.”
“It's still something devs and DevOp people should know about, because only this way they can prevent this type of bugs,” Verton commented.
In general, the researcher recommends that authentication headers should be set to unset/clear at root, underscores and hyphens should not be used in sensitive HTTP header names, and secrets should be considered in authentication blocks to mitigate the potential damage of HTTP header smuggling.
YOU MIGHT ALSO LIKE Hacking power supplies allows data to be lifted from air-gapped systems