HTTP Request Smuggling in Netty - 4.1.43.Final #1

Open
@jdordonezn

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.

Steps to reproduce the vulnerability

  1. The hacker sends a request with both a "[space]Transfer-Encoding: chunked" header and a "Content-Length" header.
  2. The legitimate user sends a normal request.
  3. The ELB (Elastic Load Balancer) first sends the hacker's request to Netty and then the normal request.
  4. Netty decodes the request using the incorrect TE ("[space]Transfer-Encoding: chunked"), sending the hacker the response that corresponds up to the null byte and sending the legitimate user the response to the hacker's chunked request.

  • Attack Payload: [image 1]
  • Normal request: [image 2]
  • Processing of netty: [image 3]
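
A defensive check for the ambiguity this issue describes, added here as an example (it is not code from the issue or from Netty): it compares how a whitespace-trimming parser and a strict parser frame the same request head, and lists reasons a front end should answer 400. The function names and both sample requests are constructed, and the lenient parser is an assumed model of the reported behaviour.

```python
import re

# Field names must be RFC 7230 tokens: no spaces, no control characters.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def header_lines(head):
    """Yield decoded header lines, skipping the request line."""
    for raw in head.split(b"\r\n")[1:]:
        if not raw:
            return
        yield raw.decode("latin-1")

def framing(head, lenient):
    """Return 'chunked', 'length' or 'none' for how a parser frames the body.
    lenient=True models a parser that trims whitespace around field names
    (assumed model of the reported behaviour); lenient=False models one
    that treats ' Transfer-Encoding' as an unrelated, unknown header."""
    fields = {}
    for line in header_lines(head):
        name, _, value = line.partition(":")
        if lenient:
            name = name.strip()
        fields[name.lower()] = value.strip().lower()
    if "chunked" in fields.get("transfer-encoding", ""):
        return "chunked"
    return "length" if "content-length" in fields else "none"

def reject_reasons(head):
    """Return reasons to answer 400; an empty list means the head is unambiguous."""
    reasons, seen = [], set()
    for line in header_lines(head):
        name, sep, _ = line.partition(":")
        if not sep or not TOKEN.match(name):
            reasons.append("invalid field name: %r" % name)
        seen.add(name.strip().lower())
    if {"transfer-encoding", "content-length"} <= seen:
        reasons.append("Transfer-Encoding and Content-Length both present")
    if framing(head, True) != framing(head, False):
        reasons.append("lenient and strict parsers frame the body differently")
    return reasons

# Constructed sample request heads, not taken from the issue's screenshots.
SUSPECT = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
           b" Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n")
NORMAL = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"

if __name__ == "__main__":
    for label, head in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(label, framing(head, True), framing(head, False), reject_reasons(head))
```

Rejecting every request that carries both headers is a strict policy choice made for this example; the field-name check alone already catches the space-prefixed header.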
