Open
Description
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
Steps to reproduce the vulnerability
- The hacker sends a request with both a "[space]Transfer-Encoding: chunked" header and a "Content-Length" header.
- The legitimate user sends a normal request.
- The ELB (Elastic Load Balancer) first sends the hacker's request to Netty and then the normal request.
- Netty decodes the request using the incorrect TE ("[space]Transfer-Encoding: chunked"), sending to the hacker the response that corresponds up to the null byte and sending to the legitimate user the response to the chunked request from the hacker.
- Attack Payload
- Normal request
- Processing of netty
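
A defensive check for the header pattern described in this issue, as an added example that is not part of the original report or of Netty's code: it flags header lines whose field-name is not a strict RFC 7230 token and requests where Transfer-Encoding and Content-Length both appear. The function name, finding labels and sample requests are constructed for illustration.

```python
import re

# RFC 7230 "token": the only characters allowed in a header field-name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
TE, CL = b"transfer-encoding", b"content-length"


def audit_request_head(raw: bytes) -> list:
    """Return framing findings for the header block of one raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # skip the request line
    strict, lenient, findings = set(), set(), []
    for line in lines:
        name, sep, _value = line.partition(b":")
        if not sep:
            findings.append("malformed-line")
            continue
        # A lenient parser trims whitespace around the name; a strict one does not.
        loose = name.strip(b" \t").lower()
        lenient.add(loose)
        if TOKEN.fullmatch(name):
            strict.add(name.lower())
        elif line[:1] in (b" ", b"\t"):
            findings.append("leading-whitespace:" + loose.decode("latin-1"))
        else:
            findings.append("invalid-field-name:" + loose.decode("latin-1"))
    # Both framing headers on one request: the two hops may pick different ones.
    if TE in lenient and CL in lenient:
        findings.append("te-and-cl-present")
    # Transfer-Encoding that only a whitespace-trimming parser would honour.
    if (TE in lenient) != (TE in strict):
        findings.append("te-visible-only-to-lenient-parser")
    return findings


# Constructed sample requests (headers only, no smuggled body).
SUSPECT = (b"POST /item HTTP/1.1\r\nHost: app.example\r\n"
           b" Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n")
CLEAN = (b"POST /item HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    print(audit_request_head(SUSPECT))
    print(audit_request_head(CLEAN))
```

A request with any finding is one a front end or the backend should reject with 400 rather than forward or reinterpret.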