Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent Http Request Smuggling in Netty-4.1.96 #13706

Open
AkashMaharana opened this issue Nov 21, 2023 · 2 comments
Open

Prevent Http Request Smuggling in Netty-4.1.96 #13706

AkashMaharana opened this issue Nov 21, 2023 · 2 comments

Comments

@AkashMaharana
Copy link

AkashMaharana commented Nov 21, 2023
edited

Expected behavior

I am working on a application based on Netty. Recently from our security scanner, we got to know that our application is vulnerable to Http Request Smuggling Attack. Post to that I did some exploration on this attack https://portswigger.net/web-security/request-smuggling and identified that this attack can be possible by assigning a crafted message body to a Http Request. To understand the standards of a message body, I checked the RFC doc https://datatracker.ietf.org/doc/html/rfc9112#message.body.length.

So I tried to implement those validations in my project but later find out that these are already handled in Netty wrt addressing couple of vulnerabilities.

As per the vulnerability description and behaviour part of the http request will be processed in the first request and the remaining part will be there in the buffer. The part of the request what was left in buffer is going to be used in the subsequent request to make the attack happen.

I tried to implement a solution by writing a costume Http Request Aggregator where I will read the http request till I received the final chunk then flush the buffer. But I got stuck and the solution is also not working.

Actual behavior

While simulating with the a crafted payload Transfer-Encoding overrides Content-Length and till 0 I get in the first request body. The later part will be there in buffer and will get concatenated to the second request to make the attack happen.

Is there a way to read the http content from http request and clean the buffer after processing of each request in Netty? So that this attack can be prevented? If my understanding is wrong then please let me know how Netty works with buffer.

Any working solution / fix will be greatly appreciated.

Steps to reproduce

Minimal yet complete reproducer code (or URL to code)

Example of the crafted request

`POST /broker/xml HTTP/1.1
Host: burp.ssdevrd.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Connection: keep-alive
Transfer-Encoding: chunked
Content-Length:47

0

GET /portal HTTP/1.0
Host: google.com
X:X`

Netty version

4.1.96

JVM version (e.g. java -version)

JDK17

OS version (e.g. uname -a)
@AkashMaharana
Copy link
Author

@normanmaurer Can you please share your inputs.

@normanmaurer
Copy link
Member

@AkashMaharana can you please share your whole pipeline setup ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@normanmaurer @AkashMaharana