HTTP Request Smuggling Hardening #173

Closed
snoopysecurity opened this issue Jun 16, 2020 · 0 comments · Fixed by #190

Posting it here for community patches after talking with the maintainers privately.

Issue: tiny-http doesn't prevent Request Smuggling attacks (CE:TL,TL:TL) where a frontend proxy might allow/pass malformed Transfer Encoding headers but tiny-http will normalise them.

Steps to Reproduce

POST /login HTTP/1.1
Host: test.local
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: http://dvws.local
Connection: close
Referer: http://test.local/
Upgrade-Insecure-Requests: 1
DNT: 1
Transfer-Encoding : chunked

19
login=admin&password=xxxx
1
Z
Q

In the above example, the request is sent with the Transfer encoding header having extra spaces (Transfer-Encoding : chunked). This is in violation of RFC 7230. tiny-http is normalizing the Transfer-Encoding : chunked header, hence we get the below response.

HTTP/1.1 400 Bad Request
Server: tiny-http (Rust)
Date: Tue, 16 Jun 2020 11:13:12 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 163

{"description":"could not read the body from the request, or could not execute the CGI program","cause":{"description":"Error while decoding chunks","cause":null}}

More variations of this exist:

Transfer-Encoding: "chunked"
 Transfer-Encoding: chunked
Transfer-Encoding: 'chunked'
Transfer-Encoding: chunk
Transfer-Encoding: chunked�
Transfer-Encoding: chunked�
Transfer-Encoding: �chunked
Transfer-Encoding: �chunked
Transfer-Encoding: �chunked
Transfer-Encoding: chunked�
Transfer-Encoding : chunked
Transfer-Encoding:chunked

You can also use https://github.com/defparam/smuggler to fully check what header variations are allowed.
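
A strict header-line check of the kind this issue asks for, as an added example that is not tiny-http's code and not the fix merged in #190. The names `parse_header_line` and `HeaderError` are hypothetical, and refusing non-ASCII value bytes and any coding other than exactly `chunked` are assumed hardening policies, stricter than RFC 7230 requires.

```rust
// Added example (not tiny-http's code): strict parsing of one raw header line.
#[derive(Debug, PartialEq)]
enum HeaderError { ObsFold, NoColon, BadName, BadValue, BadTransferEncoding }

// RFC 7230 tchar: the only bytes allowed in a field-name.
fn is_tchar(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&b)
}

// Hypothetical helper: returns (lowercased name, trimmed value) or an error
// the caller should turn into 400 Bad Request.
fn parse_header_line(line: &[u8]) -> Result<(String, String), HeaderError> {
    // A line starting with SP/HTAB is an obs-fold continuation: reject it.
    if matches!(line.first().copied(), Some(b' ') | Some(b'\t')) {
        return Err(HeaderError::ObsFold);
    }
    let colon = line.iter().position(|&b| b == b':').ok_or(HeaderError::NoColon)?;
    let (name, rest) = (&line[..colon], &line[colon + 1..]);
    // "Transfer-Encoding " (space before the colon) is not a token: reject.
    if name.is_empty() || !name.iter().all(|&b| is_tchar(b)) {
        return Err(HeaderError::BadName);
    }
    // Assumed policy: printable ASCII, SP and HTAB only, so control and
    // non-ASCII bytes are refused rather than trimmed away.
    if !rest.iter().all(|&b| b == b'\t' || (0x20..0x7f).contains(&b)) {
        return Err(HeaderError::BadValue);
    }
    let name = String::from_utf8_lossy(name).to_ascii_lowercase();
    let value = String::from_utf8_lossy(rest)
        .trim_matches(|c: char| c == ' ' || c == '\t')
        .to_string();
    // Assumed policy: the only accepted coding is exactly "chunked".
    if name == "transfer-encoding" && !value.eq_ignore_ascii_case("chunked") {
        return Err(HeaderError::BadTransferEncoding);
    }
    Ok((name, value))
}

fn main() {
    // Constructed sample lines, CRLF already stripped.
    let samples: [&[u8]; 4] = [
        b"Transfer-Encoding: chunked",
        b"Transfer-Encoding : chunked",
        b" Transfer-Encoding: chunked",
        b"Transfer-Encoding: \"chunked\"",
    ];
    for s in samples.iter() {
        println!("{:?} -> {:?}", String::from_utf8_lossy(s), parse_header_line(s));
    }
}
```

The point of returning an error instead of a cleaned-up header is that the request is refused outright, so a front end and this parser cannot disagree about where the body ends.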
