Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

HTTP request smuggling bug patched in mitmproxy

Mitmproxy, an open source, interactive HTTPS proxy service, has patched a dangerous bug that potentially allowed attackers to stage HTTP request smuggling attacks against backend servers.

HTTP request smuggling attacks exploit the inconsistencies between the way intermediary and backend servers process requests to bypass security controls, gain unauthorized access to sensitive data, or compromise other application users.

An elusive bug

Zhang Zeyu, the security researcher who reported the bug, discovered that an attacker could smuggle a request/response through mitmproxy as part of another request/response’s HTTP message body.

“While the more obvious attack vectors (e.g., double Content-Length headers, using Content-Length over Transfer-Encoding) are rare nowadays, more subtle deviations from the standard leave certain setups equally vulnerable to request smuggling,” he told The Daily Swig.

In the case of mitmproxy, an issue with the parsing of whitespace in header names resulted in mitmproxy and a downstream server possibly having different interpretations of HTTP headers.

“Eliminating this type of vulnerability is very tricky as you need different HTTP implementations (proxy and target server) to agree on a common interpretation of HTTP messages,” Maximilian Hils, the maintainer of mitmproxy, told The Daily Swig.

Alternatively, you can make the proxy reject potentially malformed messages, but that would have the drawback of imposing compatibility problems with clients in the wild, Hils said.

“This is not a buffer overflow, which has an obvious fix. There are a lot of nuances here to make sure that intermediary and servers agree,” he said.

HTTP/2 not affected
The bug only works against HTTP/1 services behind mitmproxy, which currently accounts for a very small number of web servers.

HTTP/2, the more commonly used protocol, does not rely on the use of Content-Length and Transfer-Encoding headers to determine where a request body ends.

Instead, a built-in length field is included in each data frame, and when proxies communicate with backends using HTTP/2, there is little ambiguity on the length of each message. Therefore, this particular request smuggling bug would be ineffective against HTTP/2 services.

HTTP/1 services that follow the RFC7230 specification and reject headers with whitespace would also be immune against the request smuggling bug found in mitmproxy. The security bug would also be useless to attackers if the target web application is not vulnerable in some other way.

“From a practical point of view, I’d argue that the impact is non-existent for the vast majority of users,” Hils said. “There are a lot of not-so-common preconditions that need to be met. I’d say quite a few stars need to align for this to have an actual impact in the wild.”

Edge cases
But Zeyu warned that many backend servers still fail to support HTTP/2, including Gunicorn, which serves many Python-based applications. And in many cases, services that support HTTP/2 are not configured to use it between the frontend proxy and the backend servers simply because most clients would not notice the difference, according to Zeyu.

“This means that there are still a lot of web proxy and server configurations that speak HTTP/2 between the client and the proxy but HTTP/1.x between the proxy and the backend, leaving room for HTTP request smuggling attacks to occur,” he said.

Advertisement. Scroll to continue reading.

Irrespective of the debate about its seriousness, the bug has been patched in version 8.0 of mitmproxy.

Source: https://portswigger.net/daily-swig/http-request-smuggling-bug-patched-in-mitmproxy

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO