Project: WASC Threat Classification
Threat Type: Attack
Reference ID: WASC-27
HTTP Response Smuggling
HTTP response smuggling is a technique to “smuggle” 2 HTTP responses from a server to a client, through an intermediary HTTP device that expects (or allows) a single response from the server.
One use for this technique is to enhance the basic HTTP response splitting technique in order to evade anti- HTTP response splitting measures. In this case, the intermediary is the anti-HTTP response splitting mechanism between the web server and the proxy server (or web browser). This use case is described in . Another use case is to spoof responses received by the browser. In this case a malicious web site serves the browser a page that the browser will interpret as originating from a different (target) domain. HTTP response smuggling can be used to achieve this when the browser uses a proxy server to access both sites. This use case is described (briefly) in .
HTTP response smuggling makes use of HTTP request smuggling -like techniques to exploit the discrepancies between what an anti- HTTP Response Splitting mechanism (or a proxy server) would consider to be the HTTP response stream, and the response stream as parsed by a proxy server (or a browser). So, while an anti- HTTP response splitting mechanism may consider a particular response stream harmless (single HTTP response), a proxy/browser may still parse it as two HTTP responses, and hence be susceptible to all the outcomes of the original HTTP response splitting technique (in the first use case) or be susceptible to page spoofing (in the second case). For example, some anti- HTTP response splitting mechanisms in use by some application engines forbid the application from inserting a header containing CR+LF to the response. Yet an attacker can force the application to insert a header containing CRs, thereby circumventing the defense mechanism. Some proxy servers may still treat CR (only) as a header (and response) separator, and as such the combination of web server and proxy server will still be vulnerable to an attack that may poison the proxy’s cache.
Other variants described in the literature include:
- Using LF as a header separator - Using multiple Content-Length headers - Using a combination of Content-Length and Transfer-Encoding - Using SP after the header name
It is important to keep in mind that any discrepancy in the way different HTTP parsers interpret HTTP headers and particularly how they calculate the response’s size can potentially be used for HTTP response smuggling. Therefore, the above list should be considered partial.