Prevent HTTP request smuggling

An external audit of our APIs has revealed that we're vulnerable to an HTTP Request Smuggling attack, where a maliciously crafted request contains both a Content-Length and a Transfer-Encoding: chunked header, or two Content-Length headers. This can result in two requests being sent to the target.


Is there a known solution to this?



If you are seeing two Content-Length headers, then you can restrict the same with request validation in a JavaScript policy and reject if duplicate headers are there. You can also use the same in a flow hook if you want to implement it for all the proxies.

ref: https://community.apigee.com/questions/11561/known-workaround-for-duplicate-header-issue.html

Thank you. I haven't used much JavaScript in my proxies; can you give me a hint on how to read the raw request? Then I'll parse it for a bad header set. Since this is a well-known attack, I was kind of hoping there would be a simple button to press so Apigee would scan for malformed requests on the way in.

I would not solve this with JS.

Is it as simple as adding a Condition wrapping a RaiseFault?

<Step>
  <Name>RF-InvalidRequest</Name>
  <Condition>request.header.content-length != null AND request.header.transfer-encoding != null</Condition>
</Step>

And then to check if there is more than one content-length header the corresponding condition is

request.header.content-length.values.count GreaterThan 1

Get more information on the variables at this documentation page.

Ideally put these two checks in a SharedFlow and attach it to a flowhook so that all APIs get this check automatically enforced.
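For anyone who wants to see the two conditions from this reply applied to a raw request head outside Apigee (for example in a unit test or a pre-deployment check), here is an added, stand-alone Python illustration. It is not Apigee code and not part of the thread; the request samples are constructed, the header parsing is deliberately simplified, and the rejection reasons are my own wording. It implements the same rules the Condition expresses (Content-Length together with Transfer-Encoding, or more than one Content-Length), plus the related RFC 7230 section 3.3.3 cases (duplicate Transfer-Encoding, non-numeric Content-Length, chunked not being the final transfer coding).

```python
from typing import List, Optional, Tuple

# Constructed sample request heads (no real traffic).
REQ_CL_AND_TE = (
    b"POST /api/orders HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
)
REQ_DUPLICATE_CL = (
    b"POST /api/orders HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Length: 4\r\nContent-Length: 11\r\n\r\n"
)
REQ_CLEAN = (
    b"POST /api/orders HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Length: 4\r\n\r\n"
)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head into (name, value) pairs.

    Names are lower-cased, values stripped, and the body (if any) is ignored.
    Simplified: no obs-fold handling, no request-line validation.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            continue
        if b":" not in line:
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(b":", 1)
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers


def framing_problem(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return a reason if the message framing is ambiguous, else None.

    The first two checks mirror the Apigee Condition in the reply above:
      request.header.content-length != null AND request.header.transfer-encoding != null
      request.header.content-length.values.count GreaterThan 1
    The remaining checks follow RFC 7230 section 3.3.3.
    """
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        return "both Content-Length and Transfer-Encoding present"
    if len(cl) > 1:
        return "multiple Content-Length headers"
    if len(te) > 1:
        return "multiple Transfer-Encoding headers"
    if cl and not cl[0].isdigit():
        # Also catches list values such as "42, 42", which are not a single integer.
        return "non-numeric Content-Length"
    if te:
        codings = [c.strip().lower() for c in te[0].split(",")]
        if codings[-1] != "chunked":
            return "chunked is not the final transfer coding"
    return None


def validate_request(raw: bytes) -> Tuple[bool, Optional[str]]:
    """Convenience wrapper: (accepted, reason). Reject on any framing ambiguity."""
    try:
        reason = framing_problem(parse_headers(raw))
    except ValueError as exc:
        return False, str(exc)
    return reason is None, reason


if __name__ == "__main__":
    for label, req in (("CL+TE", REQ_CL_AND_TE),
                       ("dup CL", REQ_DUPLICATE_CL),
                       ("clean", REQ_CLEAN)):
        print(label, validate_request(req))
```

In an Apigee deployment the equivalent of `validate_request` returning `False` is the RaiseFault step firing; keeping the rule set in one function like this makes it easy to assert in tests that every ambiguous framing variant you care about is rejected before the shared flow is promoted.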

I would suggest this if only one or two duplicate headers are there. If you want to check for a larger number of headers and get the header name dynamically, then you can use JavaScript.

Yes, the HTTP Smuggling attack focuses on just these specific headers.

Thanks for confirming. I did implement the duplicate header removal in one proxy using JS earlier.

That looks like it makes sense. I've applied it now and the audit team are trying it out. Thank you.

This method passed the audit on development. However, now that I've waited a few months and pushed it to production, they've discovered Apigee must be doing something in this area, as we now only see one of the two combined requests getting to our proxies. I'm guessing Apigee is intercepting and separating the requests, then only sending the first one through, which is great, except that sometimes the second request generates a 400 Bad Request response. So I'm going to find a way to file a bug report with Google.