HTTP Request Smuggling (H1): CL.TE / TE.CL / TE.TE

Severity: Critical | CWE: CWE-444
OWASP: A05:2021 – Security Misconfiguration
PortSwigger Research: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

What Is HTTP Request Smuggling?

Modern web architectures use a chain of HTTP processors: a frontend (CDN, load balancer, reverse proxy) that forwards requests to a backend server. These processors must agree on where each HTTP request ends and the next begins. HTTP/1.1 allows two ways to specify body length: ...

February 24, 2026 · 8 min · MrAzoth

HTTP/2 Rapid Reset (CVE-2023-44487)

Severity: High (DoS) | CWE: CWE-400
OWASP: A05:2021 – Security Misconfiguration

What Is HTTP/2 Rapid Reset?

HTTP/2 Rapid Reset is a DoS amplification technique that exploits the HTTP/2 stream multiplexing mechanism. In HTTP/2, a client can open multiple concurrent streams on a single TCP connection and cancel them immediately with a RST_STREAM frame — before the server has finished processing them.

The attack pattern:

1. Client sends HEADERS frame (initiates a request on stream N)
2. Client immediately sends RST_STREAM frame (cancels stream N)
3. Repeat at high rate — the server must still process each HEADERS frame before seeing the reset

The server incurs full request parsing and dispatch cost per stream. The client incurs almost none — it resets before receiving any response. This asymmetry is the amplification vector. ...

February 24, 2026 · 12 min · MrAzoth

HTTP/2 Request Smuggling

Severity: Critical | CWE: CWE-444
OWASP: A02:2021 – Cryptographic Failures / A05:2021 – Security Misconfiguration

What Is HTTP/2 Smuggling?

HTTP/2 uses a binary framing layer with explicit frame lengths — there is no Content-Length or Transfer-Encoding ambiguity within a true HTTP/2 connection. Smuggling occurs at the H2→H1 downgrade boundary: a front-end proxy accepts HTTP/2 but forwards to a back-end over HTTP/1.1.

Two main attack variants:

H2.CL — Front-end ignores HTTP/2 framing length, uses attacker-supplied Content-Length to forward to backend. Backend processes CL but sees extra bytes as a new request.
H2.TE — Front-end strips Transfer-Encoding header received in H2, but attacker-supplied TE header survives downgrade. Backend sees chunked encoding → processes smuggled prefix.
H2.0 — HTTP/2 cleartext (h2c) upgrade smuggling (CONNECT-based tunnel abuse)

Key difference from H1 smuggling: HTTP/2 headers are pseudo-headers (:method, :path, :scheme, :authority) — injecting newlines in header values can create entirely new HTTP/1.1 headers after downgrade. ...

February 24, 2026 · 7 min · MrAzoth

Web Cache Deception

Severity: High | CWE: CWE-200, CWE-346
OWASP: A01:2021 – Broken Access Control

What Is Web Cache Deception?

Unlike cache poisoning (attacker poisons cache to affect other users), cache deception tricks the cache into storing a victim’s private, authenticated response as a public, cacheable resource — then the attacker retrieves it.

Normal:   GET /account/profile → private, authenticated → Cache-Control: no-store
Trick:    GET /account/profile.css → server ignores .css, serves profile page
          CDN caches because .css extension → marked as static asset
Attacker: GET /account/profile.css → CDN returns cached victim profile

Key requirement: path routing that ignores the appended path/extension, combined with a cache that uses file-extension-based caching rules. ...

February 24, 2026 · 4 min · MrAzoth

Web Cache Poisoning

Severity: High–Critical | CWE: CWE-346, CWE-116
OWASP: A05:2021 – Security Misconfiguration

What Is Web Cache Poisoning?

A cache stores responses keyed by URL + headers. Poisoning works by injecting malicious content into a cached response that is then served to all users requesting the same URL.

Key concept: cache key (what identifies a unique cache entry) vs unkeyed inputs (headers/params that affect the response but aren’t in the cache key). ...

February 24, 2026 · 5 min · MrAzoth