Vulnerability Details
Severity: High
Category: Web Application
Description
Discrepancies in how front-end and back-end servers parse HTTP requests allow attackers to smuggle ambiguous requests, bypassing security controls and interfering with other users' requests.
Risks
An attacker could bypass security controls, gain unauthorized access to sensitive data, poison web caches, hijack other users' requests, or perform cross-site scripting attacks.
Remediation
Ensure consistent HTTP parsing between front-end and back-end servers. Use HTTP/2 end-to-end where possible. Disable connection reuse on back-end connections. Normalize ambiguous requests at the front-end proxy.
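
One way a front-end could decide which requests to reject or normalize is to check the header block for framing that two parsers may read differently. The sketch below is an added example, not part of the original entry or of any particular proxy. The function name, the sample requests, and the strict policy of accepting only a single `Transfer-Encoding: chunked` are assumptions.

```python
import re

# Valid header-name characters (RFC 9110 token); a space before the colon fails this.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def framing_problems(raw: bytes) -> list[str]:
    """Return the reasons a request's framing is ambiguous; an empty list means clean."""
    problems = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    stripped = head.replace(b"\r\n", b"")
    if b"\n" in stripped or b"\r" in stripped:
        problems.append("bare CR or LF in header block")
    cl, te = [], []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            problems.append(f"malformed header name {name!r}")
            continue
        if name.lower() == b"content-length":
            cl.append(value.strip(b" \t"))
        elif name.lower() == b"transfer-encoding":
            te.append(value.strip(b" \t").lower())
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(cl) > 1:
        problems.append("conflicting or repeated Content-Length")
    if any(not v.isdigit() for v in cl):
        problems.append("non-numeric Content-Length")
    if te and te != [b"chunked"]:
        problems.append("Transfer-Encoding is not exactly 'chunked'")
    return problems

# Constructed sample requests (example.test is a placeholder host).
CLEAN = b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nabc"
CL_AND_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n"
          b"Content-Length: 5\r\n\r\nabc")
SPACED_TE = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n"
BARE_LF = b"GET / HTTP/1.1\nHost: example.test\n\n"

if __name__ == "__main__":
    for sample in (CLEAN, CL_AND_TE, DUP_CL, SPACED_TE, BARE_LF):
        print(framing_problems(sample) or "clean")
```

A request with a non-empty result should be refused with a 400 and the client connection closed, so that no leftover bytes reach a reused back-end connection.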