You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Goliath allows requests with multiple content-lengths.
When sent a request such as the below, the first content-length header is ignored and the second content-length header is prioritized. Since the second content-length was set to zero, the backend will expect no request body and the /smuggledreq request is treated as another pipelined request.
GET / HTTP/1.1
Content-Length: 46
Content-Length: 0
Host: 127.0.0.1
GET /smuggledreq HTTP/1.1
Host: 127.0.0.1
HTTP/1.1 200 OK
Content-Length: 11
Server: Goliath
Date: Tue, 02 Jun 2020 19:45:59 GMT
hello worldHTTP/1.1 200 OK
Content-Length: 11
Server: Goliath
Date: Tue, 02 Jun 2020 19:45:59 GMT
hello world
Goliath allows multiple malformed variations of the Transfer Encoding header. Depending on how Goliath will be used as part of a chain of servers, this could result in a successful request smuggling attack.
POST / HTTP/1.1
Host: 127.0.0.1:9000
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
tRANSFER-ENCODING: chunked
0
X
Prioritize Transfer-Encoding over Content-Length
Remediation: This remediation will prevent CL:TE and TE:CL attacks
Details: When a request with both a Transfer-Encoding: chunked header and Content-length is received, the transfer-encoding header should be prioritized over Content-Length. This is referenced in RFC 7230 Section 3.3.3#3.
Disallow requests with Double Content-Length
Remediation: This remediation will prevent CL:CL attacks
Details: As mentioned in RFC 7230 Section 3.3.3#4, if a HTTP request is received with multiple content-length headers with different length values, this should be responded with a HTTP 400 response.
Disallow malformed Transfer encoding headers
Remediation: This remediation will prevent TE:TE attacks.
Details: If both a frontend and backend prioritizes the Transfer-Encoding header, it could allow smuggling attacks where an attacker inserts two Transfer-Encoding headers, one which would be ignored by the frontend and is processed by the backend and vice versa. As such, the following type of header variations should be rejected. More examples of header variations can be seen here:https://portswigger.net/web-security/request-smuggling
Disallow requests with both Content-length and Transfer encoding
Remediation: This remediation will prevent CL:TE and TE:CL attacks
Details: This can be seen as a better alternative to “Prioritize Transfer-Encoding over Content-Length” solution. Runtime platforms such as Node.js have used this solution to remediate against request smuggling where any requests with both headers are returned with a HTTP 400 response.
The text was updated successfully, but these errors were encountered:
Posting it here for community patches after talking with the maintainers privately.
Issue: Goliath doesn't prevent Request Smuggling attacks
When sent a request such as the below, the first content-length header is ignored and the second content-length header is prioritized. Since the second content-length was set to zero, the backend will expect no request body and the /smuggledreq request is treated as another pipelined request.
Other examples:
How to fix:
Prioritize Transfer-Encoding over Content-Length
Remediation: This remediation will prevent CL:TE and TE:CL attacks
Details: When a request with both a Transfer-Encoding: chunked header and Content-length is received, the transfer-encoding header should be prioritized over Content-Length. This is referenced in RFC 7230 Section 3.3.3#3.
Disallow requests with Double Content-Length
Remediation: This remediation will prevent CL:CL attacks
Details: As mentioned in RFC 7230 Section 3.3.3#4, if a HTTP request is received with multiple content-length headers with different length values, this should be responded with a HTTP 400 response.
Disallow malformed Transfer encoding headers
Remediation: This remediation will prevent TE:TE attacks.
Details: If both a frontend and backend prioritizes the Transfer-Encoding header, it could allow smuggling attacks where an attacker inserts two Transfer-Encoding headers, one which would be ignored by the frontend and is processed by the backend and vice versa. As such, the following type of header variations should be rejected. More examples of header variations can be seen here:https://portswigger.net/web-security/request-smuggling
Disallow requests with both Content-length and Transfer encoding
Remediation: This remediation will prevent CL:TE and TE:CL attacks
Details: This can be seen as a better alternative to “Prioritize Transfer-Encoding over Content-Length” solution. Runtime platforms such as Node.js have used this solution to remediate against request smuggling where any requests with both headers are returned with a HTTP 400 response.
The text was updated successfully, but these errors were encountered: