Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond

The presentation discusses various techniques for smuggling headers and requests through to the back end of servers, including HTTP 2 to 81 downgrades, cache poisoning, and CL.CL request smuggling. The speaker also addresses assumptions made in their research and provides references for further reading.

• Smuggling research focused on HTTP 2 to 81 downgrades and new ways to sneak headers through to the back end
• Cache poisoning allows an attacker to overwrite responses in a cache with their own controlled value
• CL.CL request smuggling involves using two content length headers to affect other users' requests
• Assumptions made in the research include different errors from front and back end servers, all headers being passed the same, and all servers passing the content length header
• References are provided for further reading

The speaker demonstrates how an attacker can use cache poisoning to target a victim using CloudFront or any other caching proxy, overwriting responses in their cache with any value completely under the attacker's control.

Web applications commonly rely on proxy servers adding, modifying, or filtering HTTP headers to pass information to back-end servers. Research in recent years has shown how flawed implementations of these actions can lead to severe security vulnerabilities such as HTTP request smuggling, authentication bypasses, and cache poisoning. Recent request smuggling research has developed new ways to modify headers to abuse these flawed implementations, a technique known as "header smuggling". While often overlooked, when explored as its own technique header smuggling can be used to trigger interesting and exploitable behaviours in web applications.I will present a new methodology for identifying how HTTP headers can be modified to achieve header smuggling using a small number of requests. I will then show how this methodology was used to bypass IP address restrictions in AWS API Gateway, and to achieve cache poisoning. I will also demonstrate how to safely detect request smuggling vulnerabilities based on multiple "Content-Length" headers ("CL.CL" request smuggling) in black-box scenarios. The tooling developed for this research will be released to help others identify new vulnerabilities using this methodology.This methodology allows for much more extensive testing of HTTP headers and values which trigger exploitable behaviour from back-end servers. Vulnerabilities which are not widely searched for as they have previously taken an impractically large number of requests to find can now be easily identified.