Researchers argue HTTP Request Smuggling is under-researched and propose two methods for finding new vulnerabilities: fuzzing tools like http-garden for public servers and bug bounty/VDP programs for undisclosed stacks.
Fuzzing is a poor fit for cloud providers’ custom tech stacks, which cannot simply be stood up locally, so the researchers recommend sending payloads to bug bounty programs instead: they offer a legal route to hacking real deployments and a broad attack surface. The bbscope tool can automate fetching bug bounty program scopes so that in-scope targets are identified efficiently.
The experimentation with HTTP/1.1 smuggling techniques revealed a gap in documented attack methods. Existing techniques exploit discrepancies between how front-end and back-end servers interpret Content-Length and Transfer-Encoding headers (CL.TE, TE.CL, TE.TE, CL.0).
A potential new attack vector (TE.0) has been identified where the back-end server ignores the Transfer-Encoding header entirely, similar to how some back-ends disregard Content-Length (CL.0), which could be a novel way to manipulate request parsing and potentially bypass security controls.
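The added example below (not code from the article or from the researchers it summarises) makes the TE.0 parsing discrepancy concrete from the defender's side. It parses one constructed HTTP/1.1 request two ways, as a front-end that honours `Transfer-Encoding: chunked` and as a back-end that ignores that header entirely, shows that the two disagree about how many bytes belong to the body, and then applies the standard mitigation: the front-end de-chunks the body and re-frames it with an explicit `Content-Length` (refusing ambiguous requests, such as ones carrying both framing headers), so a TE-ignoring back-end has nothing left to misinterpret. Host names and request bytes are placeholders constructed for the demo.

```python
"""Added example: the framing disagreement behind TE.0 and a front-end
re-framing mitigation. Sample requests are constructed; hosts are placeholders."""


def split_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (request line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header section")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # names are case-insensitive; keep every occurrence so duplicates are visible
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def parse_chunked(body: bytes):
    """Decode a chunked body. Returns (decoded data, offset just past the terminator)."""
    data = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)  # chunk size is hexadecimal
        pos = nl + 2
        if size == 0:
            # last chunk: optional trailer lines, then an empty line ends the body
            while True:
                nl = body.index(b"\r\n", pos)
                line, pos = body[pos:nl], nl + 2
                if not line:
                    return bytes(data), pos
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        data += body[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF


def body_end_honouring_te(headers, body: bytes) -> int:
    """Front-end view: Transfer-Encoding (assumed 'chunked') wins over Content-Length."""
    if headers.get(b"transfer-encoding"):
        return parse_chunked(body)[1]
    return int(headers.get(b"content-length", [b"0"])[0])


def body_end_ignoring_te(headers, body: bytes) -> int:
    """Back-end of the TE.0 kind: Transfer-Encoding is never consulted."""
    return int(headers.get(b"content-length", [b"0"])[0])


def framing_disagreement(raw: bytes):
    """Bytes each side attributes to the body; a mismatch is the smuggling condition."""
    _, headers, body = split_message(raw)
    return body_end_honouring_te(headers, body), body_end_ignoring_te(headers, body)


def normalize_for_backend(raw: bytes) -> bytes:
    """Re-frame a request with an explicit Content-Length and no Transfer-Encoding,
    refusing anything ambiguous, so a TE-ignoring back-end cannot disagree with us."""
    request_line, headers, body = split_message(raw)
    te = headers.get(b"transfer-encoding", [])
    cl = headers.get(b"content-length", [])
    if te and cl:
        raise ValueError("ambiguous framing: Transfer-Encoding and Content-Length both present")
    if len(te) > 1 or len(cl) > 1:
        raise ValueError("duplicate framing header")
    if te and te[0].lower() != b"chunked":
        raise ValueError("unsupported Transfer-Encoding")
    if te:
        payload, end = parse_chunked(body)
    else:
        end = int(cl[0]) if cl else 0
        payload = body[:end]
    if end != len(body):
        # leftover bytes would become a second message on the upstream connection
        raise ValueError("trailing bytes after declared body")
    kept = [request_line] + [
        line for line in raw.partition(b"\r\n\r\n")[0].split(b"\r\n")[1:]
        if line.split(b":", 1)[0].strip().lower() not in (b"transfer-encoding", b"content-length")
    ]
    kept.append(b"Content-Length: " + str(len(payload)).encode())
    return b"\r\n".join(kept) + b"\r\n\r\n" + payload


def framing_rejection(raw: bytes):
    """Reason a hardened front-end would refuse this request, or None if it is clean."""
    try:
        normalize_for_backend(raw)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: chunked POST with no Content-Length (placeholder host).
SAMPLE = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"2\r\nhi\r\n"
    b"0\r\n"
    b"\r\n"
)

# Constructed sample carrying both framing headers, which the normaliser refuses.
AMBIGUOUS = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Content-Length: 12\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"2\r\nhi\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print("body end (front-end, back-end):", framing_disagreement(SAMPLE))
    print(normalize_for_backend(SAMPLE).decode())
    print("ambiguous request refused:", framing_rejection(AMBIGUOUS))
```

On `SAMPLE` the chunked-aware side places the body end at byte 12 while the TE-ignoring side places it at byte 0, so the back-end would read those 12 bytes as the start of a new request on the same connection. After `normalize_for_backend` both sides agree on a 2-byte body, which is why re-framing at the edge (or refusing to forward chunked bodies to back-ends that cannot be trusted to parse them) is the usual fix.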
Security researchers identified a TE.0 smuggling vulnerability in a major bank’s main API. By sending a malicious payload with null values through Burp Suite Intruder, they were able to redirect logged-in users to a collaborator server.
This redirection also leaked the users’ session tokens as a side effect, which allowed the researchers to achieve a mass zero-click account takeover, compromising user accounts without any user interaction.
A new HTTP request smuggling vulnerability, found through a bug bounty program, allows attackers to bypass authentication and potentially access sensitive data.
Further investigation revealed that the vulnerability resided in the Google Cloud Load Balancer, which was configured to use HTTP/1.1 by default. Not every GCP host was vulnerable, but a significant number of those still using the older HTTP/1.1 protocol were affected.
Google Cloud Platform’s Identity-Aware Proxy (IAP) enforces Zero Trust principles by authenticating users, authorizing access based on identity and group membership, and controlling access to web applications and resources. IAP acts as a gatekeeper, verifying user credentials and permissions before granting access.
When IAP is deployed behind a Google Load Balancer vulnerable to request smuggling, attackers can bypass IAP’s authorization process altogether, rendering its security measures ineffective and potentially exposing sensitive data.
Researchers at BugCrowd discovered a new HTTP request smuggling vulnerability (TE.0) that could be exploited to achieve critical impacts like site-wide redirection by leveraging application-specific gadgets and techniques used in other smuggling attacks.
To exploit TE.0, researchers recommend setting the chunk length in hex format, adding two empty lines after the final chunk, disabling automatic content-length adjustments, and experimenting with different HTTP methods.
When they notified Google of the vulnerability, the search engine giant acknowledged it and paid the researchers a bounty after some back and forth.