HTTP request smuggling bug patched in mitmproxy – The Daily Swig

Bug exploited inconsistencies between intermediary and backend servers

Mitmproxy has resolved a bug that potentially allowed attackers to stage HTTP request smuggling attacks

Mitmproxy, an open source, interactive HTTPS proxy service, has patched a dangerous bug that potentially allowed attackers to stage HTTP request smuggling attacks against backend servers.

HTTP request smuggling attacks exploit the inconsistencies between the way intermediary and backend servers process requests to bypass security controls, gain unauthorized access to sensitive data, or compromise other application users.

An elusive bug

Zhang Zeyu, the security researcher who reported the bug, discovered that an attacker could smuggle a request/response through mitmproxy as part of another request/response’s HTTP message body.

“While the more obvious attack vectors (e.g., double Content-Length headers, using Content-Length over Transfer-Encoding) are rare nowadays, more subtle deviations from the standard leave certain setups equally vulnerable to request smuggling,” he told The Daily Swig.

In the case of mitmproxy, an issue with the parsing of whitespace in header names resulted in mitmproxy and a downstream server possibly having different interpretations of HTTP headers.

“Eliminating this type of vulnerability is very tricky as you need different HTTP implementations (proxy and target server) to agree on a common interpretation of HTTP messages,” Maximilian Hils, the maintainer of mitmproxy, told The Daily Swig.

Alternatively, you can make the proxy reject potentially malformed messages, but that would have the drawback of imposing compatibility problems with clients in the wild, Hils said.

“This is not a buffer overflow, which has an obvious fix. There are a lot of nuances here to make sure that intermediary and servers agree,” he said.

HTTP/2 not affected

The bug only works against HTTP/1 services behind mitmproxy, which currently account for a very small number of web servers.

HTTP/2, the more commonly used protocol, does not rely on the use of Content-Length and Transfer-Encoding headers to determine where a request body ends.

Instead, a built-in length field is included in each data frame, and when proxies communicate with backends using HTTP/2, there is little ambiguity on the length of each message. Therefore, this particular request smuggling bug would be ineffective against HTTP/2 services.

HTTP/1 services that follow the RFC 7230 specification and reject headers with whitespace would also be immune to the request smuggling bug found in mitmproxy. The security bug would also be useless to attackers if the target web application is not vulnerable in some other way.
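As an added illustration (not code from mitmproxy or from the article), the Python sketch below shows the whitespace-in-header-name disagreement described earlier and the RFC 7230 rejection rule mentioned here: two hypothetical lenient parsers disagree on whether a constructed header block carries a Content-Length, while a strict parser refuses the message. All function names and sample bytes are assumptions made for this example.

```python
import re

# RFC 7230 section 3.2.6: a field-name is a "token", which excludes whitespace.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
FRAMING = {b"content-length", b"transfer-encoding"}

# Constructed sample header blocks (request line omitted); not captured traffic.
CLEAN = b"Host: app.example\r\nContent-Length: 5\r\n"
SPACED = b"Host: app.example\r\nContent-Length : 5\r\n"


class MalformedHeader(ValueError):
    """Raised when a header line violates the RFC 7230 field-name grammar."""


def parse_strict(head: bytes) -> dict:
    """Reject whitespace (or any non-token byte) in a header name."""
    headers = {}
    for line in filter(None, head.split(b"\r\n")):
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            raise MalformedHeader(repr(line))
        headers[name.lower()] = value.strip(b" \t")
    return headers


def parse_lenient(head: bytes, trim_name: bool) -> dict:
    """Hypothetical tolerant parser; trim_name models two possible behaviours."""
    headers = {}
    for line in filter(None, head.split(b"\r\n")):
        name, _, value = line.partition(b":")
        if trim_name:
            name = name.strip(b" \t")  # "Content-Length " becomes a length header
        headers[name.lower()] = value.strip(b" \t")
    return headers


def framing_view(headers: dict) -> dict:
    """Only the headers that decide where the message body ends."""
    return {k: v for k, v in headers.items() if k in FRAMING}


def parsers_disagree(head: bytes) -> bool:
    """True when the two lenient parsers would frame the body differently."""
    return framing_view(parse_lenient(head, True)) != framing_view(parse_lenient(head, False))


if __name__ == "__main__":
    print("lenient parsers disagree on SPACED:", parsers_disagree(SPACED))
    print("lenient parsers disagree on CLEAN:", parsers_disagree(CLEAN))
```

A proxy or backend that applies the strict check at its edge never reaches the point where two components can hold different views of the body length.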

“From a practical point of view, I’d argue that the impact is non-existent for the vast majority of users,” Hils said. “There are a lot of not-so-common preconditions that need to be met. I’d say quite a few stars need to align for this to have an actual impact in the wild.”

Edge cases

But Zeyu warned that many backend servers still fail to support HTTP/2, including Gunicorn, which serves many Python-based applications. And in many cases, services that support HTTP/2 are not configured to use it between the frontend proxy and the backend servers simply because most clients would not notice the difference, according to Zeyu.

“This means that there are still a lot of web proxy and server configurations that speak HTTP/2 between the client and the proxy but HTTP/1.x between the proxy and the backend, leaving room for HTTP request smuggling attacks to occur,” he said.

Irrespective of the debate about its seriousness, the bug has been patched in version 8.0 of mitmproxy.

Source of this news: https://portswigger.net/daily-swig/http-request-smuggling-bug-patched-in-mitmproxy