Vulnerability Could Expose HAProxy to HTTP Request Smuggling Attack | eSecurityPlanet – eSecurity Planet

A high-severity vulnerability discovered in the open-source load balancer and proxy server HAProxy could let attackers carry out an HTTP request smuggling attack, bypassing security controls enforced at the proxy and gaining unauthorized access to sensitive data.

Researchers with JFrog Security uncovered the vulnerability, CVE-2021-40346, during their regular searches for new and previously unknown vulnerabilities in popular open-source projects. HAProxy fits into that category.

HAProxy is a widely used tool designed for high-traffic websites and used by many companies. It also ships with most mainstream Linux distributions and is often deployed by default in cloud platforms.

In a blog post, JFrog researchers Ori Hollander and Or Peles said they worked with HAProxy’s maintainers to create a verified fix.

HTTP Request Smuggling

Through the vulnerability, an attacker could “smuggle” HTTP requests to a back-end server without the proxy being aware of them, the researchers said. This lets an attacker bypass security controls such as any ACLs defined in HAProxy (which administrators use to block malicious requests, select backends and redirect to HTTPS, among other things), and from there access sensitive data, execute unauthorized commands, modify data, hijack user sessions and exploit a reflected XSS (cross-site scripting) vulnerability without user interaction.

The vulnerability has a severity rating of 8.6 on the CVSS scoring system.

“HTTP request smuggling is a vulnerability type that has gained widespread community attention due to numerous high-paying bug bounty reports over the last few months,” JFrog CTO Asaf Karas told eSecurity Planet. “Not only is it gaining traction, but its impact can be detrimental depending on the configuration of the servers behind the proxy. Security leaders would be wise to review how they utilize HAProxy in their environment to evaluate if they are vulnerable, especially if they use HAProxy as a reverse proxy.”

The researchers wrote that the vulnerability was fixed in versions 2.0.25, 2.2.17, 2.3.14 and 2.4.4 of HAProxy. The fixes in these versions add size checks for the name and value lengths, the researchers wrote.

In addition, organizations that can’t upgrade to a fixed version can add the following lines to HAProxy’s configuration, which reject any request or response that carries more than one Content-Length header:

http-request  deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }

Those unsure of the version they’re running can use software composition analysis (SCA) tools like JFrog’s Xray to determine the version in use and whether artifacts are affected by the vulnerability.

Increasingly Common Web Architecture

According to web application testing and scanning vendor PortSwigger, in an increasingly common architecture, modern web apps often use chains of HTTP servers between users and the application logic. Users send requests to a front-end server – a load balancer or reverse proxy – which then forwards requests to one or more back-end servers.

“When the front-end server forwards HTTP requests to a back-end server, it typically sends several requests over the same back-end network connection, because this is much more efficient and performant,” PortSwigger officials wrote in an explainer on its site. “The protocol is very simple: HTTP requests are sent one after another, and the receiving server parses the HTTP request headers to determine where one request ends and the next one begins.”


The HAProxy load balancer’s key job is proxying HTTP requests coming in from a user to a back-end server, the JFrog researchers wrote. Simplified and focused on the Content-Length header, HAProxy’s request handling logic can be viewed in two phases: initial parsing of the request, followed by further processing of the parsed result.

New Use for Old Attack Technique

HTTP Request Smuggling is an attack technique that came to light in 2005 and is designed to interfere with the processing of HTTP requests between the front-end server – in this case, HAProxy – and the back-end server, according to JFrog. Attackers typically use the technique to send a specially crafted request that carries an additional request inside its body. The inner request is smuggled through the front-end server – which, the researchers said, treats it simply as part of the body of the outer request – and is interpreted as a normal, separate request by the back-end server.

“In most cases, the smuggling technique is done by supplying both the Content-Length and Transfer-Encoding headers with contradicting lengths in the same request and aiming for parsing inconsistencies between the frontend and backend servers,” Hollander and Peles wrote. “In our case, however, the attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request – specifically – in the logic that deals with Content-Length headers.”

What makes this kind of attack possible is that “when the frontend server forwards HTTP requests to the backend, it uses the same established TCP connection instead of wasting time on opening and closing sockets,” they wrote. “The requests are sent back-to-back and it is up to the backend server to decide where a request ends and the next one begins.”
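To make the desync concrete, the following Python simulation is an added example (not code from JFrog, PortSwigger or the HAProxy project). It models the classic Content-Length versus Transfer-Encoding disagreement the researchers describe as the usual smuggling route, not the integer-overflow path specific to CVE-2021-40346: a front-end that frames requests by Content-Length and a back-end that honours chunked Transfer-Encoding split the same pipelined byte stream at different points, so the back-end sees an attacker-chosen request line where the front-end saw a victim’s request. It also implements, in plain Python, the check behind the `hdr_cnt(content-length) gt 1` mitigation given above, which is specific to requests carrying more than one Content-Length header. All requests, hostnames and paths are constructed sample data.

```python
"""Added example: simulate a front-end/back-end request-framing desync and the
duplicate-Content-Length check used as the HAProxy mitigation.
All traffic below is constructed sample data; example.test is a placeholder."""
from typing import List, Tuple

CRLF = b"\r\n"


def parse_head(head: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a request head into (request line, [(lowercased name, value), ...])."""
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def header_count(headers: List[Tuple[bytes, bytes]], name: bytes) -> int:
    """Equivalent of HAProxy's hdr_cnt(<name>): occurrences, case-insensitive."""
    return sum(1 for n, _ in headers if n == name.lower())


def should_deny(raw_request: bytes) -> bool:
    """The article's mitigation: deny a request with more than one Content-Length
    (HAProxy: http-request deny if { req.hdr_cnt(content-length) gt 1 })."""
    head = raw_request.split(CRLF + CRLF, 1)[0]
    _, headers = parse_head(head)
    return header_count(headers, b"content-length") > 1


def chunked_body_end(stream: bytes, start: int) -> int:
    """Return the offset just past a chunked body that begins at `start`."""
    pos = start
    while True:
        nl = stream.index(CRLF, pos)
        size = int(stream[pos:nl].split(b";")[0], 16)  # ignore chunk extensions
        pos = nl + 2 + size + 2                         # chunk data + trailing CRLF
        if size == 0:
            return pos


def split_requests(stream: bytes, policy: str) -> List[bytes]:
    """Split pipelined requests as a server with the given framing policy would.
    'cl': trust Content-Length and ignore Transfer-Encoding (a naive front-end).
    'te': chunked Transfer-Encoding wins over Content-Length (RFC 7230 s.3.3.3)."""
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(CRLF + CRLF, pos)
        if end < 0:
            break  # incomplete head: a real server would wait for more bytes
        _, headers = parse_head(stream[pos:end])
        body_start = end + 4
        chunked = any(n == b"transfer-encoding" and b"chunked" in v.lower()
                      for n, v in headers)
        lengths = [int(v) for n, v in headers if n == b"content-length"]
        if policy == "te" and chunked:
            body_end = chunked_body_end(stream, body_start)
        else:
            body_end = body_start + (lengths[0] if lengths else 0)
        requests.append(stream[pos:body_end])
        pos = body_end
    return requests


def request_line(raw: bytes) -> bytes:
    return raw.split(CRLF, 1)[0]


# Constructed sample traffic: the attacker's body is a terminating chunk
# followed by the prefix of a request the attacker wants the back-end to see.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1" + CRLF + b"Foo: "
ATTACKER_BODY = b"0" + CRLF + CRLF + SMUGGLED_PREFIX
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1" + CRLF
    + b"Host: example.test" + CRLF
    + b"Content-Length: " + str(len(ATTACKER_BODY)).encode() + CRLF
    + b"Transfer-Encoding: chunked" + CRLF
    + CRLF
    + ATTACKER_BODY
)
VICTIM_REQUEST = b"GET / HTTP/1.1" + CRLF + b"Host: example.test" + CRLF + CRLF
STREAM = ATTACKER_REQUEST + VICTIM_REQUEST

# A constructed request with two Content-Length headers, which the rule denies.
DOUBLE_CL_REQUEST = (
    b"POST / HTTP/1.1" + CRLF
    + b"Host: example.test" + CRLF
    + b"Content-Length: 5" + CRLF
    + b"Content-Length: 0" + CRLF
    + CRLF
    + b"hello"
)


def desync_demo() -> Tuple[bytes, bytes]:
    """Return the request line each side believes begins the second request."""
    front = split_requests(STREAM, "cl")
    back = split_requests(STREAM, "te")
    return request_line(front[1]), request_line(back[1])


if __name__ == "__main__":
    front_view, back_view = desync_demo()
    print("front-end thinks request #2 is:", front_view)
    print("back-end  thinks request #2 is:", back_view)
    print("double Content-Length denied:", should_deny(DOUBLE_CL_REQUEST))
```

Running it shows the front-end treating the victim’s `GET /` as the second request while the back-end, having stopped at the zero-length chunk, treats the attacker’s `GET /admin` prefix as the second request and swallows the victim’s request line into the `Foo:` header. The `should_deny` check flips only on duplicate Content-Length headers; it returns False for the CL.TE stream, which is why the configuration rule in the article is a targeted stopgap rather than a general smuggling defence.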

Shachar Menashe, senior research director at JFrog, said it’s important for organizations to “make sure administrative web endpoints and sensitive materials are guarded behind robust authentication mechanisms, instead of simple ACL rules in an external proxy or firewall. Additionally, logged HTTP traffic should always be available to administrative users only – regardless of which part of the HTTP request is logged – in order to avoid exposing unintended parts of an HTTP request to potential attackers.”

Further reading: Open Source Security: A Big Problem
