Http Request Smuggling in Feathersjs with Dynamodb
Http Request Smuggling in Feathersjs with Dynamodb — how this specific combination creates or exposes the vulnerability
HTTP request smuggling arises when an API processes HTTP requests in a way that causes a mismatch between what the frontend (e.g., a load balancer or reverse proxy) and the backend interpret as the end of a request. In a Feathersjs + DynamoDB setup, the risk typically occurs at the integration layer: Feathersjs services receive untrusted HTTP input, and if the service logic or transport misparses message boundaries, an attacker can craft requests that cause the frontend and backend to disagree on request framing.
Feathersjs is a JavaScript framework for building APIs quickly; it does not inherently parse or normalize HTTP-level framing issues. When Feathersjs is placed behind a proxy (common in production) and also uses DynamoDB as a backend data store, certain patterns increase exposure:
- Chunked transfer encoding misuse: If Feathersjs or an intermediate component processes requests with Transfer-Encoding: chunked but does not strictly validate chunk boundaries before passing data to downstream handlers, an attacker can send smuggled requests that the proxy terminates while the Feathersjs service interprets additional requests as belonging to the original connection.
- Content-Length vs Transfer-Encoding confusion: A request that provides both Content-Length and Transfer-Encoding headers can be interpreted differently by frontend proxies versus the Feathersjs HTTP server, leading to request splitting where one logical request is treated as multiple requests by different layers.
- Custom transports and adapters: Feathersjs allows custom transports. If a transport implementation directly interfaces with DynamoDB using low-level HTTP clients without normalizing headers, it may forward or interpret requests in a way that exposes parsing ambiguities to the backend service.
Because DynamoDB stores and retrieves data based on the application’s request parsing, smuggling can lead to unauthorized operations (e.g., one request performing two logical operations, one of which writes or reads sensitive data). Attack outcomes may include data leakage or unintended writes, depending on how the Feathersjs service maps parsed requests to DynamoDB operations.
To detect this specific combination, middleBrick scans the unauthenticated attack surface of your Feathersjs endpoint and checks for inconsistencies in how requests are interpreted across frontend and backend layers, including header handling and chunked encoding behavior.
Dynamodb-Specific Remediation in Feathersjs — concrete code fixes
Remediation focuses on strict header handling, avoiding ambiguous framing, and ensuring that Feathersjs services normalize requests before they reach DynamoDB operations. Below are concrete patterns and code examples for a Feathersjs service that safely interacts with DynamoDB.
1. Enforce strict header parsing and reject ambiguous requests at the Feathersjs hook layer.
// src/hooks/validate-headers.js
module.exports = function validateHeaders() {
return async context => {
const headers = context.headers || {};
// Reject requests that provide both Content-Length and Transfer-Encoding
if (headers['content-length'] !== undefined && headers['transfer-encoding'] !== undefined) {
throw new Error('Invalid headers: Content-Length and Transfer-Encoding must not both be present');
}
// Normalize transfer-encoding to lowercase for consistent checks
if (headers['transfer-encoding']) {
const te = headers['transfer-encoding'].toLowerCase();
if (te !== 'chunked') {
throw new Error('Unsupported transfer-encoding');
}
}
context.headers = headers;
return context;
};
};
2. Use a stable HTTP client for any backend calls (e.g., when your Feathersjs service calls other services before DynamoDB) and avoid forwarding suspicious framing.
// src/clients/dynamodb-client.js
const { DynamoDBClient, GetItemCommand, PutItemCommand } = require('@aws-sdk/client-dynamodb');
const client = new DynamoDBClient({ region: 'us-east-1' });
async function safeGetItem(tableName, key) {
const command = new GetItemCommand({
TableName: tableName,
Key: key
});
const response = await client.send(command);
return response.Item || null;
}
async function safePutItem(tableName, item) {
const command = new PutItemCommand({
TableName: tableName,
Item: item
});
const response = await client.send(command);
return response;
}
module.exports = { safeGetItem, safePutItem };
3. Add a Feathersjs hook that validates content-length consistency for JSON payloads before they reach service methods that write to DynamoDB.
// src/hooks/validate-content-length.js
module.exports = function validateContentLength() {
return async context => {
const { method, data, headers } = context;
if (method !== 'find' && method !== 'get' && data != null) {
const contentLength = headers['content-length'];
if (contentLength !== undefined) {
const calculated = Buffer.byteLength(JSON.stringify(data), 'utf8');
if (calculated !== Number(contentLength)) {
throw new Error('Content-Length mismatch');
}
}
}
return context;
};
};
4. Configure your Feathersjs server to reject requests with malformed chunked encoding before they reach business logic. This is typically done at the underlying HTTP server or framework configuration; ensure your adapter enforces strict parsing.
5. Apply these hooks to your Feathersjs service definitions:
// src/services/orders/orders.hooks.js
const validateHeaders = require('./hooks/validate-headers');
const validateContentLength = require('./hooks/validate-content-length');
module.exports = function () {
this.app.service('orders').hooks({
before: {
all: [validateHeaders(), validateContentLength()],
find: [],
get: [],
create: [],
update: [],
patch: [],
remove: []
}
});
};
These steps reduce the risk of request smuggling by ensuring that request boundaries are unambiguous and that DynamoDB operations only proceed after strict validation. middleBrick can verify that your deployment exhibits consistent header handling and does not exhibit signs of smuggling-prone configurations.