Request Smuggling in Feathersjs

Request smuggling in Feathersjs applications typically occurs through the framework's flexible request handling and middleware system. Feathersjs applications often sit behind reverse proxies or load balancers, creating opportunities for attackers to exploit discrepancies in how different components interpret HTTP requests.

The most common Feathersjs-specific smuggling vector involves the framework's use of Express under the hood combined with its service-based architecture. When a Feathersjs app processes multipart requests for file uploads or handles chunked transfer encoding, inconsistencies between the Feathersjs parser and the proxy can be exploited.

Consider a Feathersjs service handling file uploads:

class UploadService {
  async create(data, params) {
    // Process file upload
    return { id: generateId(), url: data.file.path };
  }
}

An attacker could craft a request like:

POST /api/uploads HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: 138
Transfer-Encoding: chunked

0

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: text/plain

malicious content
------WebKitFormBoundary--
Content-Type: application/json
Content-Length: 25

{ "hijack": "request" }

This exploits the ambiguity between Content-Length and Transfer-Encoding headers. Feathersjs's multer middleware might process the first part while the proxy forwards the second part to another service, causing the second request to be processed as part of the first.

Another Feathersjs-specific scenario involves the framework's hooks system. When hooks modify request bodies or headers, they can inadvertently create smuggling opportunities:

const { authenticate } = require('@feathersjs/authentication');

class AuthService {
  async create(data, params) {
    // Authentication logic that might mishandle malformed requests
    return { token: generateToken(params.user) };
  }
}

Attackers might exploit the authentication flow by sending requests that the Feathersjs authentication middleware handles differently than the underlying Express parser.

Detecting request smuggling in Feathersjs requires understanding both the framework's internals and common attack patterns. middleBrick's black-box scanning approach is particularly effective for Feathersjs applications since it tests the actual runtime behavior without needing access to source code.

When scanning a Feathersjs API endpoint, middleBrick sends a battery of test requests designed to trigger smuggling conditions. For Feathersjs specifically, the scanner looks for:

Multipart Boundary Manipulation: Testing how the Feathersjs multer integration handles malformed multipart boundaries and content disposition headers.

Chunked Transfer Encoding: Sending requests with mixed Content-Length and Transfer-Encoding headers to see if the Feathersjs parser and any reverse proxy interpret them differently.

Header Splitting: Testing for CRLF injection in headers that Feathersjs might not properly sanitize before passing to Express.

Service-Specific Endpoints: middleBrick's scanner automatically detects Feathersjs service endpoints (like /api/messages, /api/users) and crafts smuggling attempts targeting those specific patterns.

Here's how you might use middleBrick to scan a Feathersjs API:

# Using the CLI tool
npx middlebrick scan https://api.example.com/messages

# Checking the report for smuggling-related findings
middlebrick report --url https://api.example.com/messages

The scanner specifically tests for Feathersjs's common patterns:

// What middleBrick tests against
app.use('/api/messages', messagesService);
app.use('/api/uploads', uploadService);
app.use('/api/auth', authService);

middleBrick's LLM security module also checks for prompt injection vulnerabilities in any AI-powered Feathersjs services, which could be an additional attack vector if your Feathersjs app includes LLM functionality.

The scanner's OpenAPI analysis is particularly useful for Feathersjs apps since it can detect inconsistencies between your service definitions and actual runtime behavior, which is crucial for identifying smuggling vulnerabilities that might only manifest under specific conditions.

Remediating request smuggling in Feathersjs applications requires a layered approach that addresses both the framework's specific behaviors and general HTTP parsing inconsistencies.

1. Standardize HTTP Header Processing:

Ensure consistent header parsing across your entire stack by configuring your reverse proxy to normalize requests before they reach Feathersjs:

# nginx.conf
proxy_hide_header Transfer-Encoding;
proxy_hide_header Content-Length;
proxy_set_header Content-Length $content_length;

2. Use Feathersjs's Built-in Security Features:

Feathersjs provides several security mechanisms that help prevent smuggling:

const { HookContext } = require('@feathersjs/feathers');

// Request body size limits
app.use('/api/uploads', uploadService, { 
  bodyParser: { limit: '10mb' } 
// Request validation hook
const validateRequest = context => {
  const { method, path, headers } = context;
  // Validate Content-Type and Content-Length consistency
    throw new Error('Invalid content type');
  }
  return context;
};

app.service('messages').hooks({
  before: { all: [ validateRequest ] }
});

3. Implement Strict Request Validation:

Create Feathersjs hooks that validate request structure before processing:

const strictValidationHook = async context => {
  const { headers, method } = context;
  
  // Check for conflicting headers
  if (headers['transfer-encoding'] && headers['content-length']) {
    throw new Error('Conflicting transfer encoding headers');
  }
  
  // Validate content type for multipart requests
  if (method === 'POST' || method === 'PUT') {
    const validTypes = ['application/json', 'multipart/form-data', 'application/x-www-form-urlencoded'];
 headers['content-type'].includes(type))) {
      throw new Error('Invalid content type');
    }
  }
  
  return context;
};

4. Use HTTPS Everywhere:

Encrypt all traffic to prevent certain types of smuggling attacks that exploit unencrypted connections between components:

// In your Feathersjs app configuration
app.configure(authentication({
  https: true,

5. Regular Security Scanning:

Integrate middleBrick into your Feathersjs development workflow:

# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run middleBrick Scan
        run: |
          npx middlebrick scan ${{ secrets.API_URL }} --threshold B
        continue-on-error: true
      - name: Fail on low score
        if: steps.scan.outputs.score < 80
        run: exit 1

6. Keep Dependencies Updated:

Request smuggling vulnerabilities often exist in underlying dependencies. Regularly update Feathersjs and its dependencies:

npm audit
npm update @feathersjs/feathers @feathersjs/express

By implementing these Feathersjs-specific mitigations and using tools like middleBrick for continuous scanning, you can significantly reduce the risk of request smuggling attacks on your Feathersjs applications.