HIGH request smuggling

Request Smuggling Attack

How Request Smuggling Works

Request smuggling is a protocol-level attack that exploits inconsistencies in how HTTP servers and proxies interpret request boundaries. The attack manipulates the Content-Length and Transfer-Encoding headers to trick intermediaries into processing requests differently than the backend server, allowing attackers to hide malicious payloads or poison request pipelines.

The core vulnerability arises when a front-end proxy and back-end server disagree on where one HTTP request ends and another begins. An attacker crafts a request with conflicting length indicators:

POST /api/resource HTTP/1.1
Host: example.com
Content-Length: 25
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: example.com
Foo: x

The front-end sees Content-Length: 25 and stops reading after the first chunk, but the back-end sees Transfer-Encoding: chunked and continues reading until it encounters the terminating "0". This creates a situation where the second GET request gets smuggled into the pipeline.

Attackers can exploit this in several ways: smuggling malicious requests to bypass authentication, chaining requests to access unauthorized resources, or causing denial of service by consuming backend connections. The technique works against any HTTP-based API, including REST endpoints, GraphQL APIs, and WebSocket handshakes.

Request Smuggling Against APIs

API endpoints are particularly vulnerable to request smuggling because they often sit behind multiple layers of proxies, load balancers, and API gateways. Each layer might implement HTTP parsing slightly differently, creating the inconsistencies attackers need.

Consider a typical API architecture: client requests flow through a CDN, then an API gateway, then a load balancer, before reaching the application server. If the CDN uses Content-Length while the API gateway expects Transfer-Encoding, an attacker can craft requests that appear legitimate to some components but malicious to others.

Common API smuggling scenarios include:

Authentication bypass: Smuggle a request to an admin endpoint immediately after a legitimate API call, hoping the backend maintains the same authentication context
Parameter pollution: Inject additional parameters into the smuggled portion that override legitimate values
Response splitting: Cause the backend to generate responses that break the HTTP framing, potentially exposing sensitive data
Resource exhaustion: Keep backend connections open by sending incomplete requests, leading to DoS

GraphQL APIs face unique smuggling risks because they often accept POST requests with complex JSON bodies. An attacker might smuggle GraphQL queries that extract data across different user contexts or cause the server to process unexpected operations.

RESTful APIs with file uploads are also at risk. Multipart form data parsing inconsistencies between proxies can allow attackers to smuggle file content that gets processed as separate API requests.

Detection & Prevention

Detecting request smuggling requires systematic testing of your API infrastructure. Start by scanning your endpoints with tools that specifically test for HTTP parsing inconsistencies. Tools like middleBrick can automatically identify endpoints vulnerable to smuggling by sending crafted requests with conflicting headers and analyzing the responses.

middleBrick's API security scanner tests for smuggling vulnerabilities by:

Sending requests with conflicting Content-Length and Transfer-Encoding headers
Testing chunked encoding edge cases and malformed length indicators
Analyzing response patterns to detect when requests were processed incorrectly
Checking if authentication contexts persist across smuggled requests

Prevention strategies focus on eliminating parsing inconsistencies across your infrastructure:

Standardize HTTP parsing: Ensure all components (proxies, gateways, backends) use the same HTTP parsing library or configuration
Disable Transfer-Encoding: Many APIs don't need chunked encoding; disable it at the proxy level if unnecessary
Validate request boundaries: Implement strict request size limits and reject requests that don't conform to expected patterns
Use HTTP/2 or HTTP/3: These protocols have more rigorous framing that reduces smuggling opportunities
Implement request sanitization: Strip or normalize conflicting headers before forwarding requests

Additional defensive measures include:

Rate limiting to reduce the impact of potential smuggling attacks
Request logging and monitoring for unusual patterns
Regular security scanning of your API surface
Keeping all HTTP processing components updated

For GraphQL APIs specifically, validate query complexity and implement depth limiting to reduce the impact if smuggling succeeds. For file upload endpoints, scan uploaded content for malicious payloads and validate file boundaries strictly.

Frequently Asked Questions

How can I test my API for request smuggling vulnerabilities?

Use automated security scanning tools that specifically test HTTP parsing inconsistencies. middleBrick's API security scanner includes request smuggling detection as part of its 12 security checks, testing your endpoints with crafted requests that have conflicting Content-Length and Transfer-Encoding headers. The scanner analyzes responses to identify vulnerabilities and provides remediation guidance. You can also perform manual testing by sending requests with manipulated headers to observe how your infrastructure handles them.

Does HTTPS protect against request smuggling?

No, HTTPS does not protect against request smuggling. The attack occurs at the HTTP protocol level after TLS termination, typically at your load balancer, API gateway, or application server. While HTTPS encrypts the transport, it doesn't prevent parsing inconsistencies between HTTP components. Request smuggling can occur in fully encrypted API communications as long as there are multiple HTTP processing layers with different parsing implementations.