June 6, 2023

An open source interactive HTTPS proxy service MitmProxy, has patched a serious bug that potentially allowed attackers to stage HTTP request smuggling attacks against backend servers.

HTTP request smuggling attacks exploit the inconsistencies between the way intermediary and backend servers process requests to bypass security controls, gain unauthorized access to sensitive data, or compromise other application users.

Advertisements

An attacker could smuggle a request/response through mitmproxy as part of another request/response’s HTTP message body.

In the case of mitmproxy, an issue with the parsing of whitespace in header names resulted in mitmproxy and a downstream server possibly having different interpretations of HTTP headers.

Alternatively, you can make the proxy reject potentially malformed messages, but that would have the drawback of imposing compatibility problems with clients in the wild, but not a buffer overflow kind of issue.

The bug only works against HTTP/1 services behind mitmproxy, which currently accounts for a very small number of web servers. HTTP/2, the more commonly used protocol, does not rely on the use of Content-Length and Transfer-Encoding headers to determine where a request body ends.

Instead, a built-in length field is included in each data frame, and when proxies communicate with backends using HTTP/2, there is little ambiguity on the length of each message. Therefore, this particular request smuggling bug would be ineffective against HTTP/2 services.

HTTP/1 services that follow the RFC7230 specification and reject headers with whitespace would also be immune against the request smuggling bug found in mitmproxy. The security bug would also be useless to attackers if the target web application is not vulnerable in some other way.

Advertisements

Services that support HTTP/2 are not configured to use it between the frontend proxy and the backend servers simply because most clients would not notice the difference.

This means that there are still a lot of web proxy and server configurations that speak HTTP/2 between the client and the proxy but HTTP/1.x between the proxy and the backend, leaving room for HTTP request smuggling attacks to occur. The bug has been patched in version 8.0 of mitmproxy

Leave a Reply

%d bloggers like this: