"Free Tool Scans Web Servers for Vulnerability to HTTP Header-Smuggling Attacks"
Daniel Thatcher, a researcher and penetration tester at Intruder, has developed a technique for testing and identifying how HTTP/HTTPS headers could be used by malicious threat actors to sneak code into back-end servers. Thatcher will share his findings on HTTP header-smuggling at Black Hat Europe in London and will release a free tool for testing web servers for bugs that attackers could use to carry out HTTP header-smuggling attacks.

HTTP/HTTPS headers contain cookies, the IP address, and more. Header-smuggling is a method of sneaking malicious or phony information within the HTTP header through the front-end server to the back-end server. According to Thatcher, attackers can also use header-smuggling to exploit other weaknesses in web applications. He will demonstrate how header-smuggling was used to evade IP-address restrictions in the AWS API Gateway, which resulted in a cache-poisoning exploit. Although he has not yet shared any details on his AWS research, he says a "specific issue" in the AWS gateway was used. His research found that HTTP header-smuggling makes cache-poisoning easier to carry out, potentially allowing an attacker to overwrite any cached pages with their own content.

Thatcher's methodology leverages the errors returned by HTTP servers when an invalid value is provided in the Content-Length header. This article continues to discuss the concept of HTTP header-smuggling, the tool developed to scan web servers for vulnerabilities to such attacks, and who should be responsible for fixing or preventing this type of HTTP/HTTPS abuse.