Load balancers play a crucial role in modern web architectures. In addition to routing traffic, they perform TLS termination, server health checking and other management functions that make websites scalable and secure.
However, the same technology that improves operational efficiency comes with a potential security issue: HTTP request smuggling attacks. It is critical that IT leaders understand how these attacks work and arm themselves with the following steps to protect web environments from HTTP request smuggling.
What is HTTP request smuggling?
Modern load balancers are sophisticated devices that use a variety of optimizations to squeeze the maximum amount of efficiency out of a web architecture. One of them is connection reuse: opening a fresh TCP (and often TLS) connection to a back-end server for every request, hundreds or thousands of times per second, is expensive. Instead, the load balancer keeps a pool of persistent connections to each back end and sends many different clients' requests, one after another, over the same connection.
Problems arise when the load balancer and the back-end server disagree about where one request ends and the next begins. HTTP/1.1 offers two ways to state the length of a message body, the Content-Length header and Transfer-Encoding: chunked, and the variations of this attack (usually labelled CL.TE, TE.CL and TE.TE after which header each side honours) all send a request that carries both, or an obfuscated form of one of them, so that the front end frames the body one way and the back end another. The bytes the load balancer treats as the tail of the attacker's body are, to the back end, the start of a new request. The back end processes that request as though the load balancer had forwarded it, bypassing any front-end access controls, and because the leftover bytes sit on the shared connection they can also be prepended to the next legitimate user's request, hijacking it.
How to mitigate an HTTP request smuggling vulnerability
HTTP request smuggling attacks are insidious because they exploit small differences in how servers parse the protocol rather than any single bug. Fortunately, there are some key steps IT leaders can take to protect web environments from these attacks:
- Understand how infrastructure components interpret HTTP headers. Running the same HTTP implementation on both the load balancer and the back-end servers prevents inconsistencies, but that is not always possible, as load balancers are often hardware appliances fronting back-end servers that run on entirely different platforms. Without consistent software in both locations, it is important to at least understand how each component handles malformed or conflicting length headers and to confirm that they frame requests identically. The most valuable check is at the front end: a request that carries both Content-Length and Transfer-Encoding, a Transfer-Encoding value other than chunked, or a non-numeric Content-Length should be rejected with a 400 response rather than normalized and forwarded, so the back end is never asked to interpret an ambiguous message.
- Disable optimizations that allow request smuggling. If IT is not able to resolve the back-end configuration issues, it may be best to disable back-end connection reuse entirely, so each client request travels over its own connection to the back end. A smuggled prefix then has no following request to attach to and is discarded when the connection closes. This diminishes the efficiency of the web environment, but it also protects against this dangerous attack.
- Deploy a web application firewall (WAF). Many WAFs include technology that detects and blocks or sanitizes HTTP traffic, including request smuggling attempts. Organizations that are already using a WAF should check with the vendor to determine what level of protection is in place. In addition, it is important to confirm whether any tweaks to the WAF configuration are needed, and to remember that the WAF is itself one more HTTP parser in the chain: it must reject ambiguous requests outright, because a WAF that parses a request one way and forwards it to a back end that parses it another way simply becomes the front end of a new desync.
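The following is an added example, not code from the original article, that ties the explanation of the attack above to the first mitigation in the list. Two toy HTTP/1.1 parsers read the same byte stream off one reused connection: the "front end" honours Content-Length and the "back end" honours Transfer-Encoding: chunked, reproducing a CL.TE desync in which the back end sees an admin request the front end never saw and the next user's request is swallowed into it. A `framing_violation` check then shows the rejection a hardened front end or WAF would apply before forwarding anything. The hostname `vulnerable.example`, the `/admin` path and the traffic itself are constructed for the demonstration.

```python
"""CL.TE request-smuggling simulation plus the front-end framing check.

Added example; the traffic, host name and paths below are constructed and
do not refer to any real system.
"""
from typing import Dict, List, Optional, Tuple

HOST = b"vulnerable.example"  # constructed placeholder host


def build_attacker_request(smuggled_prefix: bytes) -> bytes:
    """Classic CL.TE request: Content-Length covers the whole body, including
    the chunked terminator and the smuggled prefix, so a front end trusting
    Content-Length forwards all of it, while a back end trusting
    Transfer-Encoding stops at the "0" chunk and leaves the prefix waiting."""
    body = b"0\r\n\r\n" + smuggled_prefix
    return b"".join([
        b"POST / HTTP/1.1\r\n",
        b"Host: " + HOST + b"\r\n",
        b"Content-Length: %d\r\n" % len(body),
        b"Transfer-Encoding: chunked\r\n",
        b"\r\n",
        body,
    ])


# A legitimate user's request that follows on the same reused connection.
VICTIM_REQUEST = b"".join([
    b"GET /index.html HTTP/1.1\r\n",
    b"Host: " + HOST + b"\r\n",
    b"\r\n",
])


def parse_headers(head: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a request head into its request line and a lower-cased header map."""
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def read_chunked(stream: bytes, pos: int) -> Tuple[bytes, int]:
    """Consume a chunked body starting at pos; return (body, next position)."""
    body = b""
    while True:
        line_end = stream.find(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0].decode("ascii"), 16)
        pos = line_end + 2
        if size == 0:
            return body, pos + 2   # skip the CRLF that ends the (empty) trailers
        body += stream[pos:pos + size]
        pos += size + 2            # skip chunk data and its trailing CRLF


def parse_stream(stream: bytes, trust: str) -> List[Tuple[str, Dict[str, str], bytes]]:
    """Split one connection's byte stream into (request line, headers, body).

    trust is "content-length" (our front end) or "transfer-encoding" (our
    back end) and decides which header wins when a request carries both.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("incomplete request head")
        request_line, headers = parse_headers(stream[pos:end])
        pos = end + 4
        chunked = headers.get("transfer-encoding", "").lower() == "chunked"
        has_cl = "content-length" in headers
        if chunked and (trust == "transfer-encoding" or not has_cl):
            body, pos = read_chunked(stream, pos)
        elif has_cl:
            n = int(headers["content-length"])
            body, pos = stream[pos:pos + n], pos + n
        else:
            body = b""
        requests.append((request_line, headers, body))
    return requests


def framing_violation(headers: Dict[str, str]) -> Optional[str]:
    """Return why a request's body framing is ambiguous, or None if it is clean.

    This is the check a hardened front end applies before reusing a back-end
    connection: HTTP/1.1 says Transfer-Encoding overrides Content-Length and
    that a message carrying both may be treated as an error."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None and cl is not None:
        return "both Content-Length and Transfer-Encoding present"
    if te is not None and te.lower() != "chunked":
        return "unrecognised or obfuscated Transfer-Encoding: " + te
    if cl is not None and not cl.isdigit():
        return "non-numeric Content-Length: " + cl
    return None


def demo() -> Tuple[list, list]:
    """Parse the same connection as the front end and as the back end would."""
    prefix = b"GET /admin HTTP/1.1\r\nHost: " + HOST + b"\r\nX-Ignore: "
    stream = build_attacker_request(prefix) + VICTIM_REQUEST
    return parse_stream(stream, "content-length"), parse_stream(stream, "transfer-encoding")


if __name__ == "__main__":
    front, back = demo()
    print("front end saw:", [r[0] for r in front])
    print("back end saw: ", [r[0] for r in back])
    print("victim request absorbed as X-Ignore:", back[1][1].get("x-ignore"))
    print("front-end verdict:", framing_violation(parse_headers(build_attacker_request(b"")[:-5])[1]))
```

The front end sees the attacker's POST followed by the victim's GET /index.html; the back end sees the same POST with an empty body, then a GET /admin whose X-Ignore header has swallowed the victim's request line. `framing_violation` returns a reason for the attacker's request and None for the victim's, which is the decision point at which the front end should answer 400 and close the connection instead of forwarding. Transfer-Encoding obfuscations that real parsers accept (odd casing, trailing spaces, duplicate headers) are exactly why the check rejects any value other than a literal `chunked` rather than trying to normalize it.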
HTTP request smuggling is a dangerous attack that can result in the execution of unauthorized HTTP requests and the hijacking of other users' requests. By applying the countermeasures above, ideally in combination rather than relying on any one of them, organizations are far better protected from these attacks.
This was last published in July 2020