CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
View on MITREExtended Description
HTTP requests or responses ("messages") can be malformed or unexpected in ways that cause web servers or clients to interpret the messages in different ways than intermediary HTTP agents such as load balancers, reverse proxies, web caching proxies, application firewalls, etc. For example, an adversary may be able to add duplicate or different header fields that a client or server might interpret as one set of messages, whereas the intermediary might interpret the same sequence of bytes as a different set of messages. For example, discrepancies can arise in how to handle duplicate headers like two Transfer-encoding (TE) or two Content-length (CL), or the malicious HTTP message will have different headers for TE and CL. The inconsistent parsing and interpretation of messages can allow the adversary to "smuggle" a message to the client/server without the intermediary being aware of it. This weakness is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
An attacker could create HTTP messages to exploit a number of weaknesses including 1) the message can trick the web server to associate a URL with another URL's webpage and caching the contents of the webpage (web cache poisoning attack), 2) the message can be structured to bypass the firewall protection mechanisms and gain unauthorized access to a web application, and 3) the message can invoke a script or a page that returns client credentials (similar to a Cross Site Scripting attack).
Mitigation Strategies
Phase
Description
Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Phase
Description
Use only SSL communication.
Phase
Description
Terminate the client session after each request.
Phase
Description
Turn all pages to non-cacheable.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
In the following example, a malformed HTTP request is sent to a website that includes a proxy server and a web server with the intent of poisoning the cache to associate one webpage with another malicious webpage.
When this request is sent to the proxy server, the proxy server parses the first four lines of the POST request and encounters the two "Content-Length" headers. The proxy server ignores the first header, so it assumes the request has a body of length 54 bytes. Therefore, it treats the data in the next three lines that contain exactly 54 bytes as the first request's body:
Observed CVE Examples (6)
SSL/TLS-capable proxy allows HTTP smuggling when used in tandem with HTTP/1.0 services, due to inconsistent interpretation and input sanitization of HTTP messages within the body of another message
View DetailsChain: caching proxy server has improper input validation (CWE-20) of headers, allowing HTTP response smuggling (CWE-444) using an "LF line ending"
View DetailsNode.js platform allows request smuggling via two Transfer-Encoding headers
View DetailsHTTP server allows request smuggling with both a "Transfer-Encoding: chunked" header and a Content-Length header
View DetailsHTTP server allows request smuggling with both a "Transfer-Encoding: chunked" header and a Content-Length header
View DetailsCWE Relationships
Frequently Asked Questions
What is CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')?+
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. HTTP requests or responses ("messages") can be malformed or unexpected in ways that cause web servers or clients to interpret the messages in different ways than intermediary HTTP agents such as load balancers, reverse proxies, web caching proxies, application firewalls, etc. For example, an adversary may be able to add duplicate or different header fields that a client or server might interpret as one set of messages, whereas the intermediary might interpret the same sequence of bytes as a different set of messages. For example, discrepancies can arise in how to handle duplicate headers like two Transfer-encoding (TE) or two Content-length (CL), or the malicious HTTP message will have different headers for TE and CL. The inconsistent parsing and interpretation of messages can allow the adversary to "smuggle" a message to the client/server without the intermediary being aware of it. This weakness is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.
What are the security consequences of Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')?+
If exploited, CWE-444 (Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')) it can compromise Integrity, Non-Repudiation and Access Control, leading to outcomes such as Unexpected State, Hide Activities and Bypass Protection Mechanism.
How do you prevent or mitigate Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')?+
Recommended mitigations for CWE-444 include: Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433]. Use only SSL communication. Terminate the client session after each request.
Which programming languages are affected by Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')?+
CWE-444 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')?+
MITRE documents real CVEs mapped to CWE-444, including CVE-2022-24766, CVE-2021-37147, CVE-2020-8287, CVE-2006-6276 and CVE-2005-2088. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-444 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.