Rakesh Vekariya

Reputation: 574

Difference between HTTP Splitting and HTTP Smuggling?

What is the major difference between HTTP Splitting and HTTP Smuggling?

What are the major similarities between HTTP Splitting and HTTP Smuggling?

Upvotes: 6

Views: 2593

Answers (2)

regilero

Reputation: 30496

HTTP splitting is the fact of splitting responses or requests in HTTP (most often responses). You have several ways of doing that. Some applications will forget to forbid end of lines in hostnames used in custom HTTP redirects (30x), for example, or in the past browsers could be tricked into splitting requests when using end of lines in Digest HTTP Authentication usernames.

When you have this sort of issue (application flaws) you can build attacks triggering the final user (like with XSS), making users request a URL, using the splitting to inject content in the first response and having the regular response discarded as an extra response. Which means you can split the request but also inject the response content from a URL; that's a very specific combination, the URL can carry the whole attack.

But splitting can also be done without application flaws, directly using a flaw in the protocol parsing by an HTTP server (like double Content-Length headers). The URL does not carry the attack. Here splitting is a fact (one request or response is split after the attack), but has no direct consequence. That's the tool.

HTTP Smuggling is a more global thing, using HTTP splitting, but not only. Without an application flaw, to perform a complete smuggling attack (leading to cache poisoning or security filter bypass), you also need transmitters, web agents like proxies which carry the splitting attack, and targets (like caches) which are impacted by the splitting.

This post may interest you for details.

Upvotes: 2
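The two cases in the answer above map to two defensive checks, shown here as an added Python example that is not part of the answer or of any server's code: refusing line breaks in a redirect target (the application-level splitting case) and flagging ambiguous body framing such as double Content-Length headers (the parser-level case). The function names and sample requests are hypothetical and constructed for illustration.

```python
import re

# CR, LF and NUL end or corrupt a header line; none may appear in a header value.
_FORBIDDEN = re.compile(r"[\r\n\x00]")

def redirect_location(host: str, path: str = "/") -> str:
    """Build a Location value for a 30x redirect, refusing line breaks."""
    for part in (host, path):
        if _FORBIDDEN.search(part):
            raise ValueError("CR, LF or NUL in redirect target")
    return f"https://{host}{path}"

def framing_issues(head: bytes) -> list[str]:
    """Return reasons why a request head has ambiguous body framing."""
    issues, lengths, has_te = [], [], False
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if not line:
            break                              # blank line: end of headers
        if b"\r" in line or b"\n" in line:
            issues.append("bare CR or LF inside header line")
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            issues.append("malformed header name")  # e.g. space before the colon
            continue
        name = name.lower()
        if name == b"content-length":
            lengths.append(value.strip())
        elif name == b"transfer-encoding":
            has_te = True
    if len(set(lengths)) > 1:
        issues.append("conflicting Content-Length headers")
    if any(not v.isdigit() for v in lengths):
        issues.append("non-numeric Content-Length")
    if lengths and has_te:
        issues.append("both Content-Length and Transfer-Encoding")
    return issues

# Constructed sample requests (not taken from the page).
SAMPLE_OK = b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE_DOUBLE_CL = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
                    b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello")
SAMPLE_CL_TE = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n")
```

A front end that rejects any request for which `framing_issues` returns a non-empty list never forwards a message that two agents could frame differently.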

Rakesh

Reputation: 153

exploiting weaknesses of the web application or peculiarities in the way different agents interpret HTTP messages. This section will analyze two different attacks that target specific HTTP headers:

The first attack exploits a lack of input sanitization which allows an intruder to insert CR and LF characters into the headers of the application response and to 'split' that answer into two different HTTP messages. The goal of the attack can vary from cache poisoning to cross-site scripting.

In the second attack, the attacker exploits the fact that some specially crafted HTTP messages can be parsed and interpreted in different ways depending on the agent that receives them. HTTP smuggling requires some level of knowledge about the different agents that are handling the HTTP messages (web server, proxy, firewall) and therefore will be included only in the Gray Box testing section.

https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)

Upvotes: 0
