HTTP Request Smuggling
cyphersteve writes "Multiple vendors are vulnerable to a new class of attack named 'HTTP Request Smuggling' that revolves around piggybacking an HTTP request inside of another HTTP request, which could let a remote malicious user conduct cache poisoning, cross-site scripting, session hijacking, as well as bypassing web application firewall protection and other attacks. HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices are between the user and the web server. CERT has ranked this attack and the associated vulnerabilities found in multiple products as High Risk. The authors (Amit Klein, Steve Orrin, Ronen Heled, and Chaim Linhart) have published a whitepaper describing this technique in detail."
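The summary says the attack lives in parsing discrepancies between an intermediary and the origin server, i.e. two devices disagreeing on where a request ends. The following is an added example (not code from the story, the whitepaper or any of the vendors named) of the defensive policy a proxy, cache or WAF can apply: refuse any request whose message length is ambiguous instead of guessing. It assumes RFC 7230/9112 semantics for Content-Length and Transfer-Encoding; the sample requests are constructed.

```python
"""Reject HTTP/1.1 requests whose message framing is ambiguous.

Request smuggling works because two devices in the chain disagree about
where one request ends and the next begins. The safest policy for a device
you control is to drop such requests outright rather than pick an
interpretation. Sample requests below are constructed for illustration.
"""
from typing import List, Tuple


def parse_headers(raw: bytes) -> List[Tuple[bytes, bytes]]:
    """Return (name, value) pairs from the header block with names lowercased.
    Only the header block is inspected; the body is never parsed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]          # skip the request line
    pairs = []
    for line in lines:
        name, _, value = line.partition(b":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def framing_problems(raw: bytes) -> List[str]:
    """List every reason this request's length is ambiguous; empty means safe."""
    headers = parse_headers(raw)
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    problems = []
    if len(set(cls)) > 1:
        problems.append("conflicting Content-Length values")
    elif len(cls) > 1:
        problems.append("duplicate Content-Length header")
    if any(not v.isdigit() for v in cls):
        problems.append("non-numeric Content-Length")
    if cls and tes:
        problems.append("both Content-Length and Transfer-Encoding present")
    if tes:
        codings = [c.strip().lower() for c in b",".join(tes).split(b",")]
        if codings[-1] != b"chunked":
            problems.append("Transfer-Encoding does not end with chunked")
    return problems


# Constructed samples: one clean request, one with two Content-Length headers.
CLEAN = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
DOUBLE_CL = (b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 42\r\n\r\nhello")

if __name__ == "__main__":
    for req in (CLEAN, DOUBLE_CL):
        print(framing_problems(req) or "ok")
```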
Actually the whitepaper states that IIS and Apache automatically dump the malformed packet.
Microsoft does write a few good lines of code.
Scenario: Vulnerable web server for popular blogging site, compromised by this or other attack, RSS feed used to broadcast exploit against vulnerable IE 7.0 clients. Predicted at www.threatchaos.com at the beginning of the year.
Does anyone have any idea what the Popular Commercial Cache Appliance is? The PDF doesn't say and we have a few cache appliances at my office (intranet and internet). I'd like to know just how vulnerable we are to this type of thing.
Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
Check back in twelve hours. Whoever feeds the script-kiddies is working on it I'm sure.
Side question: who feeds the script kiddies their "1337 h4x0ring t00ls" anyway? What's in it for them to give weapons to the little bastards? I assume it isn't for the money since I would think that an unknown exploit technique would be immensely valuable in that regard. Is it for the sheer destruction of the thing without the fingerprints?