PortsWigger cybersecurity specialist James Kettle revealed the details of a new attack on sites using front-end backend, such as content delivery networks, balancers, or proxies.
The attack allows onvasion of certain requests into the contents of other requests processed in the same stream between the frontend and backend.The proposed method has been successfully used to organize an attack that allows intercepting authentication parameters of PayPal service users. This company paid researchers about $ 40 thousand as part of a program to report the presence of uncorrected vulnerabilities.
The attack is also applicable for sites using the Akamai content delivery network.
Read also: DNS attacks endanger millions of IoT devices
The essence of the problem is that frontends and backends often provide different levels of support for the HTTP protocol, but at the same time encapsulate requests from different users in a common channel.
To connect the front-end receiving requests and the back-end processing requests, established long-lived TCP connection through which user requests are transmitted, transmitted one after the other in a chain, separated by the HTTP protocol. To separate requests, the headers “Content-Length” (defines the total size of the data in the request) and “Transfer-Encoding: chunked” (allows transfering data in parts, indicating blocks of different sizes).
“The problem arises if the front-end only supports “Content-Length” but ignores “Transfer-Encoding: chunked ” (for example, Akamai’s CDN did) or vice versa. In the case of Transfer-Encoding: chunked support on both sides, attack features of the implementation of HTTP header parsers can be used”, – said James Kettle.
In this case, the attacker can send a request that simultaneously indicates the headers “Content-Length” and “Transfer-Encoding: chunked”, but the size in “Content-Length” does not correspond to the size of the chunked chain, which is less than the actual value.
If the frontend processes and redirects the request in accordance with the “Content-Length”, and the backend waits for the completion of the block based on “Transfer-Encoding: chunked”, then the end of the data based on “Transfer-Encoding: chunked” will be determined earlier. The remaining tail of the request will be at the beginning of the next request, i.e. the attacker will be able to attach arbitrary data to the beginning of someone else’s request transmitted next.
To determine the problem in the used front-end back-end bundle, you can send a request of the form through the front-end:
POST /about HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 4
1
Z
Q
The problem is present if the backend does not immediately process the request and waits for the final zero bounding block of chunked data to arrive.
The attack is also applicable for organizing poisoning of content caching systems and retrieving cached confidential data.
The pinnacle of the method was the organization of an attack on PayPal, which allows you to intercept passwords sent by users during authentication (the iframe request was changed to execute JavaScript in the context of the paypal.com/us/gifts page, for which CSP (Content Security Policy) was not applied).
As usual, security accompanies simplicity. If your website is free of load balancers, CDNs and reverse proxies, this technique is not a threat. The more layers you introduce, the more likely you are to be vulnerable.
Specific instances of this vulnerability can be resolved by reconfiguring the front-end server to normalize ambiguous requests before routing them onward. This is probably the only realistic solution for CDNs who don’t want to make their customers vulnerable.
