
HTTP Request Smuggling

IDs: 
CVE-2020-1935, CVE-2019-17569
Keywords: 
HTTP, request smuggling, transfer-encoding
Description: 

HTTP Request Smuggling is an attack technique that abuses discrepancies in how two devices in a request chain parse non-RFC-compliant HTTP requests, in order to smuggle a request to the second device through the first one. Web application firewalls deployed as reverse proxies, like Airlock WAF, are potentially affected by these attack techniques. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users [1].

Examples of such attack techniques include malformed HTTP headers or an illegal combination of Content-Length and Transfer-Encoding headers in a single HTTP request [1]. If the front-end and the back-end disagree about which header frames the message body, the bytes that one of them did not consume are interpreted as the beginning of the next request on the same connection.

Apache Tomcat fixed two issues related to HTTP Request Smuggling (CVE-2020-1935, CVE-2019-17569) [2].

Airlock WAF is not affected and protects potentially vulnerable back-ends, including Airlock IAM.

Details:

Airlock WAF uses separate, encapsulated software stacks for reading and for reconstructing HTTP requests. The protocol between these components is not HTTP (protocol split): the request is parsed once by the reading stack and reconstructed as a fresh HTTP request by the other, so ambiguities in the client's original framing are not passed through to the back-end. This architecture prevents common protocol-level attacks like HTTP request smuggling or HTTP response splitting.
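As an added illustration of the two points above (the Content-Length/Transfer-Encoding ambiguity named in the description, and the parse-once-and-reconstruct idea behind the protocol split), here is a constructed Python example. It is not Airlock or Tomcat code; the two toy parsers, the `normalize()` function and the sample request bytes are assumptions made for illustration only. The first half shows a front-end that frames bodies by Content-Length and a back-end that frames them by chunked encoding splitting the same byte stream into different requests; the second half shows a normalizer that rejects ambiguous framing and re-serializes the request with a single Content-Length, so that no downstream parser can frame it differently.

```python
"""Added example (not Airlock or Tomcat code): two toy HTTP/1.1 parsers that
disagree on where a request ends, and a normalizer that parses a request once
and re-emits it with unambiguous framing.  All request bytes are constructed."""


def parse_head(stream):
    """Split one request head off `stream`; return (request_line, headers, rest).
    Headers keep their original name case as a list of (name, value) pairs."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, rest


def header(headers, name):
    """All values of header `name` (case-insensitive), in order of appearance."""
    return [v for n, v in headers if n.lower() == name.encode()]


def body_by_content_length(headers, rest):
    n = int(header(headers, "content-length")[0])
    return rest[:n], rest[n:]


def body_by_chunked(rest):
    """Decode a chunked body; trailers are not supported in this toy."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")  # empty trailer section
            return body, rest
        body += rest[:size]
        rest = rest[size + 2:]  # skip chunk data and its trailing CRLF


def split_requests(stream, prefer):
    """Split `stream` into (request_line, body) pairs the way a parser would that
    prefers Content-Length ("cl") or Transfer-Encoding ("te") when both are set."""
    out = []
    while stream:
        rl, hdrs, rest = parse_head(stream)
        has_te = b"chunked" in b",".join(header(hdrs, "transfer-encoding")).lower()
        has_cl = bool(header(hdrs, "content-length"))
        if has_te and (prefer == "te" or not has_cl):
            body, stream = body_by_chunked(rest)
        elif has_cl:
            body, stream = body_by_content_length(hdrs, rest)
        else:
            body, stream = b"", rest
        out.append((rl, body))
    return out


def normalize(raw):
    """Parse one request once, reject ambiguous framing, and re-emit it with a
    single Content-Length so every downstream parser frames it the same way.
    Returns (normalized_request, leftover_bytes) or raises ValueError."""
    rl, hdrs, rest = parse_head(raw)
    cl = header(hdrs, "content-length")
    te = header(hdrs, "transfer-encoding")
    if cl and te:
        raise ValueError("Content-Length and Transfer-Encoding both present")
    if te:
        codings = [c.strip().lower() for c in b",".join(te).split(b",")]
        if codings != [b"chunked"]:
            raise ValueError("unsupported Transfer-Encoding %r" % te)
        body, leftover = body_by_chunked(rest)
    elif cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise ValueError("invalid Content-Length %r" % cl)
        body, leftover = body_by_content_length(hdrs, rest)
    else:
        body, leftover = b"", rest
    kept = [(n, v) for n, v in hdrs
            if n.lower() not in (b"content-length", b"transfer-encoding")]
    out = rl + b"\r\n" + b"".join(n + b": " + v + b"\r\n" for n, v in kept)
    out += b"Content-Length: %d\r\n\r\n" % len(body) + body
    return out, leftover


# Constructed CL.TE attack: the body is a valid empty chunked body followed by
# the prefix of a second request; whatever the next client sends on the same
# connection is glued onto the X-Ignore header of that smuggled request.
SMUGGLED = b"0\r\n\r\nGET /admin HTTP/1.1\r\nX-Ignore: "
ATTACK = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          + b"Content-Length: %d\r\n" % len(SMUGGLED)
          + b"Transfer-Encoding: chunked\r\n\r\n" + SMUGGLED)
VICTIM = b"GET /home HTTP/1.1\r\nHost: example.test\r\n\r\n"
CLEAN = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")


def demo():
    """Front-end framing by Content-Length vs. back-end framing by chunked."""
    front = [rl for rl, _ in split_requests(ATTACK + VICTIM, "cl")]
    back = [rl for rl, _ in split_requests(ATTACK + VICTIM, "te")]
    try:
        normalize(ATTACK)
        rejected = False
    except ValueError:
        rejected = True
    return {"front_end": front, "back_end": back, "attack_rejected": rejected,
            "clean_normalized": normalize(CLEAN)[0]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the front-end seeing `POST /` followed by `GET /home`, while the back-end sees `POST /` followed by `GET /admin`, with the victim's request line swallowed into the `X-Ignore` header. `normalize()` refuses the attack request outright and turns the clean chunked request into one with `Content-Length: 5`; anything rebuilt this way can only be framed one way by whatever parses it next, which is the property the protocol split provides.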

Resolution: 

No action required.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock