HTTP request smuggling

Hans Middelhoek hans at middelhoek.nl
Wed Jun 30 20:49:53 UTC 2021


Hi Maxim,

On 30-6-2021 at 21:17, Maxim Dounin wrote:
> Hello!
>
> On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote:
>
>> Thanks! That makes sense to me. I like to understand things a little
>> better and hope you can help with that:
>>
>> 1) Why is the result different when I disable keepalive in Nginx? After
>> disabling keepalive the second request isn't executed anymore.
> Because multiple requests in the same connection only work with
> keepalive.  As long as keepalive is disabled, only the first
> request in the connection is processed.  To make additional
> requests the client has to open additional connections.
Thank you! That should have been obvious.
>> 2) Do you know why Apache responds the same as Nginx with
>> keepalive disabled?
> Because keepalive is disabled on the Apache server you are testing
> against?  As long as keepalive is enabled, the same requests work
> perfectly with Apache and return two responses as they should.
>
Keepalive is enabled in Apache. I enabled more verbose logging to find 
the cause. Apache doesn't allow the first request and gives a 400 error, 
error log:
(22)Invalid argument: [client xx.xx.xx.xx:xxxxx] AH01590: Error reading/parsing chunk

I suppose the connection is closed directly because of the error and 
therefore the second request isn't executed. I changed my test to 
confirm that Apache will handle the 2 requests within the same connection:

POST / HTTP/1.1
Content-Length: 0
Foo: bar
Host: vulnerable-domain.com

GET /admin7 HTTP/1.1
X-Foo: k

That works. It looks like Apache is very picky in the processing of the 
Transfer-Encoding header.

Thank you for your help!

Kind regards,
Hans
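As an added example (my own code, not anything from this thread or from nginx or Apache), here is a strict splitter for a pipelined HTTP/1.1 request stream in Python. It applies the framing rules this exchange turns on: one request after another on a keep-alive connection, body length taken from Content-Length or from chunked Transfer-Encoding, and a hard rejection (the parser-level equivalent of the 400 Hans saw) when chunk framing cannot be parsed or when both framing headers are present. The sample input is the two requests from the message above plus constructed chunked requests; trailer handling is left out, which is an assumption of this example.

```python
import re

def _read_chunked(data):
    # Decode a chunked body -> (body, unread_rest). Trailers are not handled (assumption).
    body = b""
    while True:
        size_line, sep, rest = data.partition(b"\r\n")
        size_str = size_line.split(b";", 1)[0].strip()  # chunk extensions are ignored
        if not sep or not re.fullmatch(rb"[0-9A-Fa-f]+", size_str):
            raise ValueError("bad chunk-size line: %r" % size_line)  # cf. Apache's AH01590
        size = int(size_str, 16)
        chunk, rest = rest[:size], rest[size:]
        if len(chunk) != size or not rest.startswith(b"\r\n"):
            raise ValueError("truncated or badly terminated chunk")
        body, data = body + chunk, rest[2:]
        if size == 0:  # last-chunk seen: body is complete
            return body, data

def split_pipeline(stream):
    """Split a raw HTTP/1.1 request stream into [(request_line, headers, body), ...]."""
    requests = []
    while stream.strip():
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete header block")
        request_line, *header_lines = head.decode().split("\r\n")
        pairs = [line.partition(":") for line in header_lines]
        if any(not colon or not name.strip() for name, colon, _ in pairs):
            raise ValueError("malformed header line")
        headers = {n.strip().lower(): v.strip() for n, _, v in pairs}
        # Exactly one framing header decides the body length; CL alongside TE is refused, not guessed.
        te = headers.get("transfer-encoding", "").lower()
        if te and (te != "chunked" or "content-length" in headers):
            raise ValueError("unsupported or conflicting framing: %s" % te)
        if te:
            body, rest = _read_chunked(rest)
        else:
            length = int(headers.get("content-length", "0"))
            body, rest = rest[:length], rest[length:]
            if len(body) != length:
                raise ValueError("body shorter than Content-Length")
        requests.append((request_line, headers, body))
        stream = rest
    return requests

# Constructed samples: the two pipelined requests from the message above, a valid chunked request, and the same request with a non-hex chunk size.
PIPELINE = (b"POST / HTTP/1.1\r\nContent-Length: 0\r\nFoo: bar\r\nHost: vulnerable-domain.com\r\n\r\n"
            b"GET /admin7 HTTP/1.1\r\nX-Foo: k\r\n\r\n")
CHUNKED = b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
BAD_CHUNK = b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\nzz\r\nhello\r\n0\r\n\r\n"
```

Running `split_pipeline(PIPELINE)` yields both requests, which is what a keep-alive connection is expected to do; `BAD_CHUNK` raises instead of letting a second request be read out of a body the parser could not frame.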


