HTTP Desynchronization (Desync) Attack

Explore Pynt's documentation on HTTP desynchronization security tests! Understand how Pynt identifies and mitigates desync vulnerabilities to ensure robust protection for your APIs.

At a Glance: 🔄 HTTP De-synchronization (Desync) Attack

A de-synchronization vulnerability occurs when servers or components in an API ecosystem interpret HTTP requests inconsistently, especially regarding headers like Content-Length and Transfer-Encoding. This mismatch allows attackers to "smuggle" malicious requests through the front-end server to the back-end server without detection. These attacks can lead to unauthorized actions, data leakage, or even denial of service. To mitigate these risks, ensure strict validation and uniform interpretation of HTTP headers across all components.


Introduction

HTTP de-synchronization (commonly known as HTTP request smuggling) is a security vulnerability that exploits inconsistencies in how HTTP requests are parsed by front-end and back-end servers. When a server interprets the boundaries of HTTP requests differently, attackers can inject a malicious payload that is processed by one server but hidden from another.

This vulnerability can lead to various outcomes, such as bypassing security controls, extracting sensitive data, or disrupting the application's normal behavior. It typically arises in API gateways, proxies, or load balancers that handle HTTP traffic between components.

What are the common mistakes made by developers?

  1. Inconsistent Parsing of HTTP Headers: Failing to enforce uniform interpretation of HTTP headers like Content-Length and Transfer-Encoding between front-end and back-end servers.

  2. Allowing Ambiguous Headers: Accepting ambiguous or conflicting headers, such as requests containing both Content-Length and Transfer-Encoding, without resolving conflicts.

  3. Neglecting Request Queue Validation: Overlooking how request queues are processed by intermediary components, enabling attackers to smuggle additional requests.

  4. Trusting User-Supplied Input: Allowing unvalidated input in headers or payloads increases the risk of maliciously crafted requests.

How can I fix HTTP desynchronization issues?

Header Validation

  • Reject requests with ambiguous or conflicting headers (e.g., both Content-Length and Transfer-Encoding headers).

  • Enforce strict validation of HTTP headers to ensure compliance with RFC standards.

Uniform Parsing Rules

  • Ensure consistent interpretation of headers and request boundaries across all API components, including proxies, gateways, and back-end servers.

Disable Chunked Encoding (if unnecessary)

  • If your application does not require Transfer-Encoding: chunked, disable it to minimize parsing complexity.
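The three mitigations above come down to one rule: a front-end component should refuse any request whose body boundary can be read in more than one way, instead of forwarding it to a back-end that might pick the other reading. The following is an added example, not Pynt's code, showing a strict RFC 7230 section 3.3.3 framing check in Python that a gateway or proxy could apply before forwarding. The sample requests, the `api.example.test` host and the `allow_chunked` switch (the "disable chunked encoding" option) are constructed for the example.

```python
import re

CRLF = b"\r\n"
# RFC 7230 "token" characters permitted in a header field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class AmbiguousRequest(ValueError):
    """The request's body boundary cannot be determined in exactly one way."""


def parse_head(raw: bytes):
    """Split the head of a raw request into (request line, [(name, value), ...]).

    Names are lower-cased for lookup. Whitespace inside a field name and
    obsolete line folding are refused: they are exactly the details on which
    two parsers tend to disagree.
    """
    head, sep, _body = raw.partition(CRLF + CRLF)
    if not sep:
        raise AmbiguousRequest("no end-of-headers marker (CRLF CRLF) found")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise AmbiguousRequest("obsolete line folding is not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            raise AmbiguousRequest(f"malformed header field: {line!r}")
        headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    return lines[0].decode("ascii"), headers


def framing(headers, allow_chunked=True):
    """Decide how the body is delimited, or raise if there is more than one answer.

    Returns ("chunked", None), ("content-length", n) or ("none", 0).
    """
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]

    if te and cl:
        # RFC 7230 says Transfer-Encoding overrides Content-Length, but a
        # component applying the opposite precedence desynchronizes; refuse.
        raise AmbiguousRequest("both Content-Length and Transfer-Encoding present")
    if te:
        if not allow_chunked:
            raise AmbiguousRequest("chunked transfer coding is disabled on this endpoint")
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:
            # Only the single coding "chunked" is recognised; any other coding
            # list is refused rather than guessed at.
            raise AmbiguousRequest(f"unsupported Transfer-Encoding: {te!r}")
        return ("chunked", None)
    if cl:
        # Several Content-Length fields are tolerated only if they all agree.
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise AmbiguousRequest(f"invalid or conflicting Content-Length: {cl!r}")
        return ("content-length", int(cl[0]))
    return ("none", 0)


def check(raw: bytes, allow_chunked=True):
    """Wrapper returning ('accepted', kind, length) or ('rejected', reason)."""
    try:
        _line, headers = parse_head(raw)
        kind, length = framing(headers, allow_chunked)
        return ("accepted", kind, length)
    except AmbiguousRequest as exc:
        return ("rejected", str(exc))


# Constructed sample requests; every body is the 8-byte document {"id":1}.
PLAIN_CL = (b"POST /api/items HTTP/1.1\r\nHost: api.example.test\r\n"
            b"Content-Length: 8\r\n\r\n{\"id\":1}")
PLAIN_TE = (b"POST /api/items HTTP/1.1\r\nHost: api.example.test\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n8\r\n{\"id\":1}\r\n0\r\n\r\n")
CL_AND_TE = (b"POST /api/items HTTP/1.1\r\nHost: api.example.test\r\n"
             b"Content-Length: 8\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"8\r\n{\"id\":1}\r\n0\r\n\r\n")
TWO_CL = (b"POST /api/items HTTP/1.1\r\nHost: api.example.test\r\n"
          b"Content-Length: 8\r\nContent-Length: 9\r\n\r\n{\"id\":1}")

if __name__ == "__main__":
    for label, raw in [("plain CL", PLAIN_CL), ("plain TE", PLAIN_TE),
                       ("CL + TE", CL_AND_TE), ("two CL", TWO_CL)]:
        print(f"{label:9s} -> {check(raw)}")
    print("plain TE, chunked disabled ->", check(PLAIN_TE, allow_chunked=False))
```

The same `framing` function should be used, or at least the same rules enforced, by every hop that parses the request (gateway, load balancer, back-end), which is what the "uniform parsing rules" item asks for; a rejection here should also be logged, since a request carrying both headers is a useful detection signal.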

Test cases in this category

This test case queries an excessive number of elements:

Test case                  | OWASP | CWE
[MC001] HTTP Desync Attack |       |
