CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)) — Vulnerability Class 165

165 vulnerabilities classified as CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)). AI Chinese analysis included.

CWE-444 represents a critical architectural weakness where an intermediary HTTP agent, such as a proxy or firewall, fails to interpret malformed requests consistently with the ultimate destination server. This discrepancy allows attackers to exploit the ambiguity by crafting specially designed HTTP messages that are parsed differently by the front-end and back-end systems. Consequently, an attacker can smuggle malicious requests past security controls, potentially bypassing access restrictions, injecting unauthorized commands, or performing cache poisoning attacks. To mitigate this vulnerability, developers must ensure strict alignment in HTTP parsing logic across all network components. This involves configuring proxies and servers to use identical parsing standards, validating request boundaries rigorously, and employing modern frameworks that explicitly handle ambiguous headers. Regular security testing and automated fuzzing further help identify inconsistencies before deployment, ensuring that all entities in the data flow interpret messages uniformly.

MITRE CWE Description
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. HTTP requests or responses ("messages") can be malformed or unexpected in ways that cause web servers or clients to interpret the messages in different ways than intermediary HTTP agents such as load balancers, reverse proxies, web caching proxies, application firewalls, etc. For example, an adversary may be able to add duplicate or different header fields that a client or server might interpret as one set of messages, whereas the intermediary might interpret the same sequence of bytes as a different set of messages. For example, discrepancies can arise in how to handle duplicate headers like two Transfer-encoding (TE) or two Content-length (CL), or the malicious HTTP message will have different headers for TE and CL. The inconsistent parsing and interpretation of messages can allow the adversary to "smuggle" a message to the client/server without the intermediary being aware of it. This weakness is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.
Common Consequences (1)
Scope: Integrity, Non-Repudiation, Access Control. Impact: Unexpected State, Hide Activities, Bypass Protection Mechanism.
An attacker could create HTTP messages to exploit a number of weaknesses including 1) the message can trick the web server to associate a URL with another URL's webpage and caching the contents of the webpage (web cache poisoning attack), 2) the message can be structured to bypass the firewall prote…
Mitigations (4)
Implementation: Use a web server that employs a strict HTTP parsing procedure, such as Apache [REF-433].
Implementation: Use only SSL communication.
Implementation: Terminate the client session after each request.
System Configuration: Turn all pages to non-cacheable.
Examples (2)
In the following example, a malformed HTTP request is sent to a website that includes a proxy server and a web server with the intent of poisoning the cache to associate one webpage with another malicious webpage.
Attack:
POST http://www.website.com/foobar.html HTTP/1.1
Host: www.website.com
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Content-Length: 54

GET /poison.html HTTP/1.1
Host: www.website.com
Bla:
GET http://www.website.com/page_to_poison.html HTTP/1.1
Host: www.website.com
Connection: Keep-Alive

Result:
GET /poison.html HTTP/1.1
Host: www.website.com
Bla:
In the following example, a malformed HTTP request is sent to a website that includes a web server with a firewall with the intent of bypassing the web server firewall to smuggle malicious code into the system.
Attack:
POST /page.asp HTTP/1.1
Host: www.website.com
Connection: Keep-Alive
Content-Length: 49223

zzz...zzz ["z" x 49152]
POST /page.asp HTTP/1.0
Connection: Keep-Alive
Content-Length: 30

POST /page.asp HTTP/1.0
Bla:
POST /page.asp?cmd.exe HTTP/1.0
Connection: Keep-Alive
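
The duplicate Content-Length and mixed TE/CL cases described above are the ambiguities a strict parser refuses instead of resolving. The following is an added example, not MITRE's or this site's code: a Python framing check an intermediary could apply before forwarding a request. The function name `framing_errors` and the sample requests are assumptions constructed for illustration; the first sample is based on the page's first example request.

```python
# Added example: strict message-framing check for an HTTP/1.1 intermediary.
# framing_errors and the sample requests are hypothetical names and constructed data.

def framing_errors(raw: bytes) -> list[str]:
    """Return the reasons a request head is ambiguous (empty list = forward it)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["header section is not terminated by CRLF CRLF"]
    errors, lengths, codings = [], [], []
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        if line[:1] in (b" ", b"\t"):
            errors.append("obsolete line folding in header section")
            continue
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip() or b"\n" in line or b"\r" in line:
            errors.append("malformed header line or whitespace before colon")
            continue
        key = name.lower()
        if key == b"content-length":
            lengths += [v.strip() for v in value.split(b",")]
        elif key == b"transfer-encoding":
            codings += [v.strip().lower() for v in value.split(b",")]
    if any(not v.isdigit() for v in lengths):
        errors.append("Content-Length is not a plain decimal number")
    if len(set(lengths)) > 1:                        # e.g. "0" and "54"
        errors.append("conflicting Content-Length values")
    if lengths and codings:
        errors.append("both Content-Length and Transfer-Encoding present")
    if codings and codings[-1] != b"chunked":
        errors.append("Transfer-Encoding does not end in chunked")
    return errors

# Constructed sample input, based on the first example request on this page.
SMUGGLE = (b"POST http://www.website.com/foobar.html HTTP/1.1\r\n"
           b"Host: www.website.com\r\n"
           b"Content-Length: 0\r\n"
           b"Content-Length: 54\r\n\r\n"
           b"GET /poison.html HTTP/1.1\r\nHost: www.website.com\r\nBla:")
CLEAN = b"POST /form HTTP/1.1\r\nHost: www.website.com\r\nContent-Length: 3\r\n\r\na=1"
TE_CL = (b"POST /form HTTP/1.1\r\nHost: www.website.com\r\nContent-Length: 3\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("duplicate CL", SMUGGLE), ("CL only", CLEAN), ("CL + TE", TE_CL)):
        print(label, "->", framing_errors(req) or "accepted")
```

Rejecting with a 400 and closing the connection on any non-empty result keeps the front end from picking one interpretation while the back end picks another.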

Vulnerabilities classified as CWE-444 (Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)) represent 165 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.