https://portswigger.net/daily-swig/node-js-was-vulnerable-to-a-novel-http-request-smuggling-technique

The Daily Swig

Node.js was vulnerable to a novel HTTP request smuggling technique

Emma Woollacott, 18 October 2021 at 15:16 UTC

Node.js | Vulnerabilities | Hacking Techniques

Bad line termination and incorrect parsing of chunk extensions exposed one of two HRS flaws

The maintainers of Node.js have patched two HTTP request smuggling (HRS)
vulnerabilities in the JavaScript runtime environment, including one found using what appears to be a new HRS technique.

A server-side technology that allows JavaScript to be executed outside the browser, Node.js is an increasingly popular way of developing and hosting web apps. HTTP request smuggling interferes with how websites process sequences of HTTP requests received from users.

The vulnerabilities were discovered by Mattias Grenfeldt and Asta Olofsson as part of research for a bachelor's thesis in computer science at the KTH Royal Institute of Technology in Sweden. This has since been rewritten as a conference paper and accepted for IEEE EDOC 2021.

"We set out to look for HTTP request smuggling vulnerabilities in six open source web servers and six open source proxies. Node was one of them, but initially we didn't find any issues in it," Grenfeldt tells The Daily Swig.

"Some time later, while working on reporting the other issues found during the project, we just stumbled upon these two issues."

'Classic HRS technique'

The first, CVE-2021-22959, allows HTTP request smuggling due to spaces in headers, with the HTTP parser accepting requests with a space after the header name and before the colon.

"This is a classic HRS technique," says Grenfeldt. "Node interprets ' Content-Length : 5' as 'Content-Length: 5'. If combined with a proxy which ignores such headers, but forwards them unmodified, then HRS is possible. There have been many issues in the past similar to this.

"Interestingly, Regilero has also reported this exact issue to Node earlier, together with a bunch of other issues; they were collectively assigned CVE-2016-2086. All of the issues were fixed, except for the space + colon issue."
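As an added illustration (not Node.js's own parser, nor code from the researchers), the following JavaScript contrasts the three behaviours the quote above describes for a header line with a space before the colon: trimming the name and accepting it, dropping the line while still forwarding the rest, and rejecting the request outright as RFC 7230 requires. The mode names and the sample header block are constructed for the example.

```javascript
// Added example, not Node.js's own parser: how different header parsers treat
// "Content-Length : 5". RFC 7230 s3.2.4 forbids whitespace between the
// field-name and the colon, so a conforming parser must reject the line.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;  // RFC 7230 "token"

// Parse one "name: value" line under one of three (hypothetical) modes:
//   'trim'   -> trim the name and accept (the pre-fix behaviour described)
//   'ignore' -> drop the malformed line but keep going (the proxy described)
//   'strict' -> treat the malformed line as a framing error
function parseHeaderLine(line, mode) {
  const idx = line.indexOf(':');
  if (idx < 0) return null;
  const rawName = line.slice(0, idx);
  const name = mode === 'trim' ? rawName.trim() : rawName;
  if (!TOKEN.test(name)) return null;            // whitespace or empty name
  return { name: name.toLowerCase(), value: line.slice(idx + 1).trim() };
}

// Parse a header block; returns null when strict mode hits a bad line.
function parseHeaders(lines, mode) {
  const out = {};
  for (const line of lines) {
    const h = parseHeaderLine(line, mode);
    if (h === null) {
      if (mode === 'strict') return null;         // reject, do not forward
      continue;                                   // 'ignore': silently drop
    }
    out[h.name] = h.value;
  }
  return out;
}

// Constructed sample header block containing the space-before-colon form.
const SAMPLE = ['Host: example.test', 'Content-Length : 5', 'Transfer-Encoding: chunked'];

// Content-Length each mode would act on: '5', undefined, or null (rejected).
function contentLengthSeen(mode) {
  const h = parseHeaders(SAMPLE, mode);
  return h === null ? null : h['content-length'];
}
```

The disagreement between 'trim' (sees a Content-Length of 5) and 'ignore' (sees none) is the ambiguity the article describes; only 'strict' removes it by refusing the request.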
Novel technique

Meanwhile, CVE-2021-22960 appears to represent a novel HRS technique, in which the combination of bad line termination in one of the proxies investigated and incorrect parsing of chunk extensions in Node allows request smuggling.

Grenfeldt and Olofsson found that the vulnerable proxy looked for a single newline (LF) character to terminate the line containing the chunk size, but did not, as is usual, check whether there was a carriage return before the LF.

"Right before this line termination is the place for the seldom used chunk extensions feature. In chunk extensions you can specify extra parameters, like 'a=b', after the chunk size. However, parsing for this is rarely implemented in systems and many instead just allow any bytes in this region," explains Grenfeldt.

"These two problems combined enable us to construct a chunked body that the proxy interprets one way and Node interprets another way. We also found the same server behaviour in three other servers we investigated, making this the most severe problem we found."

Grenfeldt and Olofsson reported the issues on June 19 and 20, with Node releasing a fix on October 12.
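To make the chunk-size line disagreement concrete, here is an added JavaScript example (not the code of Node.js, of the proxy, or of the researchers) with three readers for the line that precedes each chunk: one that follows the RFC 7230 grammar and requires CRLF, one that stops at the first LF as the proxy described did, and one that accepts any bytes up to CRLF as the pre-fix server did. The reader names and the two sample lines are constructed; the strict reader is slightly stricter than the RFC in that it does not allow backslash escapes inside quoted-string.

```javascript
// Added example, not Node.js's or any proxy's real code: three readers for the
// chunk-size line of a chunked body. RFC 7230 s4.1 defines the line as
//   chunk-size [ chunk-ext ] CRLF, chunk-ext = *( ";" token [ "=" ( token / quoted-string ) ] )
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const QSTR = '"[^"\\r\\n]*"';   // quoted-string without backslash escapes (stricter than RFC)
const CHUNK_LINE = new RegExp(
  '^([0-9A-Fa-f]+)((?:;' + TOKEN + '(?:=(?:' + TOKEN + '|' + QSTR + '))?)*)\\r\\n');

// Strict reader: the whole line must match the grammar and end in CRLF.
// A bare LF or arbitrary bytes in the extension area is a framing error.
function readChunkSizeStrict(buf) {
  const m = CHUNK_LINE.exec(buf);
  if (m === null) throw new Error('invalid chunk-size line');
  return { size: parseInt(m[1], 16), next: m[0].length };
}

// Lenient reader A (the proxy behaviour described): the line ends at the
// first LF, with no check that a CR precedes it.
function readChunkSizeBareLF(buf) {
  const end = buf.indexOf('\n');
  if (end < 0) throw new Error('no line end');
  return { size: parseInt(buf.slice(0, end), 16), next: end + 1 };
}

// Lenient reader B (the pre-fix server behaviour described): any bytes are
// accepted after the size until CRLF.
function readChunkSizeAnyExt(buf) {
  const end = buf.indexOf('\r\n');
  if (end < 0) throw new Error('no line end');
  return { size: parseInt(buf.slice(0, end), 16), next: end + 2 };
}

// Do the two lenient readers agree on where the chunk data starts?
function framingAgrees(buf) {
  return readChunkSizeBareLF(buf).next === readChunkSizeAnyExt(buf).next;
}

// Does the strict reader refuse the line?
function strictRejects(buf) {
  try { readChunkSizeStrict(buf); return false; } catch (e) { return true; }
}

// Constructed samples: a well-formed line, and one with a bare LF inside the
// extension area, which the two lenient readers frame differently.
const WELL_FORMED = '5;ext=val\r\nHELLO\r\n';
const AMBIGUOUS = '5;note\nmore\r\nHELLO\r\n';
```

On the ambiguous sample the two lenient readers place the start of chunk data at different offsets, which is exactly the split interpretation the researchers exploited; the strict reader throws, so a server or proxy built on it closes the connection instead of forwarding a body it cannot frame unambiguously.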