Analytics Story: HTTP Request Smuggling
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to HTTP request smuggling, including looking for CL.TE, TE.TE, CL.0 and other desynchronization variants.
Why it matters
HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests received from one or more users. It typically abuses disagreement about where one request ends and the next begins between the components that relay a request, usually a front-end proxy or load balancer and the back-end server. Request smuggling vulnerabilities are often critical in nature: they can allow an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.
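The desync variants named in the description all come down to two parsers disagreeing about request framing. The following Python is an added example, not part of this analytics story or of the Splunk detections it groups: it inspects a raw HTTP/1.1 request the way a reverse proxy or an IDS such as Suricata sees it and returns finding labels for the framing ambiguities behind CL.TE, TE.TE and CL.0. The requests in SAMPLE_REQUESTS and the finding names are constructed for the example.

```python
"""Request-framing ambiguity checks for HTTP request smuggling detection.

Added example, not part of the Splunk analytics story or its detections.
All requests in SAMPLE_REQUESTS are constructed test data.
"""
from typing import Dict, List, Tuple

# (raw header name as sent, normalized name, value)
Header = Tuple[str, str, str]


def parse_headers(raw: str) -> List[Header]:
    """Split the header block into (raw_name, normalized_name, value) triples.

    Duplicates are kept on purpose: a front end and a back end may honour
    different copies of the same header, which is exactly what a detector
    needs to surface.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: List[Header] = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        raw_name, value = line.split(":", 1)
        headers.append((raw_name, raw_name.strip().lower(), value.strip()))
    return headers


def body_of(raw: str) -> str:
    """Bytes after the header block, or an empty string if there is no body."""
    parts = raw.split("\r\n\r\n", 1)
    return parts[1] if len(parts) == 2 else ""


def framing_findings(raw: str) -> List[str]:
    """Return finding labels for one request; an empty list means no ambiguity."""
    headers = parse_headers(raw)
    cl = [v for _, n, v in headers if n == "content-length"]
    te = [v for _, n, v in headers if n == "transfer-encoding"]
    findings: List[str] = []

    # CL.TE / TE.CL: both framing mechanisms present. RFC 9112 says TE wins,
    # but a front end that prefers CL will disagree with a back end that prefers TE.
    if cl and te:
        findings.append("cl_and_te_present")
    # Two Content-Length headers with different values is an outright conflict.
    if len(set(cl)) > 1:
        findings.append("conflicting_content_length")
    # TE.TE: repeated Transfer-Encoding, typically one well-formed and one not.
    if len(te) > 1:
        findings.append("multiple_transfer_encoding")
    if any(v.lower() != "chunked" for v in te):
        findings.append("nonstandard_transfer_encoding")
    if any(not v.isdigit() for v in cl):
        findings.append("malformed_content_length")
    # Whitespace inside a framing header's name lets one parser honour the
    # header while another ignores it.
    if any(r != r.strip() for r, n, _ in headers
           if n in ("content-length", "transfer-encoding")):
        findings.append("obfuscated_header_name")
    # CL.0: a single valid Content-Length followed by more body bytes than it
    # declares; the surplus is what a back end may treat as the next request.
    if len(cl) == 1 and not te and cl[0].isdigit() and len(body_of(raw)) > int(cl[0]):
        findings.append("body_exceeds_content_length")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS: Dict[str, str] = {
    "benign": "POST /search HTTP/1.1\r\nHost: example.test\r\n"
              "Content-Length: 5\r\n\r\nq=abc",
    "cl_te": "POST /search HTTP/1.1\r\nHost: example.test\r\n"
             "Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG",
    "te_te": "POST /search HTTP/1.1\r\nHost: example.test\r\n"
             "Transfer-Encoding: chunked\r\nTransfer-Encoding: cow\r\n\r\n0\r\n\r\n",
    "cl_0": "GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
            "GET /other HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "obfuscated_te": "POST /search HTTP/1.1\r\nHost: example.test\r\n"
                     "Content-Length: 4\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
}


def scan(requests: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the framing checks over a batch of named requests."""
    return {name: framing_findings(raw) for name, raw in requests.items()}


def suspicious(requests: Dict[str, str]) -> List[str]:
    """Names of the requests that produced at least one finding."""
    return [name for name, found in scan(requests).items() if found]


if __name__ == "__main__":
    for name, found in scan(SAMPLE_REQUESTS).items():
        print(f"{name:14s} {found or 'clean'}")
```

These checks only see framing; they do not tell you which component actually desynced. In practice the findings are joined with the Suricata or Nginx event that carried the request, so a hit on a front end that has already normalized the headers is the interesting case.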
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Nginx Access | N/A | nginx:plus:kv | /var/log/nginx/access.log |
| Suricata | N/A | suricata | suricata |
References
- https://portswigger.net/web-security/request-smuggling#what-is-http-request-smuggling
- https://portswigger.net/research/http1-must-die
- https://www.vaadata.com/blog/what-is-http-request-smuggling-exploitations-and-security-best-practices/
- https://www.securityweek.com/new-http-request-smuggling-attacks-impacted-cdns-major-orgs-millions-of-websites/
Source: GitHub | Version: 1