| ID | Technique | Tactic |
|---|---|---|
| T1071.001 | Web Protocols | Command And Control |
| T1190 | Exploit Public-Facing Application | Initial Access |
Detection: HTTP Duplicated Header
Description
Detects an HTTP request that carries more than one header with the same name. Duplicated headers are commonly used in request smuggling and other web-based attacks. HTTP Request Smuggling exploits inconsistencies in how front-end and back-end servers parse HTTP requests, using ambiguous or malformed headers to hide a second request inside a legitimate one. Attackers leverage duplicate headers, particularly Content-Length and Transfer-Encoding, to make different servers in the chain disagree on where one request ends and the next begins. RFC 7230 states that a sender MUST NOT generate multiple header fields with the same field name in a message unless either the entire field value for that header field is defined as a comma-separated list or the header field is a well-known exception.
Search
`suricata` http.request_headers{}.name="*"
| rename dest_ip as dest
| spath path=http.request_headers{}.name output=header_names
| mvexpand header_names
| where lower(header_names) != "set-cookie"
| stats count by _raw, header_names, src_ip, dest
| where count > 1
| stats values(header_names) as duplicate_headers by _raw, count, src_ip, dest
| `http_duplicated_header_filter`
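The search above, reduced to executable logic over constructed Suricata EVE records, as an added example and not code from the Splunk project or the Suricata project. It mirrors the SPL (count request header names per event, drop set-cookie, keep names seen more than once) and then goes beyond it by separating the RFC 7230 list-valued exception from true violations and by surfacing the Content-Length / Transfer-Encoding combinations named in the Description, including the CL.TE case that has no duplicate and so never reaches the `where count > 1` stage. The sample events, the set of list-valued headers and all function names are assumptions made for this example.

```python
"""HTTP Duplicated Header detection over Suricata EVE JSON (example, not project code)."""
import json
from collections import Counter

# Header names whose value is a comma-separated list, which RFC 7230 permits to repeat.
# Assumed for this example; in production it is tuned the way the filter macro would be.
LIST_VALUED_HEADERS = {"accept", "accept-encoding", "accept-language", "via",
                       "cache-control", "forwarded"}

# The two framing headers whose duplication or co-occurrence underpins request smuggling.
FRAMING_HEADERS = {"content-length", "transfer-encoding"}

# Constructed Suricata EVE-style http events (not real traffic). Only the fields the
# search touches are present; a real record carries far more.
SAMPLE_EVE_LINES = [
    # Benign request: every header appears once.
    json.dumps({"event_type": "http", "src_ip": "198.51.100.7", "dest_ip": "10.0.0.80",
                "http": {"url": "/", "request_headers": [
                    {"name": "Host", "value": "shop.example"},
                    {"name": "User-Agent", "value": "curl/8.5.0"},
                    {"name": "Accept", "value": "*/*"}]}}),
    # CL.CL smuggling probe: Content-Length sent twice with different values.
    json.dumps({"event_type": "http", "src_ip": "198.51.100.7", "dest_ip": "10.0.0.80",
                "http": {"url": "/api/login", "request_headers": [
                    {"name": "Host", "value": "shop.example"},
                    {"name": "Content-Length", "value": "13"},
                    {"name": "Content-Length", "value": "6"}]}}),
    # CL.TE probe: both framing headers present once each, so no duplicate exists and
    # the page's search does not fire on it.
    json.dumps({"event_type": "http", "src_ip": "198.51.100.7", "dest_ip": "10.0.0.80",
                "http": {"url": "/api/login", "request_headers": [
                    {"name": "Host", "value": "shop.example"},
                    {"name": "Content-Length", "value": "4"},
                    {"name": "Transfer-Encoding", "value": "chunked"}]}}),
    # Permitted repeat of a list-valued header next to a case-variant duplicate of Host.
    json.dumps({"event_type": "http", "src_ip": "203.0.113.9", "dest_ip": "10.0.0.80",
                "http": {"url": "/", "request_headers": [
                    {"name": "Host", "value": "shop.example"},
                    {"name": "host", "value": "evil.example"},
                    {"name": "Accept", "value": "text/html"},
                    {"name": "Accept", "value": "application/json"}]}}),
]


def request_header_names(event):
    """Lower-cased names from http.request_headers{}.name (the spath + lower() steps)."""
    return [h["name"].lower() for h in event.get("http", {}).get("request_headers", [])]


def duplicate_headers(event, ignore=("set-cookie",)):
    """Mirror the search: count names, drop ignored ones, keep those seen more than once."""
    counts = Counter(n for n in request_header_names(event) if n not in ignore)
    return {name: c for name, c in counts.items() if c > 1}


def assess(event):
    """Beyond the search: split RFC 7230 violations from permitted list repeats and flag
    the Content-Length / Transfer-Encoding situations that matter for smuggling."""
    names = set(request_header_names(event))
    dups = duplicate_headers(event)
    return {
        "src_ip": event["src_ip"],
        "dest": event["dest_ip"],                    # rename dest_ip as dest
        "duplicate_headers": sorted(dups),           # values(header_names) as duplicate_headers
        "rfc7230_violations": sorted(n for n in dups if n not in LIST_VALUED_HEADERS),
        "framing_duplicated": sorted(n for n in dups if n in FRAMING_HEADERS),
        "cl_te_both_present": FRAMING_HEADERS <= names,
    }


def run_detection(eve_lines):
    """Apply the page's search to raw EVE lines: only events with a duplicated header alert."""
    alerts = []
    for line in eve_lines:
        event = json.loads(line)
        if event.get("event_type") != "http" or not duplicate_headers(event):
            continue
        alerts.append(assess(event))
    return alerts


def smuggling_candidates(eve_lines):
    """Wider net than the search: duplicated framing headers or CL and TE together."""
    results = [assess(json.loads(line)) for line in eve_lines]
    return [r for r in results if r["framing_duplicated"] or r["cl_te_both_present"]]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVE_LINES):
        print("duplicated header:", alert)
    for cand in smuggling_candidates(SAMPLE_EVE_LINES):
        print("smuggling candidate:", cand)
```

The case-variant Host duplicate in the last event is why the search lower-cases names before counting: a front-end that treats `Host` and `host` as the same header and a back-end that does not is exactly the parser disagreement smuggling relies on. The CL.TE event shows the limit of a duplicate-only rule; if that case matters in your environment, pair this detection with one that fires on Content-Length and Transfer-Encoding appearing together.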
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Suricata | N/A | suricata | suricata |
Macros Used
| Name | Value |
|---|---|
| suricata | sourcetype=suricata |
| http_duplicated_header_filter | search * |
http_duplicated_header_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
Implementation
This search runs directly against the suricata sourcetype rather than the Web datamodel, and it depends on the http.request_headers{} multivalue field, which Suricata only emits when its EVE HTTP logger is configured to dump all request headers (the dump-all-headers setting of the http section of the eve-log output in suricata.yaml). Other web log sources such as Apache, Nginx, or Palo Alto can be adapted only if their Technology Add-On logs every request header in a comparable field; the default access-log formats do not.
Known False Positives
False positives are not expected, however, monitor, filter, and tune as needed based on organization log sources. Headers whose value is defined as a comma-separated list (for example Accept or Via) may legitimately appear more than once under the RFC 7230 exception noted above; if a client or proxy in your environment sends them that way, exclude them in the http_duplicated_header_filter macro rather than in the search body.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Duplicated headers within a web request were detected. The source IP is $src_ip$ and the destination is $dest$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 51 | src_ip |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | suricata | suricata |
| Integration | ✅ Passing | Dataset | suricata | suricata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1