Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Web Server Security Requirements Guide
SRG-APP-000251
SRG-APP-000251
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SRG-APP-000251
1 Rule
<GroupDescription></GroupDescription>
The web server must interpret and normalize ambiguous HTTP requests or terminate the TCP connection.
Medium Severity
<VulnDiscussion>Request smuggling attacks involve placing both the Content-Length header and the Transfer-Encoding header into a single HTTP/1 request and manipulating it so that web servers (i.e., back-end, front-end, load balancers) process the request differently. There are a number of variants of this type of attack with different names. However, all variants are addressed by configuring the front-end server to exclusively use HTTP/2 when communicating with other web servers. Specific instances of this vulnerability can be resolved by reconfiguring the front-end server to normalize ambiguous requests before routing them onward. However, if the request cannot be made unambiguous or normalized, configure both the front-end and back-end servers to reject the message and close the connection. It is important to not assume requests do not have a body. For all web servers, examine requests that report message body length as zero in the HTTP header and drop the request. For load balancing or reverse proxying implementation: -The front-end web server must interpret and forward HTTP requests, such that the back-end server receives a consistent interpretation of the request, or terminate the TCP connection. -The back-end web server must drop ambiguous requests that cannot be normalized and terminate the TCP connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>