The web server must interpret and normalize ambiguous HTTP requests or terminate the TCP connection.

An XCCDF Rule

Description

Request smuggling attacks involve placing both the Content-Length header and the Transfer-Encoding header into a single HTTP/1 request and manipulating it so that web servers (i.e., back-end, front-end, load balancers) process the request differently. There are a number of variants of this type of attack with different names. However, all variants are addressed by configuring the front-end server to exclusively use HTTP/2 when communicating with other web servers. Specific instances of this vulnerability can be resolved by reconfiguring the front-end server to normalize ambiguous requests before routing them onward. However, if the request cannot be made unambiguous or normalized, configure both the front-end and back-end servers to reject the message and close the connection.

It is important to not assume requests do not have a body. For all web servers, examine requests that report message body length as zero in the HTTP header and drop the request.

For load balancing or reverse proxying implementations:
- The front-end web server must interpret and forward HTTP requests, such that the back-end server receives a consistent interpretation of the request, or terminate the TCP connection.
- The back-end web server must drop ambiguous requests that cannot be normalized and terminate the TCP connection.

Documentable
false

ID
SV-264364r984437_rule
Severity
Medium

Remediation - Manual Procedure

Configure the web server to interpret HTTP headers so that they are normalized and unambiguous. The web server must validate requests that report a message body length of "zero" in the HTTP header.

Configure the web server to drop ambiguous requests that cannot be normalized and terminate the TCP connection.
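The normalize-or-reject behaviour the discussion and the two remediation steps describe, as an added Python illustration (not part of the STIG text and not any web server's own code). It screens one HTTP/1 request buffer at a time and assumes the buffer holds a single request (pipelined requests would have to be split first); header handling follows RFC 9112 section 6, and every sample request it carries is constructed.

```python
"""Normalize-or-reject screening of HTTP/1 request heads.

Added example, not part of the STIG text. The checks follow RFC 9112
section 6 (message body length); all sample requests below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEAD_END = b"\r\n\r\n"
Header = Tuple[str, str]


@dataclass
class Decision:
    action: str                      # "accept", "normalize" or "reject"
    reason: str
    request: Optional[bytes] = None  # the request as it would be forwarded
    close: bool = False              # terminate the TCP connection afterwards


def split_head(raw: bytes) -> Tuple[bytes, List[Header], bytes]:
    """Split a raw request into request line, header list and the bytes after the head."""
    idx = raw.find(HEAD_END)
    if idx < 0:
        raise ValueError("no end of headers")
    head, body = raw[:idx], raw[idx + len(HEAD_END):]
    lines = head.split(b"\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # Whitespace before the colon and obsolete line folding are rejected (RFC 9112 5.1/5.2)
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line %r" % line)
        # Only SP/HTAB count as optional whitespace around a field value
        headers.append((name.decode("ascii").lower(), value.decode("ascii").strip(" \t")))
    return lines[0], headers, body


def rebuild(request_line: bytes, headers: List[Header], body: bytes) -> bytes:
    """Serialise a request head with canonical (lower-case) header names."""
    lines = [request_line] + [f"{n}: {v}".encode("ascii") for n, v in headers]
    return b"\r\n".join(lines) + HEAD_END + body


def screen(raw: bytes) -> Decision:
    """Decide whether one request buffer is forwarded as-is, normalized, or rejected."""
    try:
        request_line, headers, body = split_head(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return Decision("reject", f"unparseable request: {exc}", close=True)

    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # Content-Length must be decimal and, if repeated, identical everywhere.
    if any(not v.isdigit() for v in cl_values):
        return Decision("reject", "malformed Content-Length", close=True)
    if len(set(cl_values)) > 1:
        return Decision("reject", "conflicting Content-Length values", close=True)

    # Only the canonical "chunked" coding is accepted, so no two hops can
    # disagree about whether the body is chunked.
    if te_values and (len(te_values) > 1 or te_values[0].lower() != "chunked"):
        return Decision("reject", "unrecognised or repeated Transfer-Encoding", close=True)

    if te_values:
        # Both headers present: RFC 9112 6.1 allows framing by Transfer-Encoding
        # alone, but the connection must then be closed.
        if cl_values:
            kept = [(n, v) for n, v in headers if n != "content-length"]
            return Decision("normalize", "dropped Content-Length in favour of Transfer-Encoding",
                            rebuild(request_line, kept, body), close=True)
        return Decision("accept", "chunked body", raw)

    if cl_values:
        length = int(cl_values[0])
        # The "zero-length body" check from the rule: declared empty, yet bytes follow.
        if length == 0 and body:
            return Decision("reject", "Content-Length: 0 but body bytes are present", close=True)
        if len(cl_values) > 1:
            # Identical duplicates collapse to a single header.
            kept = [(n, v) for n, v in headers if n != "content-length"]
            kept.append(("content-length", cl_values[0]))
            return Decision("normalize", "collapsed duplicate Content-Length",
                            rebuild(request_line, kept, body))
        return Decision("accept", "single Content-Length", raw)

    # Neither header: the request has no body, so any trailing bytes are unaccounted for.
    if body:
        return Decision("reject", "body bytes without a declared length", close=True)
    return Decision("accept", "no message body", raw)


if __name__ == "__main__":
    # Constructed samples: a plain request, a CL+TE request and a zero-length claim with bytes after it.
    samples = [
        b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
        b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\nX",
    ]
    for sample in samples:
        d = screen(sample)
        print(d.action, "-", d.reason, "- close connection" if d.close else "")
```

The front-end role maps to the `normalize` outcome (forward the rebuilt request, then close the connection, as RFC 9112 requires when both framing headers were present), and the back-end role to `reject`: anything that is not canonical after this pass is dropped with the connection terminated rather than forwarded.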