HTTPS Request Smuggling

The Network: A mid-size financial institution on the U.S. East Coast. Hundreds of devices on the internal network. Redundant network connectivity to the internet; top-of-the-line network equipment.
 
The Expectation: EventTracker Co-Managed SIEM services, advanced endpoint protection, and behavior analytics would deliver added protection for the IT team.
 
The Catch: Careful review of firewall logs showed an attempted HTTPS request smuggling (HRS) attack. When two or more HTTP-handling entities (such as a proxy, cache, or firewall) sit in the path of an HTTP request, a specially crafted request is seen by two of the attacked entities as two different sets of requests. This allows certain requests to be smuggled through to the second entity without the first one realizing it.
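One way to check for the parsing disagreement described above, as an added example that is not part of the original case study or EventTracker's own detection logic. It goes beyond the text by assuming the disagreement comes from the headers HTTP/1.1 uses to mark where a request body ends (Content-Length and Transfer-Encoding); the function names, finding strings and sample requests (host bank.example) are constructed for illustration.

```python
# Added example: flag request heads whose body framing two HTTP parsers
# could read differently. All sample requests are constructed.

def parse_head(raw: bytes):
    """Return [(name, value)] for each header line; value is None if no colon."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        headers.append((name, value.strip() if sep else None))
    return headers

def framing_findings(raw: bytes):
    """List the reasons two devices in the path could disagree on request length."""
    findings, lengths, has_te = [], set(), False
    for name, value in parse_head(raw):
        if value is None:
            findings.append("header line without a colon")
            continue
        # Some parsers trim whitespace in a field name, others skip the header.
        if name != name.strip():
            findings.append("whitespace in header name")
        key = name.strip().lower()
        if key == b"content-length":
            lengths.add(value)
            if not value.isdigit():
                findings.append("non-numeric Content-Length")
        elif key == b"transfer-encoding":
            has_te = True
    if len(lengths) > 1:
        findings.append("conflicting Content-Length values")
    if lengths and has_te:
        findings.append("both Content-Length and Transfer-Encoding present")
    return findings

HEAD = b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
SAMPLES = {  # constructed request heads, no real traffic
    "clean": HEAD + b"Content-Length: 11\r\n\r\nuser=alice1",
    "cl_te": HEAD + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "dup_cl": HEAD + b"Content-Length: 0\r\nContent-Length: 11\r\n\r\n",
    "ws_name": HEAD + b"Content-Length: 4\r\nTransfer-Encoding : chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, framing_findings(raw) or "ok")
```

A proxy or firewall that rejects or normalizes any request with a non-empty findings list leaves the next device in the path nothing to interpret differently.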
 
The Find: The firewall detected an http.Request.Smuggling attack from the external IP address 208.84.41.61 to the proxy server. Because the connections were allowed, as expected, they bypassed the firewall and reached the proxy. Connections were initiated to the website www2.pplcnhld.com, which is a known problem site.
 
The Fix: Devices handling HTTP requests in between the client and server are vulnerable to HRS. The following devices on the client side are prone to HRS attacks:
  • Cache servers used to cache static pages to limit bandwidth usage. Cache servers are prone to cache poisoning using HRS.
  • Proxy servers used to connect the internal LAN to the internet. Request hijacking is possible through a proxy server.
  • Firewalls used to protect a website or internal LAN from other networks. Firewalls are prone to worm attacks using HRS.
  • Other devices such as SSL accelerators, IDS, load balancers, and internet browsers are also prone to HRS attacks.
Our SOC responded to the customer with all investigation findings and recommended the following actions:
  • Block the URL and IP addresses in the proxy and firewall.
  • Investigate the internal source system and proxy devices further.
  • Check the browser and system for infection and run anti-virus scans.
  • Integrate the proxy server with EventTracker.
  • Harden and update the proxy and firewall with the IOCs.
The Lesson: After examining the proxy logs, the outbound connection to the compromised website was identified and blocked on all external-facing firewalls. Dark trace was monitored for any further attempts to reach the problem site. 
 
Perfect protection is not practical, so monitoring is necessary.