What is HTTP/0.9 Request Smuggling
A vulnerability rooted in the obsolete HTTP/0.9 protocol, whose lack of any header syntax leaves nothing standardized to parse. Because HTTP/0.9 carries no headers and transmits raw data only, attackers can send malformed requests that servers or proxies interpret differently from one another, potentially allowing unauthorized access or bypassing security mechanisms. HTTP/0.9 is rarely used today and is mostly found in legacy systems.
- HTTP/0.9 is a minimal protocol that does not use headers in requests or responses, making it incompatible with modern browsers.
- Some CDNs may improperly handle versioning, which can be exploited by manipulating requests as HTTP/0.9.
Exploitation Strategy
HTTP/0.9 request line:
GET / HTTP/0.9 or GET / HTTP ---> Both render as HTTP/0.9 (not directly allowed in browsers)
- HTTP/0.9 request smuggling exploits inconsistencies between a front-end server (usually expecting HTTP/1.1) and a back-end server that still supports the older HTTP/0.9 standard. This mismatch allows attackers to manipulate how requests are interpreted, potentially injecting malicious payloads.
- If an attacker can control the server's response (e.g., by uploading a file or altering text), and the server interprets the request as HTTP/0.9, it serves the content raw, so the client renders it as the page itself. This can be used to inject malicious content or bypass security measures.
The attack leverages the fact that:
- The back-end server understands HTTP/0.9 and accepts its simpler request format (e.g., GET /file without headers).
- The front-end server does not recognize HTTP/0.9 and may interpret such requests incorrectly as part of an HTTP/1.1 stream.
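To make the mismatch concrete, here is an added Python example (not code from the original page): a front-end request-line check that refuses HTTP/0.9-style lines, and a parser showing how a file served verbatim by an HTTP/0.9 back-end is read by a client or cache as a complete HTTP/1.1 response, attacker-chosen headers included. The function names and the sample file bytes are constructed for this example.

```python
import re

# Grammar of an HTTP/1.x request line: METHOD SP target SP HTTP/1.x
HTTP1_REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def classify_request_line(line: str) -> str:
    """Classify a raw request line as 'http/1.x', 'http/0.9' or 'malformed'.
    Lenient servers treat a missing version ('GET /file'), a bare 'HTTP'
    and an explicit 'HTTP/0.9' all as HTTP/0.9 simple requests."""
    line = line.rstrip("\r\n")
    if HTTP1_REQUEST_LINE.match(line):
        return "http/1.x"
    parts = line.split(" ")
    if parts[0] == "GET" and len(parts) == 2:
        return "http/0.9"
    if parts[0] == "GET" and len(parts) == 3 and parts[2] in ("HTTP", "HTTP/0.9"):
        return "http/0.9"
    return "malformed"


def front_end_accepts(line: str) -> bool:
    """Mitigation: a front-end or proxy forwards only HTTP/1.x request lines."""
    return classify_request_line(line) == "http/1.x"


def parse_as_http1_response(raw: bytes) -> dict:
    """What a client or cache sees when it parses bytes as an HTTP/1.x response.
    An HTTP/0.9 reply has no status line, so the first bytes of the served
    file are taken as the status line and headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}


# Constructed sample: an uploaded text file shaped like a full HTTP/1.1 response.
UPLOADED_FILE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: public, max-age=10\r\n"
    b"\r\n"
    b"<html><body>INJECTED</body></html>"
)


def http09_served_response(file_bytes: bytes) -> dict:
    """HTTP/0.9 semantics: the response is the file itself, nothing prepended."""
    return parse_as_http1_response(file_bytes)
```

The parsed result shows why the upload is dangerous: the file's own Cache-Control line becomes a real caching directive for whatever sits in front of the back-end.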
Example Attack:
Malicious Response Example: Upload a file containing an HTTP/1.1 response, but trick the server into interpreting it as HTTP/0.9:
# THIS IS A FILE TXT (ALL OF IT)
HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: public, max-age=10
Content-Length: X-X-X
<html>
<head>
</head>
<body>
XSS PAYLOAD
</body>
</html>
- Now, as the attacker, we can fetch this file as HTTP/0.9, or simply omit the HTTP/1.1 version token from the request line, and send the request to retrieve the file. You can combine this with cache poisoning for higher impact.
Cache Poisoning: Combine HTTP/0.9 request smuggling with cache poisoning to persist malicious content on cached pages:
GET /file/evilfile.txt#../../ ---> May require URL encoding or multiple slashes for evasion
By exploiting the misinterpretation of HTTP/0.9 and leveraging techniques like cache poisoning, attackers can inject malicious payloads or manipulate server responses in certain environments.