HTTP request smuggling bug patched in HAProxy

Ben Dickson 17 February 2023 at 16:05 UTC
Updated: 17 February 2023 at 16:07 UTC

Exploitation could enable attackers to access backend servers

HAProxy, the popular open source load balancer and reverse proxy, has patched a bug that could enable attackers to stage HTTP request smuggling attacks.

By sending a maliciously crafted HTTP request, an attacker could bypass the filters of HAProxy and gain unauthorized access to back-end servers.

Dropped headers

According to a notice by Willy Tarreau, the maintainer of HAProxy, “a properly crafted HTTP request can make HAProxy drop some important headers fields such as Connection, Content-length, Transfer-Encoding, Host, etc after having parsed and at least partially processed them”.

This can confuse HAProxy and force it to send requests to the back-end server without applying filters.

For example, it can be used to bypass HAProxy’s authentication checks for certain URLs or give attackers access to restricted resources. The vulnerability is not hard to exploit, but its impact depends on the target web server and how much it relies on HAProxy filters to secure its resources.

“It just requires moderate knowledge of the HTTP protocol and how a smuggling attack works,” Tarreau told The Daily Swig.

“I know that usual HTTP vuln seekers will immediately understand how to exploit this and will just need two-to-three tests to confirm their hypothesis, which is why it was really not needed to [include] more details.”

Bug present since 2019

The vulnerability was reported by a group of researchers at Northeastern University, Akamai Technologies, and Google who were running tests.


Read more

Explore the site

More from the blog

Latest News