
Akamai Mitigates Hop-by-Hop Header Abuse Leading to Request Smuggling


Written by

Kaan Onarlioglu

October 05, 2022


Security researchers Jacopo Tediosi and Francesco Mariani each recently published write-ups (on September 29 and September 17, 2022, respectively) describing a technique for abusing HTTP hop-by-hop headers to launch request smuggling attacks on Akamai.

“RFC 7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing” defines hop-by-hop headers as HTTP header fields that should only be processed on the immediate next hop of a connection, therefore requiring proxy servers to remove them before forwarding the request to its destination. RFC 7230 also allows senders to specify custom hop-by-hop headers in the “Connection” header field, and prescribes a MUST requirement that any such header be removed by a proxy.

The attack technique exploits this RFC requirement. By specifying “Content-Length” as a custom hop-by-hop header, a malicious sender is able to induce a proxy server to strip out essential message framing information. That, in turn, leads to a discrepancy in how the proxy and the origin server process the same request.

Jacopo Tediosi ethically disclosed the findings to Akamai on March 24, 2022, and Akamai’s engineering and security teams promptly mitigated the issue by deploying the necessary request validation during our HTTP processing.
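As an added example, not code from Akamai's post or from its production implementation: a Python sketch of the kind of request validation a proxy can apply, checking the tokens in the Connection header before any hop-by-hop stripping takes place, alongside the RFC 7230 stripping step that shows why the check matters. Content-Length is the field from the write-ups; treating Transfer-Encoding the same way is an assumption added here because it frames the body in the same manner.

```python
# Framing fields: removing them on a sender's say-so changes how the next hop
# finds the end of the body. Transfer-Encoding is added here by assumption.
FRAMING_FIELDS = {"content-length", "transfer-encoding"}


def parse_head(raw: bytes):
    """Split an HTTP/1.1 request head into (request line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def connection_options(headers):
    """Every token named in Connection (comma-separated; the field may repeat)."""
    opts = set()
    for name, value in headers:
        if name == "connection":
            opts.update(t.strip().lower() for t in value.split(",") if t.strip())
    return opts


def validate_request(raw: bytes):
    """Return (ok, reason): refuse requests that nominate a framing field as hop-by-hop."""
    _, headers = parse_head(raw)
    bad = connection_options(headers) & FRAMING_FIELDS
    if bad:
        return False, "Connection nominates framing field(s): " + ", ".join(sorted(bad))
    return True, "ok"


def strip_hop_by_hop(raw: bytes):
    """Headers an RFC 7230 proxy forwards: drop Connection and every field it names."""
    _, headers = parse_head(raw)
    drop = connection_options(headers) | {"connection"}
    return [(n, v) for n, v in headers if n not in drop]


# Constructed sample (not taken from the write-ups): the sender lists
# Content-Length in Connection, so a compliant proxy would forward no length.
SAMPLE = (b"POST /submit HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Connection: keep-alive, Content-Length\r\nContent-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    print(validate_request(SAMPLE))   # rejected before any stripping happens
    print(strip_hop_by_hop(SAMPLE))   # what a proxy without the check forwards
```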

Although this attack no longer impacts Akamai, we stress that the issue was not caused by an implementation bug, but by an intentional design decision made for the HTTP/1.1 protocol. As we observe with many request smuggling and cache poisoning vectors, eliminating such potentially unsafe interactions in complex web deployments remains a relatively new and open research problem for all proxy technology vendors and the wider security research community.

We are grateful to Jacopo Tediosi and Francesco Mariani for helping Akamai shepherd this problem to a resolution, and for their contribution to internet security.
