Anjani Kumar Ponnam (AnjaniKumarP0301)

AnjaniKumarP0301 Member since 2020 11 posts
Posted: August 16, 2020
Last activity: August 19, 2020

HTTP Request Smuggling Vulnerability!!

How to resolve the HTTP Request Smuggling issue in Pega?

Description:

Today's web applications frequently employ chains of HTTP servers between users and the ultimate application logic. Users send requests to a front-end server (sometimes called a load balancer or reverse proxy) and this server forwards requests to one or more back-end servers. This type of architecture is increasingly common, and in some cases unavoidable, in modern cloud-based applications. When the front-end server forwards HTTP requests to a back-end server, it typically sends several requests over the same back-end network connection, because this is much more efficient and performant. The protocol is very simple: HTTP requests are sent one after another, and the receiving server parses the HTTP request headers to determine where one request ends and the next one begins.


Recommendation:

HTTP request smuggling vulnerabilities arise in situations where a front-end server forwards multiple requests to a back-end server over the same network connection, and the protocol used for the back-end connections carries the risk that the two servers disagree about the boundaries between requests. Some generic ways to prevent HTTP request smuggling vulnerabilities from arising are as follows:

- Disable reuse of back-end connections, so that each back-end request is sent over a separate network connection.
- Use HTTP/2 for back-end connections, as this protocol prevents ambiguity about the boundaries between requests.
- Use exactly the same web server software for the front-end and back-end servers, so that they agree about the boundaries between requests.


***Edited by Moderator Marissa to change type from General to Product, update Product details and Platform Capability tags***

Pega Platform 7.1.3 Security
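The boundary disagreement the post describes, shown as an added example that is not part of the original post and is not Pega code: a constructed byte stream carries one request with both Content-Length and Transfer-Encoding: chunked. A lenient parser that honours Content-Length sees one 13-byte body; a parser that honours chunked encoding sees an empty body and leaves "SMUGGLED" queued as the start of the next request on the same back-end connection. The strict check at the end is the kind of front-end gate a proxy can apply before forwarding, following RFC 7230 section 3.3.3: it rejects rather than guesses when framing is ambiguous. The stream, header names and function names are all assumptions for illustration.

```python
import re

# Constructed sample stream (not captured traffic): one request declaring BOTH
# Content-Length (13 bytes = "0\r\n\r\n" + "SMUGGLED") and chunked encoding.
SMUGGLING_STREAM = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"  # RFC 7230 tchar, for header names

def parse_head(stream):
    """Lenient head parser; returns (request_line, raw_lines, headers, body_offset) or None."""
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = stream[:end].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], lines[1:], headers, end + 4

def read_chunked(data):
    """Decode a chunked body; return (body, bytes consumed incl. trailers)."""
    pos, body = 0, bytearray()
    while True:
        line_end = data.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("incomplete chunk-size line")
        size = int(data[pos:line_end].split(b";", 1)[0].strip(), 16)
        pos = line_end + 2
        if size == 0:
            break
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2
    while True:  # trailer section ends with an empty line
        line_end = data.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("incomplete trailer section")
        line, pos = data[pos:line_end], line_end + 2
        if not line:
            return bytes(body), pos

def split_requests(stream, prefer):
    """Lenient framing: prefer='te' honours chunked, prefer='cl' honours Content-Length."""
    requests = []
    while stream:
        parsed = parse_head(stream)
        if parsed is None:
            break  # no complete head yet: bytes stay queued on the connection
        request_line, _, headers, offset = parsed
        rest = stream[offset:]
        te = headers.get("transfer-encoding", [])
        cl = headers.get("content-length", [])
        if prefer == "te" and any("chunked" in v.lower() for v in te):
            body, used = read_chunked(rest)
        elif cl:
            used = int(cl[0])
            body = rest[:used]
        else:
            body, used = b"", 0
        requests.append((request_line, body))
        stream = rest[used:]
    return requests, stream

def describe_ambiguity(stream):
    """Hardened front-end check: a reason to reject, or '' if framing is unambiguous."""
    parsed = parse_head(stream)
    if parsed is None:
        return "incomplete request head"
    _, header_lines, headers, _ = parsed
    for line in header_lines:
        if not re.match(TOKEN + ":", line):  # valid name, no space before ':'
            return "malformed header line: %r" % line
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])
    if te and cl:
        return "both Transfer-Encoding and Content-Length present"
    if len(cl) > 1 or any(not re.fullmatch(r"[0-9]+", v) for v in cl):
        return "duplicate or non-numeric Content-Length"
    if te and [v.lower() for v in te] != ["chunked"]:
        return "unsupported or obfuscated Transfer-Encoding"
    return ""

if __name__ == "__main__":
    for prefer in ("cl", "te"):
        print(prefer, split_requests(SMUGGLING_STREAM, prefer))
    print("strict verdict:", describe_ambiguity(SMUGGLING_STREAM) or "accept")
```

Running it prints the two framings side by side: the "cl" parser returns one request whose body is the whole 13 bytes and nothing left over, while the "te" parser returns one request with an empty body and b"SMUGGLED" left on the connection, which is exactly the prefix an attacker wants prepended to the next user's request. The strict check rejects the same stream outright, and also catches header-name tricks such as a space before the colon, so the front end never has to guess which of the two lengths the back end will believe. It is a complement to the post's recommendations, not a substitute: disabling connection reuse or moving the back-end hop to HTTP/2 removes the shared-connection precondition entirely.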