BirasShahar-6976 asked SamWu-MSFT commented

HTTP Request Smuggling (ADV200008) and IIS Reverse Proxy

I have a few questions about HTTP request smuggling (ADV200008):

From reading through the internet, I understood that in order to exploit an HTTP request smuggling vulnerability, your setup must consist of a frontend device (load balancer, reverse proxy) and a backend web server.

  1. Is IIS Reverse Proxy working with IIS web server in the backend susceptible to this attack?

  2. ADV200008 suggests adding this registry value on the IIS web server: DisableRequestSmuggling. What is the impact of enabling this filter? Should I simply do it on all of my servers, or may it have some bad impact?

windows-server-iis

1 Answer

SamWu-MSFT answered SamWu-MSFT commented

Hi @BirasShahar-6976

Is IIS Reverse Proxy working with IIS web server in the backend susceptible to this attack?

No. Microsoft recommends that administrators review front-end environmental configurations and, if necessary, enable the request smuggling filter. Testing is required to determine that front-end load balancers and proxies do not forward malformed requests; these requests will be rejected when the filter is enabled, which may disrupt communications.

ADV200008 suggests adding this registry value on the IIS web server: DisableRequestSmuggling. What is the impact of enabling this filter? Should I simply do it on all of my servers, or may it have some bad impact?

Literally, if you enable this filter, it disables request smuggling. You should decide whether to enable it everywhere according to your needs.

If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks for the reply.

I was expecting something a bit more thorough and technical.

For my first question: without any load balancer or any other device, simply IIS in the frontend that proxies requests to another IIS server (which could be the same server or a different one), do I need to enable the request smuggling filter in that setup?

For my second question: I meant what impact it may have in terms of performance/functionality, and what will it actually do to prevent the vulnerability from being exploited?

Thanks


@BirasShahar-6976

For my first question: without any load balancer or any other device, simply IIS in the frontend that proxies requests to another IIS server (which could be the same server or a different one), do I need to enable the request smuggling filter in that setup?

That depends on your own needs, but it is safer to enable the request smuggling filter on IIS servers.

I meant what impact it may have in terms of performance/functionality, and what will it actually do to prevent the vulnerability from being exploited?

This link should help you: ADV200008.

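The thread never spells out what a request smuggling filter actually checks, so here is an added example (written for this page, not code from Microsoft, IIS or the thread participants) that models it. The two "lenient peer" functions show how a front end that trusts Content-Length and a back end that trusts Transfer-Encoding can disagree about where one request ends, which is the desynchronisation the advisory is about; `classify_framing` shows the defensive alternative of rejecting any request whose body length is ambiguous or malformed before it is forwarded. This follows the general RFC 7230 message-framing rules; the exact conditions HTTP.sys applies when DisableRequestSmuggling is set are documented in ADV200008 and are not reproduced here. All request bytes below are constructed for the example.

```python
# Added example: strict HTTP/1.1 request-framing check versus two lenient peers.
# Not from ADV200008 or IIS; models the general Content-Length / Transfer-Encoding
# ambiguity that request smuggling relies on. Sample requests are constructed.
from dataclasses import dataclass


@dataclass
class Framing:
    kind: str          # content-length | chunked | none | ambiguous | malformed
    reason: str = ""


def split_request(raw: bytes):
    """Return (lower-cased (name, value) header list, body bytes) for one request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    headers = []
    for line in head.split(b"\r\n")[1:]:             # skip the request line
        name, colon, value = line.partition(b":")
        # RFC 7230: no whitespace is allowed between the field name and ':'
        if not colon or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower().decode("ascii", "replace"),
                        value.strip().decode("ascii", "replace")))
    return headers, body


def classify_framing(raw: bytes) -> Framing:
    """Strict filter: anything a lenient peer might frame differently is rejected."""
    try:
        headers, _ = split_request(raw)
    except ValueError as exc:
        return Framing("malformed", str(exc))
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        return Framing("ambiguous", "both Content-Length and Transfer-Encoding present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:                    # only a bare, final 'chunked'
            return Framing("malformed", f"unexpected Transfer-Encoding {te!r}")
        return Framing("chunked")
    if cl:
        if len(set(cl)) > 1 or not cl[0].isdigit():
            return Framing("malformed", f"conflicting or non-numeric Content-Length {cl!r}")
        return Framing("content-length")
    return Framing("none")


def body_by_content_length(headers, body: bytes):
    """Lenient peer that trusts Content-Length: returns (body, leftover bytes)."""
    n = int(next(v for k, v in headers if k == "content-length"))
    return body[:n], body[n:]


def body_by_chunked(body: bytes):
    """Lenient peer that trusts chunked encoding: returns (decoded body, leftover)."""
    decoded, pos = b"", 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return decoded, body[pos + 2:]                   # skip empty trailer line
        decoded += body[pos:pos + size]
        pos += size + 2                                       # chunk data plus CRLF


def desync_bytes(raw: bytes):
    """Leftover bytes each lenient peer believes belong to the *next* request."""
    headers, body = split_request(raw)
    _, rest_cl = body_by_content_length(headers, body)
    _, rest_te = body_by_chunked(body)
    return rest_cl, rest_te


# Constructed sample requests (hosts and bodies are illustrative only).
AMBIGUOUS_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\nLEFTOVER"
)
CLEAN_REQUEST = b"POST / HTTP/1.1\r\nHost: app.example.test\r\nContent-Length: 5\r\n\r\nhello"
OBFUSCATED_TE = b"POST / HTTP/1.1\r\nHost: app.example.test\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("ambiguous", AMBIGUOUS_REQUEST), ("clean", CLEAN_REQUEST),
                      ("obfuscated", OBFUSCATED_TE)]:
        print(name, classify_framing(req))
    print("leftover seen by CL peer / TE peer:", desync_bytes(AMBIGUOUS_REQUEST))
```

Running it shows the point behind the advisory: for the ambiguous request the Content-Length peer consumes all 13 body bytes and sees nothing left, while the chunked peer stops at the terminating chunk and treats `LEFTOVER` as the start of a second request; a front end applying `classify_framing` rejects that request outright, which is also why the advisory warns that enabling the filter can break clients and proxies that legitimately send malformed framing.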