Check: SRG-APP-000439-WSR-000196
Web Server SRG:
SRG-APP-000439-WSR-000196
(in versions v4 r2 through v3 r3)
Title
The web server must only use forward proxies that route HTTP/2 requests upstream. (Cat II impact)
Discussion
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. It is crucial that the web server and forward proxy agree about the boundaries between requests. Otherwise, an attacker may be able to send ambiguous and other smuggling attacks to the web server.
Check Content
If a forward proxy is not used, this is not applicable. Verify the web server only uses forward proxies that route HTTP/2 requests upstream. If the web server uses forward proxies that do not only route HTTP/2 requests, this is a finding.
Fix Text
Configure the web server to only use forward proxies that route HTTP/2 requests upstream.
Additional Identifiers
Rule ID: SV-264366r984443_rule
Vulnerability ID: V-264366
Group Title: SRG-APP-000439
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002418 |
Protect the confidentiality and/or integrity of transmitted information. |
Controls
Number | Title |
---|---|
SC-8 |
Transmission Confidentiality and Integrity |