Check: SRG-APP-000251-WSR-000195
Web Server SRG:
SRG-APP-000251-WSR-000195
(in versions v4 r2 through v3 r3)
Title
The web server must terminate the connection if server-level exceptions are triggered when handling requests to prevent HTTP request smuggling attacks. (Cat II impact)
Discussion
The web server defines a set of exceptions for every HTTP status code. Each exception class has a status code according to RFC 2068: codes in the 100-300 range are not errors; 400s are client errors, and 500s are server errors. Unless a response specifies its own headers, the default response headers are added. In the event of an anomaly or exception during the processing of a request, it is safer to terminate the connection so that a malformed request cannot exploit potential protocol vulnerabilities.
Check Content
Verify the web server terminates the connection if server-level exceptions are triggered when handling requests. If the web server does not terminate the connection if server-level exceptions are triggered when handling requests, this is a finding.
Fix Text
Configure the web server to terminate the connection if server-level exceptions are triggered when handling requests, to prevent HTTP request smuggling attacks.
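The SRG names no particular web server, so the following added example (not part of the SRG text) models the required behaviour with Python's standard-library HTTP server: a keep-alive HTTP/1.1 handler that, on any server-level exception, answers 500 with `Connection: close` and stops reading from that socket, plus a probe that confirms the connection can no longer be reused. `StrictHandler`, `probe` and the `/boom` path are assumptions of this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class StrictHandler(BaseHTTPRequestHandler):
    """Keep-alive HTTP/1.1 handler that drops the connection on any server-level exception."""
    protocol_version = "HTTP/1.1"  # persistent connections: the case request smuggling relies on

    def do_GET(self):
        try:
            if self.path == "/boom":  # hypothetical path that simulates an internal failure
                raise RuntimeError("simulated server-level exception")
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        except Exception:
            # Server-level exception: answer 500 with "Connection: close" and stop serving
            # this socket, so no further (possibly desynchronised) bytes are parsed from it.
            self.send_error(500, "Internal Server Error")
            self.close_connection = True

    def log_message(self, *args):  # silence request logging in the example
        pass


def probe(path):
    """Request `path` from a throwaway server, then try to reuse the same connection.
    Returns (status, Connection header, reused); reused is False when the server hung up."""
    srv = HTTPServer(("127.0.0.1", 0), StrictHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1])
    conn.auto_open = 0  # never reconnect silently: a closed socket must show up as a failure
    conn.connect()
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        try:
            conn.request("GET", "/")  # second request on the same socket
            conn.getresponse().read()
            reused = True
        except (http.client.NotConnected, ConnectionError):
            reused = False
        return resp.status, (resp.getheader("Connection") or "").lower(), reused
    finally:
        conn.close()
        srv.shutdown()
        srv.server_close()
```

`probe("/")` returns `(200, '', True)` (healthy request, connection kept alive) and `probe("/boom")` returns `(500, 'close', False)`, which is the behaviour this check requires.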
Additional Identifiers
Rule ID: SV-264365r984440_rule
Vulnerability ID: V-264365
Group Title: SRG-APP-000251
CCIs
| Number | Definition |
|---|---|
| CCI-001310 | Checks the validity of organization-defined information inputs to the system. |
Controls
| Number | Title |
|---|---|
| SI-10 | Information Input Validation |