HTTP request smuggling is a type of attack that takes advantage of differences between the way sequences of HTTP requests are processed by a web server and one or more intermediate devices, such as a Citrix ADC load balancer or another traffic-management device. HTTP request smuggling attacks are possible when requests from different clients are received by the intermediate device and then multiplexed, pipelined and forwarded to a back-end server over the same network connection. If the back-end server does not split this byte stream into individual requests in the same way as the intermediate device (for example, because the two disagree on which of Content-Length and Transfer-Encoding frames the body), a maliciously crafted HTTP request can interfere with other legitimate HTTP traffic on that connection, potentially giving the attacker unauthorized access to other users' data.
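The following is an added illustration of that parsing disagreement, written for this page; it is constructed example code, not Citrix code, and the page does not describe the internals of Citrix's strict validation profile. The three framing policies ("prefer-cl", "prefer-te", "strict"), the helper names and the CL.TE payload are this example's own assumptions. It frames one byte stream carrying an attacker's request followed by a second client's request: a front end that honours Content-Length forwards two harmless-looking requests, a back end that honours Transfer-Encoding sees the second client's request rewritten into a request for /admin, and a strict parser refuses the ambiguous message outright, which is the behaviour a strict-validation profile exists to provide.

```python
"""Constructed example (not Citrix code): one byte stream, three framing
policies. A front end that resolves a Content-Length / Transfer-Encoding
conflict one way and a back end that resolves it the other way see a
different set of requests on the same connection; a strict parser refuses
the ambiguous message instead of guessing (RFC 7230 section 3.3.3)."""

CRLF = b"\r\n"


class AmbiguousRequest(Exception):
    """Raised by the strict policy for a message whose framing is ambiguous."""


def parse_head(buf):
    """Return (request_line, headers, body_start), or None if the header block
    is incomplete. headers maps lower-cased names to a list of raw values."""
    end = buf.find(CRLF + CRLF)
    if end == -1:
        return None
    lines = buf[:end].split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].decode("ascii"), headers, end + 4


def chunked_body_end(buf, pos):
    """Index just past a chunked body (last chunk plus empty trailer section),
    or None if more bytes are needed."""
    while True:
        nl = buf.find(CRLF, pos)
        if nl == -1:
            return None
        size = int(buf[pos:nl].split(b";")[0], 16)  # chunk extensions ignored
        pos = nl + 2
        if size == 0:
            while True:  # trailer section ends with an empty line
                nl = buf.find(CRLF, pos)
                if nl == -1:
                    return None
                if nl == pos:
                    return pos + 2
                pos = nl + 2
        if len(buf) < pos + size + 2:
            return None
        pos += size + 2  # chunk data plus its trailing CRLF


def split_requests(stream, policy):
    """Frame `stream` into (request_line, headers, body) tuples.

    "prefer-cl": CL and TE both present -> honour Content-Length (lenient front end)
    "prefer-te": CL and TE both present -> honour Transfer-Encoding (back end)
    "strict":    CL and TE together, conflicting CL values, or a TE other than
                 exactly "chunked" -> AmbiguousRequest
    """
    requests = []
    while stream:
        head = parse_head(stream)
        if head is None:
            break  # header block incomplete; wait for more bytes
        request_line, headers, body_start = head
        cl = headers.get(b"content-length", [])
        te = headers.get(b"transfer-encoding", [])
        if policy == "strict":
            if cl and te:
                raise AmbiguousRequest("Content-Length and Transfer-Encoding together")
            if len(set(cl)) > 1:
                raise AmbiguousRequest("conflicting Content-Length values")
            if te and [t.lower() for t in te] != [b"chunked"]:
                raise AmbiguousRequest("unsupported Transfer-Encoding %r" % te)
        if te and not (cl and policy == "prefer-cl"):
            body_end = chunked_body_end(stream, body_start)
        elif cl:
            body_end = body_start + int(cl[0])
        else:
            body_end = body_start
        if body_end is None or body_end > len(stream):
            break  # body incomplete; wait for more bytes
        requests.append((request_line, headers, stream[body_start:body_end]))
        stream = stream[body_end:]
    return requests


def request_lines(stream, policy):
    return [r[0] for r in split_requests(stream, policy)]


def strict_rejects(stream):
    try:
        split_requests(stream, "strict")
    except AmbiguousRequest:
        return True
    return False


# Constructed CL.TE payload: Content-Length covers the whole body, but read as
# a chunked body it ends after the 0-chunk, leaving SMUGGLED_PREFIX on the
# connection to be glued onto whatever request arrives next.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nX-Ignore: "
ATTACK_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACK = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          + b"Content-Length: %d\r\n" % len(ATTACK_BODY)
          + b"Transfer-Encoding: chunked\r\n\r\n" + ATTACK_BODY)
# A second client's request, multiplexed onto the same back-end connection.
VICTIM = b"GET /victim HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = ATTACK + VICTIM

if __name__ == "__main__":
    print("front end (prefer-cl):", request_lines(STREAM, "prefer-cl"))
    print("back end  (prefer-te):", request_lines(STREAM, "prefer-te"))
    print("strict validation rejects:", strict_rejects(STREAM))
```

Run stand-alone, the front end reports POST / and GET /victim while the back end reports POST / and GET /admin, with the victim's original request line swallowed into the X-Ignore header of the smuggled request; the strict policy raises on the first message and never forwards it. Disabling connection multiplexing, as the page describes further on, removes the shared back-end connection on which the leftover bytes would otherwise be delivered to another client's request.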
As noted in the security bulletin CTX463706, the following Citrix ADC builds contain enhancements to help customers mitigate against HTTP smuggling attacks:
Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
In order to allow a wide variety of client/server transactions, Citrix ADC uses a lenient setting for parsing HTTP requests by default. An enhanced level of protection against HTTP request smuggling attacks can be provided by binding the built-in HTTP profile nshttp_default_strict_validation to one or more virtual servers, using the following commands on the CLI:
set lb vserver <vserver_name> -httpProfileName nshttp_default_strict_validation
set cs vserver <vserver_name> -httpProfileName nshttp_default_strict_validation
Please note that customers are strongly advised to test these settings prior to deployment in a production environment.
Customers who encounter any problems in deploying the above HTTP profile can alternatively disable HTTP multiplexing to mitigate against HTTP request smuggling. This can be done globally, across all services, using:
set ns httpParam -conMultiplex DISABLED
OR, alternatively, per profile using:
set httpProfile <profile_name> -conMultiplex DISABLED
Please note that, depending on the capability of the back-end web server, there may be a minor performance impact as a result of disabling HTTP multiplexing because a separate TCP connection will be created for each client connection. Customers are advised to test this configuration prior to deployment in a production environment.
Note:
The enhancements include a new HTTP profile parameter, passProtocolUpgrade, to help customers mitigate against HTTP smuggling attacks. Depending on the state of this parameter, the Upgrade header is either passed through in the request sent to the back-end server or deleted before the request is sent.
If the passProtocolUpgrade parameter is enabled, the Upgrade header is passed to the back end. The back-end server can then accept the upgrade request and signal the protocol switch in its response.
If the parameter is disabled, the Upgrade header is deleted and the remainder of the request is sent to the back end.
The passProtocolUpgrade parameter is added to the following profiles:
nshttp_default_profile: ENABLED by default
nshttp_default_strict_validation: DISABLED by default
nshttp_default_internal_apps: DISABLED by default
nshttp_default_http_quic_profile: ENABLED by default
Citrix recommends that this parameter be disabled. Note that with the parameter disabled, clients cannot negotiate a protocol upgrade (for example, to WebSocket) through that virtual server, because the Upgrade header never reaches the back end; test applications that rely on upgrades before changing it. For more best practices, see the Citrix ADC Secure Deployment Guide.
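The following added example, which is constructed for this page and is not Citrix code, models what the passProtocolUpgrade setting changes in the request that reaches the back end. The function name forward_request, the constructed h2c upgrade request and the HTTP2-Settings value are this example's assumptions; so is the cleanup of the "upgrade" token in the Connection header, which the page does not mention and which is included only because RFC 7230 says an Upgrade header is honoured only when Connection lists it. The relevant general fact is that once a back end answers an upgrade with 101 Switching Protocols, the rest of that connection is no longer a sequence of HTTP/1.1 requests that the intermediate device frames and inspects, which is why stripping the header at the ADC closes that path.

```python
"""Constructed example (not Citrix code): the request forwarded to the back
end with passProtocolUpgrade ENABLED (header passed through) and DISABLED
(Upgrade header deleted before the request is sent)."""

CRLF = b"\r\n"


def forward_request(raw, pass_protocol_upgrade):
    """Return the bytes that would be sent to the back end for `raw`."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    if pass_protocol_upgrade:
        return raw  # ENABLED: the Upgrade header travels to the back end as-is
    lines = head.split(CRLF)
    out = [lines[0]]
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        lname = name.strip().lower()
        if lname == b"upgrade":
            continue  # DISABLED: the Upgrade header is deleted
        if lname == b"connection":
            # Assumption of this example, not stated on the page: also drop
            # the "upgrade" token from Connection so the forwarded request is
            # internally consistent (RFC 7230 section 6.7).
            tokens = [t.strip() for t in value.split(b",")]
            tokens = [t for t in tokens if t.lower() != b"upgrade"]
            if not tokens:
                continue
            line = b"Connection: " + b", ".join(tokens)
        out.append(line)
    return CRLF.join(out) + sep + body


def requests_upgrade(raw):
    """True if the request still asks the server for a protocol switch."""
    head = raw.partition(CRLF + CRLF)[0].lower()
    return (CRLF + b"upgrade:") in head


def switched_protocols(response):
    """True if a back-end response accepted an upgrade (101 Switching Protocols);
    after this the connection is no longer framed as HTTP/1.1 requests."""
    status_line = response.partition(CRLF)[0].split(b" ")
    return len(status_line) >= 2 and status_line[1] == b"101"


# Constructed HTTP/1.1 -> h2c upgrade request; the HTTP2-Settings value is a
# placeholder, not a real encoded SETTINGS frame.
H2C_REQUEST = (b"GET /api HTTP/1.1\r\n"
               b"Host: example.test\r\n"
               b"Connection: Upgrade, HTTP2-Settings\r\n"
               b"Upgrade: h2c\r\n"
               b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n"
               b"\r\n")
PLAIN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
UPGRADE_ACCEPTED = b"HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: h2c\r\n\r\n"

if __name__ == "__main__":
    print("ENABLED  ->", forward_request(H2C_REQUEST, True))
    print("DISABLED ->", forward_request(H2C_REQUEST, False))
```

With the parameter enabled the back end receives the Upgrade header unchanged and, if it answers 101, switches the connection to the new protocol; with it disabled the back end receives a plain HTTP/1.1 request and has nothing to upgrade. Requests without an Upgrade header are forwarded byte-for-byte either way.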