HTTP Request Synchronization Defeats Discrepancy Attacks
Cem Topcuoglu, Kaan Onarlioglu, Steven Sprecher, Engin Kirda
TL;DR
This paper addresses discrepancy attacks that arise when HTTP proxies in a multi-hop path process requests inconsistently. It introduces HTTP Request Synchronization, a general defense that propagates an authenticated processing history across hops using standard HTTP extension mechanisms, enabling every proxy to validate processing consistency and terminate on mismatches. The authors implement the scheme on five popular proxies (Apache, NGINX, HAProxy, Varnish, and Cloudflare) and evaluate its effectiveness through three real-world discrepancy attack case studies, as well as performance benchmarks. The results demonstrate practical feasibility and meaningful security gains for layered proxy architectures, suggesting a scalable approach to safer proxied web applications.
Abstract
Contemporary web application architectures involve many layers of proxy services that process traffic. Due to the complexity of HTTP and vendor design decisions, these proxies sometimes process a given request in different ways. Attackers can exploit these processing discrepancies to launch damaging attacks including web cache poisoning and request smuggling. Discrepancy attacks are surging, yet, there exists no systemic defense. In this work, we propose the first comprehensive defense to address this problem, called HTTP Request Synchronization. Our scheme uses standard HTTP extension mechanisms to augment each request with a complete processing history. It propagates this context through the traffic path detailing how each server hop has processed said request. Using this history, every proxy server can validate that their processing is consistent with all previous hops, eliminating discrepancy attacks. We implement our scheme for 5 popular proxy technologies, Apache, NGINX, HAProxy, Varnish, and Cloudflare, demonstrating its practical impact.