I am working on a application based on Netty. Recently from our security scanner, we got to know that our application is vulnerable to Http Request Smuggling Attack. Post to that I did some exploration on this attack https://portswigger.net/web-security/request-smuggling and identified that this attack can be possible by assigning a crafted message body to a Http Request. To understand the standards of a message body, I checked the RFC doc https://datatracker.ietf.org/doc/html/rfc9112#message.body.length.
So I tried to implement those validations in my project but later find out that these are already handled in Netty wrt addressing couple of vulnerabilities.
As per the vulnerability description and behaviour part of the http request will be processed in the first request and the remaining part will be there in the buffer. The part of the request what was left in buffer is going to be used in the subsequent request to make the attack happen.
I tried to implement a solution by writing a costume Http Request Aggregator where I will read the http request till I received the final chunk then flush the buffer. But I got stuck and the solution is also not working.
Example of the crafted request
POST /broker/xml HTTP/1.1
Host: burp.ssdevrd.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Connection: keep-alive
Transfer-Encoding: chunked
Content-Length:47
0
GET /portal HTTP/1.0
Host: google.com
X:X
While simulating with the above payload Transfer-Encoding overrides Content-Length and till 0 I get in the first request body. The later part will be there in buffer and will get concatenated to the second request to make the attack happen.
Is there a way to read the http content from http request and clean the buffer after processing of each request in Netty? So that this attack can be prevented? If my understanding is wrong then please let me know how Netty works with buffer.
Any working solution / fix will be greatly appreciated.