Request Smuggling

Date: 2023-10-16 ID: b052c3c6-ec55-49a9-82ea-1f68da25763f Author: Raven Tait, Splunk Environment: attack_range Directory: request_smuggling

Description

Attack data related to request_smuggling

ID	Technique	Tactic
T1190	Exploit Public-Facing Application	Initial Access

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1190/request_smuggling/suricata_request_smuggling.log
Sourcetype: suricata
Source: suricata

Path: /datasets/attack_techniques/T1190/request_smuggling/suricata_reserved_names.log
Sourcetype: suricata
Source: suricata

Path: /datasets/attack_techniques/T1190/request_smuggling/nginx_scripting_tools.log
Sourcetype: nginx:plus:kv
Source: nginx:plus:kv

Path: /datasets/attack_techniques/T1190/request_smuggling/nginx_request_smuggling.log
Sourcetype: nginx:plus:kv
Source: nginx:plus:kv

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
HTTP Duplicated Header	`Anomaly`	Web	T1071.001, T1190	HTTP Request Smuggling
HTTP Possible Request Smuggling	`TTP`	Web	T1071.001	HTTP Request Smuggling
HTTP Request to Reserved Name on IIS Server	`TTP`	Web	T1071.001, T1190	HTTP Request Smuggling
HTTP Rapid POST with Mixed Status Codes	`Anomaly`	Web	T1071.001, T1190, T1595	HTTP Request Smuggling
HTTP Suspicious Tool User Agent	`Anomaly`	Web	T1071.001	HTTP Request Smuggling

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1190/request_smuggling/suricata_request_smuggling.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0