
A new Nessus plugin (140735 - HTTP Smuggling Detection) was very recently incorporated into Tenable's PCI template and is now being flagged as a "medium" vulnerability and causing scans to fail.

The only info in the scan report is:

A web server was discovered on port 80/443 The below information could make the Web server a potential candidate for HTTP Smuggling

  • HTTP/1.1 is supported.

I'm hoping this isn't saying that mere support for HTTP/1.1 is grounds for a failing scan, but having trouble determining what else is triggering it.

We provide software to public schools and their constituents, and still have a high % of traffic from older browsers like IE 11 and Android 4.4.4's Chromium-30 based web view, so disabling HTTP/1.1 isn't an option (nor do I see that as a configuration option offered by our web server (UWSGI) or cloud hosting provider). I've also scanned a standard CloudFront endpoint for a static site and the scan fails for this as well.

If anyone is familiar with this plugin and/or can assist with how to overcome this vulnerability (as flagged by this plugin) w/o disabling HTTP/1.1 (which really isn't an option at this time), it would be very much appreciated, as we are stuck and imminently facing missing our quarterly ASV. I've read the article attached to the plugin's landing page, but the scan seems overbroad vs. the actual vulnerability described in the article.

B Robster
  • I recently encountered this myself with Tenable's updated profile. It sounds like you may have collected sufficient material for a QSA dispute for the submission. Do you mind if I ask what you came across for it? – James Legan Oct 05 '20 at 18:51

1 Answer


According to here, this issue will show up if you have paranoia enabled. Did you purposefully enable paranoid scans?

Paranoid scans turn up with a lot of weird plugins like these. Another example of paranoia false positives I have seen was something along the lines of "Port 4444 is open, therefore there is a backdoor on this machine," which isn't necessarily true.

If you do need paranoia set to On, then you next need to verify the validity of this plugin. In that case, I would recommend using Burp Suite (community edition is fine) and then running the HTTP Smuggler addon against your "vulnerable" host. It will do a much more thorough test on it than Nessus will.

Should you discover that your host IS vulnerable, then you should investigate patching your application. Generally speaking, this is not an issue with your code -- it is almost always a vendor patch for a web server or web appliance. Note that, due to how HTTP Request Smuggling works, you also may need to investigate and patch all other infrastructure which is attached to that application. Namely, that would probably be a load balancer or some type of middleware.

Saustin
  • Thanks for the information. While I didn't enable paranoid scans, it appears to have recently been added to Tenable.io's PCI ASV Scan Template and there is no option to disable the "paranoid" setting. I've gathered enough info that I should have no problem recasting it for the ASV reviewer. And I'll try it in Burp Suite when I get a chance, to confirm. – B Robster Sep 29 '20 at 20:58
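As an added illustration of the point in the answer that smuggling is a front-end/back-end framing disagreement rather than an application bug, here is a defender-side check (example code, not from the question, the answer, or the Nessus plugin) that flags the HTTP/1.1 request-framing ambiguities a front end should reject under RFC 7230 §3.3.3. The sample requests are constructed; the host name is a placeholder.

```python
def parse_headers(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(name, value), ...]).
    Header names are kept unstripped so whitespace tricks stay visible."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name, value.strip()))
    return lines[0], headers


def framing_ambiguities(raw: bytes) -> list:
    """Return the reasons two HTTP/1.1 parsers (e.g. a load balancer and the
    application server behind it) might disagree on where this request's body
    ends. An empty list means the framing is unambiguous."""
    _, headers = parse_headers(raw)
    findings, cl_values, te_values = [], [], []
    for name, value in headers:
        key = name.strip().lower()
        if name != name.strip():
            findings.append(f"whitespace around header name {key!r}")
        if key == "content-length":
            cl_values.append(value)
        elif key == "transfer-encoding":
            te_values.append(value)
    if cl_values and te_values:
        findings.append("both Content-Length and Transfer-Encoding present "
                        "(RFC 7230 3.3.3: TE wins, CL must be ignored or request rejected)")
    if len(set(cl_values)) > 1:
        findings.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl_values):
        findings.append("non-numeric Content-Length")
    for te in te_values:
        if te.lower() != "chunked":
            findings.append(f"unusual Transfer-Encoding value {te!r}")
    return findings


# Constructed sample requests (placeholder host) for trying the check offline.
CLEAN = b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 6\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("ambiguous", AMBIGUOUS)):
        print(label, framing_ambiguities(req))
```

Running the check against requests captured at the edge (or feeding it the probes a tool like Burp's HTTP Smuggler emits) shows exactly which framing construct each hop in the chain would need to reject.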