MID-078: HTTP Request/Response Validation

Mitigation Tier: Foundational

Description

HTTP requests should be checked for special characters, such as carriage return (CR) and line feed (LF), so that parsing logic errors do not occur, for example one request being split into two separate requests. Additionally, HTTP requests should be subject to enforceable and robust request-length checks.

Any request that fails either check should be rejected, and the TCP connection carrying it should be closed. Together, these two validating mechanisms let devices ensure that no extra text, such as an inserted malicious request, can be appended to a legitimate request.

Note: HTTP/2 includes features such as length checking and should be used end-to-end wherever possible.
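As an added illustration (not code from this mitigation page or from any referenced implementation), the following Python validator applies the two checks described above to a raw HTTP/1.x request: it rejects bare CR or LF inside the request head, enforces a size cap, and rejects length ambiguities (duplicate or conflicting Content-Length and Transfer-Encoding headers, or body bytes that do not match the declared length). The limits, the accepted HTTP versions and the returned reason strings are assumptions chosen for the example.

```python
import re
from typing import Optional

MAX_REQUEST_BYTES = 8192   # assumed per-request cap; tune for the device
MAX_HEADER_COUNT = 64      # assumed header-count cap
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 token


def validate_request(raw: bytes) -> Optional[str]:
    """Return None if the request is acceptable, otherwise a reason string.

    A non-None result means the caller should reject the request and close
    the TCP connection, so that no further bytes on it are interpreted.
    """
    if len(raw) > MAX_REQUEST_BYTES:
        return "request exceeds length limit"
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "missing end of headers"
    lines = head.split(b"\r\n")
    # After splitting on CRLF, any remaining CR or LF is a bare control
    # character that different parsers may treat as a line terminator.
    for line in lines:
        if b"\r" in line or b"\n" in line:
            return "bare CR/LF in request head"
    request_line, header_lines = lines[0], lines[1:]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not TOKEN_RE.match(parts[0]) \
            or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        return "malformed request line"
    if len(header_lines) > MAX_HEADER_COUNT:
        return "too many headers"
    headers = {}
    for hl in header_lines:
        name, colon, value = hl.partition(b":")
        if not colon or not TOKEN_RE.match(name):
            return "malformed header"  # also rejects whitespace before ':'
        key = name.lower()
        if key in headers and key in (b"content-length", b"transfer-encoding"):
            return f"duplicate {key.decode()} header"
        headers[key] = value.strip()
    cl = headers.get(b"content-length")
    te = headers.get(b"transfer-encoding")
    if cl is not None and te is not None:
        return "both Content-Length and Transfer-Encoding present"
    if te is not None and te.lower() != b"chunked":
        return "unsupported Transfer-Encoding"
    if cl is not None:
        if not cl.isdigit():
            return "non-numeric Content-Length"
        if len(body) != int(cl):
            return "body length does not match Content-Length"
    elif te is None and body:
        return "unexpected bytes after request"  # no declared body, yet data
    return None
```

For chunked bodies the validator only accepts the framing declaration; the chunk decoder that follows must apply the same reject-and-close policy to malformed chunk sizes.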

IEC 62443 4-2 Mappings

  • CR 3.5 - Input validation
