What is the major difference between HTTP Splitting and HTTP Smuggling?
What are the major similarities between HTTP Splitting and HTTP Smuggling?
HTTP splitting is the fact of splitting responses or requests in HTTP (most often responses). You have several ways of doing that. Some applications will forget to forbid end-of-line characters in hostnames used in custom HTTP redirects (30x), for example, or in the past browsers could be tricked into splitting requests when using end-of-line characters in Digest HTTP Authentication usernames.
When you have this sort of issue (application flaws) you can build attacks triggering the final user (like with XSS), making users request a URL, using the splitting to inject content in the first response and having the regular response discarded as an extra response. Which means you can split the request but also inject the response content from a URL; that's a very specific combination: the URL can carry the whole attack.
But splitting can also be done without application flaws, using directly a flaw in the protocol parsing by an HTTP server (like double Content-Length headers). The URL does not carry the attack. Here splitting is a fact (one request or response is split after the attack), but has no direct consequence. That's the tool.
HTTP Smuggling is a more global thing, using HTTP splitting, but not only. Without an application flaw, to perform a complete smuggling attack (leading to cache poisoning or security filter bypass), you also need transmitters, web agents like proxies which carry the splitting attack, and targets (like caches) which are impacted by the splitting.
This post may interest you for details.
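The parsing flaw the answer mentions (double Content-Length headers) only becomes a smuggling vector when two agents frame the same message differently. The check below, written as an added example and not part of the original answer, shows how a server or proxy can refuse ambiguous framing instead of picking one interpretation; the sample requests are constructed.

```python
# Added example: strict HTTP/1.1 framing check, rejecting the ambiguous cases
# the answer mentions (double Content-Length) plus Content-Length combined
# with Transfer-Encoding, following RFC 7230 section 3.3.3.

def parse_head(raw: bytes):
    """Return (request_line, [(lower_name, value), ...]) for a raw request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower().decode("ascii", "replace"),
                        value.strip().decode("ascii", "replace")))
    return lines[0].decode("ascii", "replace"), headers


def framing(raw: bytes):
    """Return ("chunked", None), ("length", n) or ("reject", reason).
    Agents that all apply this rule cannot disagree on where a body ends."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        return ("reject", "Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":  # chunked must be the final coding
            return ("reject", "Transfer-Encoding without final chunked coding")
        return ("chunked", None)
    if cl:
        values = {c.strip() for v in cl for c in v.split(",")}
        if len(values) != 1:  # two headers (or a list) with differing numbers
            return ("reject", "conflicting Content-Length values")
        value = values.pop()
        if not value.isdigit():
            return ("reject", "non-numeric Content-Length")
        return ("length", int(value))
    return ("length", 0)  # no body


# Constructed sample requests (not real traffic).
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n\r\nhello!"
DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 6\r\nContent-Length: 0\r\n\r\nhello!")
TE_AND_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Transfer-Encoding: chunked\r\nContent-Length: 6\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("CLEAN", CLEAN), ("DOUBLE_CL", DOUBLE_CL), ("TE_AND_CL", TE_AND_CL)):
        print(name, framing(req))
```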