RSFW

Author: Amit Klein, Safebreach

Request Smuggling Firewall - a PoC for my BlackHat US 2020 paper HTTP Request Smuggling in 2020.

The Request Smuggling Firewall PoC project consists of two C++ cross-platform libraries:

SAL (Socket Abstraction Layer): provides a cross-platform TCP socket abstraction layer for its "consumer", in the context of the process SAL resides in. The consumer registers a class object factory with SAL, and for each new socket opened in the process, SAL invokes the factory, obtains a new consumer object, and feeds it with socket events (CTOR=accept, onRead=recv, DTOR=close/shutdown). SAL has Linux-specific implementation and Windows-specific implementation, but its consumer API is platform-agnostic.
RSFW (Request Smuggling Firewall) is a SAL consumer, which is specifically tailored to provide protection against HTTP Request Smuggling for proxy/web servers. RSFW parses incoming HTTP requests by keeping a rough state machine per each socket, and by keeping the "current" partial line cached in the socket object. While the app (web/proxy server) receives the data immediately, RSFW will not allow a full line with protocol violation to be passed to the app, i.e. it will always block the request before EOL arrives to the app. RSFW is platform agnostic.

Specific APIs and deployment:

Consumer API: the SAL consumer (e.g. RSFW) must inherit from AbstractSocket. The consumer must register with SAL by initializing (at load time) SAL::gen_f to a factory object that produces AbstractSocket objects with the designated parameters. The current implementation only supports a single consumer registration. Each AbstractSocket represents a single socket, with CTOR called when the socket is created (e.g. with accept), onRead called when data is received (e.g. with recv) and DTOR when the socket is terminated (e.g. close). The consumer object can interact with the socket (e.g. send data out) using the sockfd provided to it. The consumer should not invoke socket operations that may cause recursion (e.g. invoking close). Specifically, to terminate the socket, the consumer needs to return false from onRead.
Deployment: the current deployment model has SAL and RSFW compiled into a shared library file (.so/.dll), together with the FuncHook function hooking library. The platform specific SAL implementation contains a startup routine (\_init for Linux, DllMain for Windows) that invokes the FuncHook hooking API needed for the specific platform. The shared library needs to be injected into the target process (this functionality is not provided).

Compiling (Linux):

Compiling (Windows):

Hints for running RSFW on Linux with a single web/proxy process: