Aug 10, 2023 at 09:45 AM

Avoid request smuggling with Approuter+CAP on BTP


Hello,

we are developing a CAP application with a Node.js backend and a standard SAPUI5 application with the default approuter as the frontend.

The problem right now is that we got feedback from the security team that there is a vulnerability to "request smuggling".

It can be exploited by sending the following request multiple times:

GET /api/notsosecret/myfunction() HTTP/1.1
Host: mycompany-frontend.cfapps.eu20-001.hana.ondemand.com
Content-Length: 5
Transfer-Encoding: chunked
Cookie: JSESSIONID=mysession
Connection: transfer-encoding
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate

12a
GET /api/secret/danger() HTTP/1.1
Host: mycompany-frontend.cfapps.eu20-001.hana.ondemand.com
Cookie: JSESSIONID=
mysession
x=1
0

In most cases it returns the "/api/notsosecret/myfunction()" response but sometimes also the "/api/secret/danger()" response.

Is it possible to avoid this request smuggling just by checking requests in the CAP application? Since the request is redirected by the approuter, most of the information is stripped away.

Is it possible to configure the approuter so that it does not accept requests that contain both "content-length" and "transfer-encoding: chunked" headers?

At the moment we are just using the approuter as a one-liner without any configuration:

"scripts": {
  "start": "node node_modules/@sap/approuter/approuter.js"
},
"dependencies": {
  "@sap/approuter": "~14.1.2"
}
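The following is an added example, not code from the question, from SAP or from @sap/approuter. It shows the application-side check the question asks about: a Node.js middleware in the `(req, res, next)` shape used by Express (the @sap/approuter README documents a `beforeRequestHandler` extension hook with the same shape; that the hook runs before the router's own framing decision is an assumption to verify against the approuter version in use). The check rejects a request whose message framing is ambiguous, which covers the header pattern of the request quoted above: `Content-Length` and `Transfer-Encoding` present together, `Connection: transfer-encoding` trying to have the framing header dropped as hop-by-hop, and, going slightly beyond the quoted request, duplicated `Content-Length` or a `Transfer-Encoding` list that does not end in `chunked`. The sample header map is constructed from the request in the question.

```javascript
// Added example (not from the question, not @sap/approuter code): reject HTTP requests whose
// body framing is ambiguous. RFC 7230 section 3.3.3 says a message carrying both Content-Length
// and Transfer-Encoding may be an attempt at request smuggling; a server MAY close it as an error.

const FRAMING_REASONS = Object.freeze({
  BOTH: 'content-length and transfer-encoding both present',
  TE_NOT_CHUNKED_LAST: 'transfer-encoding present but chunked is not the final coding',
  TE_HOP_BY_HOP: 'connection header lists transfer-encoding as hop-by-hop',
  BAD_CL: 'content-length is not a single non-negative integer',
});

// Normalise a raw header map to lowercase names with every value as an array (constructed helper).
// Node's http module already lowercases names and joins repeated transfer-encoding values with ', '.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.trim().toLowerCase();
    const values = Array.isArray(value) ? value.map(String) : [String(value)];
    out[key] = (out[key] || []).concat(values);
  }
  return out;
}

// Returns null when the framing is unambiguous, otherwise one of FRAMING_REASONS.
function framingProblem(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const splitList = (values) => values.flatMap(v => v.split(',')).map(s => s.trim().toLowerCase()).filter(Boolean);
  const te = splitList(h['transfer-encoding'] || []);
  const cl = h['content-length'] || [];
  const conn = splitList(h['connection'] || []);

  if (cl.length > 0 && te.length > 0) return FRAMING_REASONS.BOTH;
  if (conn.includes('transfer-encoding')) return FRAMING_REASONS.TE_HOP_BY_HOP;
  if (te.length > 0 && te[te.length - 1] !== 'chunked') return FRAMING_REASONS.TE_NOT_CHUNKED_LAST;
  if (cl.length > 1 || (cl.length === 1 && !/^\d+$/.test(cl[0].trim()))) return FRAMING_REASONS.BAD_CL;
  return null;
}

// Middleware: answer 400 and close the connection instead of forwarding an ambiguous request.
// Closing matters because the byte stream on a desynced connection cannot be trusted any further.
function rejectAmbiguousFraming(req, res, next) {
  const reason = framingProblem(req.headers);
  if (reason === null) return next();
  res.statusCode = 400;
  res.setHeader('Connection', 'close');
  res.setHeader('Content-Type', 'text/plain');
  res.end('Bad Request: ' + reason);
}

// Constructed sample: the header block of the request quoted in the question.
const SAMPLE_SMUGGLING_HEADERS = {
  'Host': 'mycompany-frontend.cfapps.eu20-001.hana.ondemand.com',
  'Content-Length': '5',
  'Transfer-Encoding': 'chunked',
  'Cookie': 'JSESSIONID=mysession',
  'Connection': 'transfer-encoding',
  'Content-Type': 'application/x-www-form-urlencoded',
  'Accept-Encoding': 'gzip, deflate',
};

// Drives the middleware with a fake req/res so the decision can be inspected without a server.
function simulate(headers) {
  const res = {
    statusCode: 200, headers: {}, body: '',
    setHeader(k, v) { this.headers[k.toLowerCase()] = v; },
    end(b) { this.body = b || ''; },
  };
  let passed = false;
  rejectAmbiguousFraming({ headers }, res, () => { passed = true; });
  return { passed, status: passed ? null : res.statusCode, body: res.body };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulate(SAMPLE_SMUGGLING_HEADERS));          // { passed: false, status: 400, ... }
  console.log(simulate({ host: 'x', 'content-length': '0' })); // { passed: true, status: null, ... }
}
```

Two caveats for reading the result of such a check. First, it is defence in depth, not proof of absence: the smuggled second request in the question reaches the backend only because a front-end component and the backend framed the same bytes differently, and once that split has happened the backend sees the smuggled request as an ordinary, clean request with no conflicting headers for this middleware to notice. The decisive fix is for every hop (the platform router, the approuter and the CAP service) to apply the same framing rule or to refuse the ambiguous message. Second, recent Node.js releases already refuse a request carrying both headers in the built-in parser (the error surfaces as a parse error rather than as a request the middleware sees), so the check above mostly adds value for the obfuscated variants and for logging: logging the reason string gives the security team a concrete signal to search for in the approuter and backend logs.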