Protocol Exploitation
Protocol Exploitation involves manipulating application and network protocols to inject malicious content into legitimate data streams, enabling attackers to gain unauthorized access to systems. This is a Content Injection sub-technique within the Gain Access phase: attackers leverage protocol-specific vulnerabilities or design limitations to insert commands, payloads, or data that the application interprets as trusted content. This may include exploiting HTTP request smuggling, XML External Entity (XXE) injection, Server-Side Request Forgery (SSRF), or protocol downgrade attacks that force applications onto insecure legacy protocols with known weaknesses. By targeting the parsing and processing mechanisms of various protocols (HTTP, SMTP, FTP, etc.), attackers can bypass security controls, manipulate application behavior, or trigger unintended actions that compromise the application's security boundaries, ultimately establishing a foothold within the target system.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1050 | Exploit Protection | Upgrade to protocol versions resistant to smuggling (HTTP/2 with ALPN); validate headers at the load balancer layer. |
| M1040 | Behavior Prevention on Endpoint | Enable deep packet inspection WAF rules that normalise line endings and reject overlapping chunk lengths. |
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0029 | Network Traffic Content | Flag malformed headers (duplicate Content-Length, mixed CRLF) and chunk-size mismatches detected by the reverse proxy. |
| DS0015 | Application Log | Monitor 400/502 errors linked to malformed request parsing, which are often by-products of failed smuggling attempts. |
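The header validation in the mitigation table and the anomaly flags in the detection table above amount to the same set of checks applied at a proxy or WAF. The following is an added example, not code from the original page or from any product it names: a small validator that takes one raw HTTP/1.1 request and returns tags for duplicate Content-Length headers, Content-Length combined with Transfer-Encoding, mixed CRLF/LF line endings, chunk sizes that disagree with the chunk data, and bytes left over after the terminating chunk. The function names and the sample requests are my own constructions.

```python
# Added example (not from the original page): a request validator that
# applies the header and chunk checks named in the mitigation and
# detection rows above. All sample requests below are constructed.
import re

CRLF = b"\r\n"
# header-field name token followed by a colon (RFC 9110 token characters)
TOKEN_COLON = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")


def split_head_body(raw: bytes):
    """Split at the first blank line; accept CRLF or bare LF so that
    mixed-ending requests are inspected rather than silently dropped."""
    m = re.search(rb"\r\n\r\n|\n\n", raw)
    if not m:
        return raw, b""
    return raw[:m.start()], raw[m.end():]


def parse_headers(head: bytes):
    """Return (lowercased name, value) pairs, keeping duplicates so they can be flagged."""
    headers = []
    for line in re.split(rb"\r\n|\n", head)[1:]:  # element 0 is the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            headers.append((b"<malformed>", line))
        else:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def validate_chunked_body(body: bytes):
    """Walk a chunked body and report declared sizes that do not match the
    data, missing terminators, and bytes left over after the final chunk."""
    findings = []
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end == -1:
            return findings + ["chunk_size_line_missing"]
        size_field = body[pos:end].split(b";")[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            return findings + ["chunk_size_not_hex"]
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != CRLF:
            return findings + ["chunk_size_mismatch"]  # declared length != data
        pos += size + 2
    rest = body[pos:]
    lines = rest.split(CRLF)
    if not rest or b"" not in lines:
        return findings + ["chunked_body_unterminated"]
    blank = lines.index(b"")  # trailers end at the first empty line
    if any(not TOKEN_COLON.match(l) for l in lines[:blank]):
        findings.append("invalid_trailer_line")
    if b"".join(lines[blank + 1:]):
        findings.append("data_after_final_chunk")  # stray bytes past the body
    return findings


def inspect_request(raw: bytes):
    """Return anomaly tags for one raw HTTP/1.1 request; an empty list means clean."""
    findings = []
    if CRLF in raw and re.search(rb"(?<!\r)\n", raw):
        findings.append("mixed_line_endings")
    head, body = split_head_body(raw)
    headers = parse_headers(head)
    if any(name == b"<malformed>" for name, _ in headers):
        findings.append("malformed_header_line")
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if len(cl) > 1:
        findings.append("duplicate_content_length")
    if any(not v.isdigit() for v in cl):
        findings.append("content_length_not_numeric")
    if cl and te:
        findings.append("content_length_with_transfer_encoding")
    if te:
        if any(v.lower() != b"chunked" for v in te):
            findings.append("nonstandard_transfer_encoding")
        findings.extend(validate_chunked_body(body))
    elif cl and cl[0].isdigit() and int(cl[0]) != len(body):
        findings.append("content_length_body_mismatch")
    return findings


# constructed sample requests (not captured traffic)
CLEAN = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
DUP_CL = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 11\r\n\r\nhello"
CL_TE = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nX"
MIXED = b"POST / HTTP/1.1\r\nHost: app.example\nContent-Length: 0\r\n\r\n"
BAD_CHUNK = b"POST / HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhelloworld\r\n0\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("dup_cl", DUP_CL), ("cl_te", CL_TE),
                       ("mixed", MIXED), ("bad_chunk", BAD_CHUNK)]:
        print(f"{label:10s} {inspect_request(req)}")
```

Each tag corresponds to one row in the tables: the header tags feed the DS0029 style of network-content alert, and a request that trips any of them is exactly the kind a load balancer configured per M1050 should reject before forwarding. The chunk walk is deliberately strict and stops at the first inconsistency, since a proxy that tries to resynchronise after a bad chunk is what makes front-end and back-end parsers disagree in the first place.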