CWE-444 Inconsistent Interpretation of HTTP Requests
What this means
SiteShadow flagged a risk where different components in your request path (CDN/WAF/reverse proxy/load balancer/app server) may parse the "same" HTTP request differently. That mismatch can let attackers smuggle or disguise requests.
Why it matters
Inconsistent parsing can allow request smuggling or bypasses.
- Request smuggling: a proxy and backend disagree on where one request ends and the next begins (often involving Content-Length/Transfer-Encoding).
- Auth bypass: security controls see a different path/host than the backend uses.
- Cache poisoning: caches store/serve responses under the wrong key.
Safer examples
1) Normalize and validate at the edge
Reject ambiguous requests (duplicate headers, multiple Content-Length, weird Transfer-Encoding, invalid whitespace).
2) Align proxy and backend parsing rules
Keep proxy/WAF and app server versions/configs aligned; enable strict request parsing modes where available.
3) Avoid complex routing based on raw headers
Prefer routing decisions based on server-side configuration; treat X-Forwarded-* headers as untrusted unless your own infrastructure sets them and strips client-supplied copies (related: CWE-346 style origin-validation risks).
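The three steps above come down to one rule: an edge component must refuse any request head it cannot frame unambiguously. The following is an added example, not SiteShadow's code or any vendor's, showing what such a check looks like and why it matters. It parses a raw HTTP/1.1 request head with strict rules (CRLF only, no whitespace before the colon, RFC 9110 token names), then flags the framing ambiguities from step 1 (duplicate or non-numeric Content-Length, Content-Length together with Transfer-Encoding, any Transfer-Encoding other than exactly `chunked`, Host count other than one). Two toy framers then split the same constructed CL.TE request the way a Content-Length-only component and a chunked-only component would, so the disagreement that smuggling exploits is visible. The rejection policy is deliberately stricter than the RFC 9112 minimums and is an assumption of this example; the request bytes are constructed for the demo.

```python
"""Added example, not SiteShadow's code: a strict HTTP/1.1 request-head check
for CWE-444 ambiguities, plus two toy framers showing why they matter.
All requests below are constructed for the demo."""
import re

# RFC 9110 token: what a header field name may contain. A space before the
# colon, a control byte or a non-ASCII byte in the name fails this check.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_head(raw: bytes):
    """Return (request_line, [(lowercase_name, value), ...]) or raise
    ValueError for framing a strict parser should refuse outright."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF head terminator")
    lines = head.split(b"\r\n")
    if any(b"\n" in ln or b"\r" in ln for ln in lines):
        raise ValueError("bare CR or LF inside the head")
    request_line = lines[0].decode("ascii")  # UnicodeDecodeError is a ValueError
    headers = []
    for ln in lines[1:]:
        if ln[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding")
        name, colon, value = ln.partition(b":")
        if not colon:
            raise ValueError("header line without a colon")
        name = name.decode("latin-1")
        if not _TOKEN_RE.match(name):
            raise ValueError(f"invalid header name {name!r}")
        headers.append((name.lower(), value.strip(b" \t").decode("latin-1")))
    return request_line, headers


def ambiguities(headers) -> list[str]:
    """Reasons an edge should reject a well-formed head. Deliberately stricter
    than RFC 9112 minimums (policy assumed here): duplicates, CL+TE and any
    Transfer-Encoding other than exactly 'chunked' are rejected, not repaired."""
    reasons = []
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if sum(n == "host" for n, _ in headers) != 1:
        reasons.append("Host header count is not exactly one")
    if len(cls) > 1:
        reasons.append("multiple Content-Length headers")
    if any(not re.fullmatch(r"[0-9]+", v) for v in cls):
        reasons.append("non-numeric Content-Length")
    if cls and tes:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if any([c.strip(" \t") for c in te.split(",")] != ["chunked"] for te in tes):
        reasons.append("unexpected Transfer-Encoding value")
    return reasons


def check_request(raw: bytes) -> list[str]:
    """Empty list means unambiguous; anything else is a reason to reject."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return [f"malformed head: {exc}"]
    return ambiguities(headers)


def split_by_content_length(raw: bytes):
    """Frame one request as a Content-Length-only parser would; return
    (request, leftover), leftover being that parser's 'next request'."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    _, headers = parse_head(raw)
    n = int(next(v for k, v in headers if k == "content-length"))
    return head + b"\r\n\r\n" + rest[:n], rest[n:]


def split_by_chunked(raw: bytes):
    """Frame one request as a Transfer-Encoding: chunked parser would
    (no trailers: the zero-size chunk plus its CRLF ends the body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    pos = 0
    while True:
        line_end = rest.index(b"\r\n", pos)
        size = int(rest[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2 + size + 2  # size line CRLF, chunk data, data CRLF
        if size == 0:
            return head + b"\r\n\r\n" + rest[:pos], rest[pos:]


# Constructed requests. CLEAN is unambiguous. SMUGGLED is the classic CL.TE
# shape: 13 body bytes by Content-Length, but only "0\r\n\r\n" by chunked framing.
CLEAN = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
SMUGGLED = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
            b"0\r\n\r\nSMUGGLED")

if __name__ == "__main__":
    print("clean    ->", check_request(CLEAN))
    print("smuggled ->", check_request(SMUGGLED))
    print("CL parser leaves", split_by_content_length(SMUGGLED)[1],
          "| chunked parser leaves", split_by_chunked(SMUGGLED)[1])
```

Run stand-alone, the script shows the point of step 1: `check_request(SMUGGLED)` rejects the request for carrying both length indicators, and if it were let through, the Content-Length framer would consume the whole message as one request while the chunked framer would stop after `0\r\n\r\n` and treat `SMUGGLED` as the beginning of the next request on the connection. That leftover is exactly the prefix an attacker uses to desynchronize a proxy from its backend. A real edge would apply the same checks in the proxy's strict-parsing mode (step 2) rather than in application code, and would not route on any header it has not itself set (step 3).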
How SiteShadow detects it (high level)
- Looks for code and config patterns that rely on ambiguous request parsing (forwarded headers, raw HTTP parsing, conflicting length/encoding handling).
- Flags patterns commonly associated with smuggling/bypass primitives.
References
- CWE-444: https://cwe.mitre.org/data/definitions/444.html