I received a Burp scan result for my Rails app (hosted on Heroku) that indicates that the server is vulnerable to client-side desync attacks. The scan report reads as follows:
The server appears to be vulnerable to client-side desync attacks. A POST request was sent to the path '/get_started' with a second request sent as the body. The server ignored the Content-Length header and did not close the connection, leading to the smuggled request being interpreted as the next request.
The proposed remediation is as follows:
You can resolve this vulnerability by patching the server so that it either processes POST requests correctly, or closes the connection after handling them. You could also disable connection reuse entirely, but this may reduce performance. You can also resolve this issue by enabling HTTP/2.
I opted for the solution of closing the connection after handling each request so that connections are not reused. I tried this with the middleware below, registered from a config file:
    # Rack middleware: ask the client to close the connection after POST requests
    class CloseConnectionMiddleware
      def initialize(app)
        @app = app
      end

      def call(env)
        if env['REQUEST_METHOD'] == 'POST'
          status, headers, body = @app.call(env)
          # Disable keep-alive for this response.
          # Note: Rack 3 requires lowercase header names ('connection').
          headers['Connection'] = 'close'
          [status, headers, body]
        else
          @app.call(env)
        end
      end
    end

    # Register it early in the stack so the header reaches the server
    Rails.application.config.middleware.insert_before Rack::Sendfile, CloseConnectionMiddleware
The above seems to work in development but not in production (Heroku), and I am stuck on finding a solution. I am looking for a solution that fits any of the options proposed in the report: closing the connection after handling the requests, disabling connection reuse entirely, or enabling HTTP/2 in Rails.
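The following is an added example, not the poster's code, showing the "close the connection after POST" remediation as a self-contained Rack middleware that can be exercised without a server. It goes a little beyond the middleware above: it matches the header-name convention the application already uses (Rack 3 requires lowercase names, Rack 2 apps usually emit `Connection`), it does not mutate a header hash the app may have frozen or shared, and it includes a small `closes_connection?` helper you can use in a unit test to confirm the header is actually present on POST responses and absent on GET responses. It assumes the app runs on a server that honours a `Connection: close` response header (Puma does); the sample `env` hashes and the `/get_started` path are constructed for the demonstration.

```ruby
require 'stringio'

# Added example (not the poster's code): Rack middleware that disables
# connection reuse after state-changing requests by sending
# "Connection: close". Works with Rack 2 (mixed-case) and Rack 3
# (lowercase) response header conventions.
class CloseConnectionMiddleware
  DEFAULT_METHODS = %w[POST PUT PATCH DELETE].freeze

  def initialize(app, methods: DEFAULT_METHODS)
    @app = app
    @methods = methods
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless @methods.include?(env['REQUEST_METHOD'])

    headers = headers.dup # never mutate a hash the app may have frozen or shared
    headers.delete_if { |k, _| k.to_s.casecmp?('connection') }
    headers[connection_key(headers)] = 'close'
    [status, headers, body]
  end

  private

  # Rack 3 mandates lowercase header names; Rack 2 apps typically emit
  # canonical case. Follow whatever convention the response already uses.
  def connection_key(headers)
    headers.keys.any? { |k| k.to_s.match?(/[A-Z]/) } ? 'Connection' : 'connection'
  end
end

# Test helper: true when a response header hash will end keep-alive.
def closes_connection?(headers)
  headers.any? { |k, v| k.to_s.casecmp?('connection') && v.to_s.casecmp?('close') }
end

# Drive the middleware with constructed Rack envs (no real server involved)
# and report what a POST and a GET to the app would get back.
def demo
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  mw  = CloseConnectionMiddleware.new(app)

  post_env = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/get_started',
               'rack.input' => StringIO.new('') }
  get_env  = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/',
               'rack.input' => StringIO.new('') }

  _, post_headers, _ = mw.call(post_env)
  _, get_headers,  _ = mw.call(get_env)
  { post: closes_connection?(post_headers), get: closes_connection?(get_headers) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__ # => {:post=>true, :get=>false}
```

To check the behaviour against a deployed app rather than in a unit test, send a POST with a body to the path from the scan report and look for `Connection: close` in the response headers (for example with `curl -sv -X POST -d '' https://your-app.example/get_started`); if the header the middleware adds does not appear in production, whatever terminates client connections in front of the dyno is not passing it through, and the remediation has to happen at that layer instead.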