HTTP Request Smuggling (ADV200008) and IIS Reverse Proxy

Biras, Shahar 1 Reputation point
2021-08-02T13:52:46.69+00:00

I have few questions about HTTP request smuggling (ADV200008):

From reading through the internet, I understood that in order to exploit HTTP request smuggling vulnerability, your setup will must be comprised of a frontend device (load balancer, reverse proxy) and a backend web server.

  1. Is IIS Reverse Proxy working with IIS web server in the backend susceptible to this attack?
  2. ADV200008 suggests to add this registry value in the IIS web server - DisableRequestSmuggling. What is the impact of enabling this filter? Should I simply do on all of my servers or it may have some bad impact?
Internet Information Services
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Sam Wu-MSFT 7,046 Reputation points Microsoft Vendor
    2021-08-03T02:51:05.96+00:00

    Hi @Biras, Shahar

    Is IIS Reverse Proxy working with IIS web server in the backend susceptible to this attack?

    No, microsoft recommends that administrators review front-end environmental configurations, and if necessary, enable the request smuggling filter. Testing is required to determine that front-end load balancers and proxies do not forward malformed requests; these requests will be rejected when the filter is enabled, and may disrupt communications.

    ADV200008 suggests to add this registry value in the IIS web server - DisableRequestSmuggling. What is the impact of enabling this filter? Should I simply do on all of my servers or it may have some bad impact?

    literal meaning, If you enable this filter, it means disable Request Smuggling. you should decide whether to enable all according to your needs.


    If the answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.