[saag] fwd: HTTP Desync Attacks: Request Smuggling Reborn
Yakov Shafranovich <yakov@nightwatchcybersecurity.com> Fri, 09 August 2019 19:34 UTC
From: Yakov Shafranovich <yakov@nightwatchcybersecurity.com>
Date: Fri, 09 Aug 2019 15:33:59 -0400
Message-ID: <CAAyEnSNWxDBSh1TJ9LLZzXoZRxXg7QxxCDNRrrYxCz-qiY3NTQ@mail.gmail.com>
To: Security Area Advisory Group <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/sDEMkq5ib0fK6KqUzkGJYOB3vxI>
Subject: [saag] fwd: HTTP Desync Attacks: Request Smuggling Reborn
Abstract: "HTTP requests are traditionally viewed as isolated, standalone entities. In this paper, I'll explore forgotten techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $70k in bug bounties."

There were presentations at BlackHat and DefCon. Details here:
https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn

The attack seems to be focused on "Transfer-Encoding: chunked" and "Content-Length" in HTTP. The author blames the design of HTTP/1.1:
https://news.ycombinator.com/item?id=20641061

It seems RFC 7230 already addresses this very case:
https://tools.ietf.org/html/rfc7230#section-3.3.3

"If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 9.5) or response splitting (Section 9.4) and ought to be handled as an error. A sender MUST remove the received Content-Length field prior to forwarding such a message downstream."

Thanks
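Editor's added example, not part of the forwarded message or of the PortSwigger paper: a minimal HTTP/1.1 request splitter whose framing policy can be switched between "Content-Length wins" (a naive front-end), "Transfer-Encoding wins" (the RFC 7230 section 3.3.3 precedence rule) and "reject when both are present" (the "ought to be handled as an error" reading quoted above). Running one constructed byte stream through the first two policies shows the two parsers falling out of step, which is the CL.TE desync the paper describes; the third policy refuses the message, and a small helper applies the sender-side MUST to strip Content-Length before forwarding. The host name, path and payload bytes are made up for the demonstration.

```python
# Added example (not from the post or the PortSwigger paper): HTTP/1.1 request
# framing under three policies, to show the CL.TE desync and the RFC 7230
# 3.3.3 rules that close it. Hosts, paths and payload bytes are constructed.
CRLF = b"\r\n"

class FramingError(ValueError):
    """Raised when a message's length cannot be determined unambiguously."""

def parse_head(stream, pos):
    """Return (request_line, headers, body_start) for the request at `pos`.
    Header names are lower-cased and map to lists so duplicates stay visible."""
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        raise FramingError("incomplete request head")
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise FramingError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, end + 4

def chunked_length(stream, start):
    """Bytes occupied by a chunked body: chunks, last-chunk and trailer section."""
    pos = start
    while True:
        eol = stream.find(CRLF, pos)
        if eol < 0:
            raise FramingError("incomplete chunk-size line")
        try:
            size = int(stream[pos:eol].split(b";")[0].strip(), 16)
        except ValueError:
            raise FramingError("invalid chunk size")
        pos = eol + 2
        if size == 0:  # trailer section: header lines until an empty line
            while True:
                eol = stream.find(CRLF, pos)
                if eol < 0:
                    raise FramingError("incomplete trailer section")
                empty = eol == pos
                pos = eol + 2
                if empty:
                    return pos - start
        if stream[pos + size:pos + size + 2] != CRLF:
            raise FramingError("chunk data truncated or not CRLF-terminated")
        pos += size + 2

def body_length(stream, headers, body_start, mode):
    """Body length under one policy:
    'cl'     Content-Length wins whenever present (naive front-end)
    'te'     Transfer-Encoding overrides Content-Length (RFC 7230 3.3.3)
    'strict' reject a message carrying both, as the same section suggests"""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te and cl and mode == "strict":
        raise FramingError("Transfer-Encoding and Content-Length both present")
    if te and not (cl and mode == "cl"):
        if te[-1].split(",")[-1].strip().lower() != "chunked":
            raise FramingError("chunked is not the final transfer coding")
        return chunked_length(stream, body_start)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError("invalid or conflicting Content-Length")
        return int(cl[0])
    return 0

def split_requests(stream, mode):
    """Split one connection's bytes into (request_line, raw_body) pairs."""
    requests, pos = [], 0
    while pos < len(stream):
        request_line, headers, body_start = parse_head(stream, pos)
        length = body_length(stream, headers, body_start, mode)
        if body_start + length > len(stream):
            raise FramingError("body truncated")
        requests.append((request_line, stream[body_start:body_start + length]))
        pos = body_start + length
    return requests

def is_rejected(stream, mode):
    """True if the policy refuses to frame the stream at all."""
    try:
        split_requests(stream, mode)
    except FramingError:
        return True
    return False

def sanitize_for_forwarding(head):
    """RFC 7230 3.3.3 sender rule: with Transfer-Encoding present, drop every
    Content-Length line before the head is forwarded downstream."""
    lines = head.split(CRLF)
    if not any(h.lower().startswith(b"transfer-encoding:") for h in lines):
        return head
    return CRLF.join(h for h in lines if not h.lower().startswith(b"content-length:"))

# Constructed CL.TE payload: a 6-byte body by Content-Length, but an empty
# chunked body plus a stray "G" by Transfer-Encoding.
SMUGGLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
# The next user's request on the same reused back-end connection.
VICTIM = b"GET /account HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = SMUGGLE + VICTIM
```

With `split_requests(STREAM, "cl")` the front-end sees two clean requests, `POST /` with the six-byte body and `GET /account`; with `split_requests(STREAM, "te")` the back-end consumes only the empty chunked body, so the leftover `G` is prepended to the next request and it parses as `GGET /account HTTP/1.1`. `is_rejected(STREAM, "strict")` is true, and `sanitize_for_forwarding` on the first head removes the `Content-Length: 6` line while leaving `Transfer-Encoding: chunked` in place.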