
[WEB SECURITY] A new whitepaper by Watchfire - HTTP Request Smuggling



Hello,

Today, Watchfire released a new whitepaper, titled "HTTP Request
Smuggling". The full paper can be found in the following link:
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf

The paper's abstract is copied below:

"We describe a new web entity attack technique - "HTTP Request
Smuggling". The attack technique and the derived attacks are relevant to
most web environments and are the result of an HTTP server or device's
failure to properly handle malformed inbound HTTP requests. HTTP Request
Smuggling works by taking advantage of the discrepancies in parsing when
one or more HTTP devices/entities (e.g. Cache Server, Proxy Server, Web
Application Firewall, etc.) are in the data flow between the user and
the web server. HTTP Request Smuggling enables various attacks - web
cache poisoning, session hijacking, cross-site scripting and, most
seriously, the ability to bypass web application firewall protection. HTTP
Request Smuggling sends multiple specially-crafted HTTP requests that
cause the two attacked entities to see two different sets of requests,
allowing the hacker to smuggle a request to one device without the other
device being aware of it. In the Web Cache poisoning attack, this
smuggled request will trick the cache server into unintendedly
associating a URL to another URL's page (content), and caching this
content for the URL. In the Web Application Firewall attack the smuggled
request could be a worm (like Nimda or Code Red) or buffer overflow
attack targeting the web server. Finally, because HTTP Request Smuggling
enables the attacker to insert or sneak a request into the flow it
allows the attacker to manipulate the web server's request/response
sequencing which can allow for credential hijacking and other malicious
outcomes."

Thank you,

Ory Segal
Director of Security Research
Watchfire (Israel) LTD.
Tel: +972-9-9586077, Ext.236
Mobile: +972-54-7739359
e-mail: osegal at watchfire.com
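
Added example (not part of the original message or the Watchfire paper): the abstract attributes smuggling to HTTP devices parsing the same malformed request differently. The check below goes beyond the abstract by naming concrete header conditions from the HTTP/1.1 message-framing rules, and shows how a front end can refuse requests whose body length is ambiguous; all function names and sample requests are constructed for illustration.

```python
# Added example: framing-ambiguity check for a raw HTTP/1.1 request head.
# Function names and sample requests are constructed for illustration.

def parse_headers(raw: bytes):
    """Split a request head into (name, value) pairs, keeping duplicates."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:      # [0] is the request line
        name, _, value = line.partition(b":")
        pairs.append((name, value.strip()))
    return pairs

def length_views(raw: bytes):
    """Body length as read by a first-wins parser and by a last-wins parser."""
    vals = [v for n, v in parse_headers(raw)
            if n.strip().lower() == b"content-length"]
    return (vals[0], vals[-1]) if vals else (None, None)

def framing_findings(raw: bytes):
    """Reasons a strict front end should refuse the request (empty = accept)."""
    findings, lengths, has_te = [], [], False
    for name, value in parse_headers(raw):
        if not name or name != name.strip():
            findings.append("malformed header name")
        key = name.strip().lower()
        if key == b"content-length":
            lengths.append(value)
        elif key == b"transfer-encoding":
            has_te = True
    if any(not v.isdigit() for v in lengths):
        findings.append("non-numeric Content-Length")
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length values")
    if lengths and has_te:
        findings.append("Content-Length together with Transfer-Encoding")
    return findings

# Constructed samples (request heads only, no bodies).
CLEAN = b"POST /form HTTP/1.1\r\nHost: example.test\r\nContent-Length: 12\r\n\r\n"
DOUBLE_CL = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 0\r\nContent-Length: 44\r\n\r\n")
CL_AND_TE = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("double CL", DOUBLE_CL),
                       ("CL+TE", CL_AND_TE)]:
        print(label, length_views(req), framing_findings(req))
```

When the two values returned by length_views differ, two devices in the same data flow can disagree about where the request ends, which is the discrepancy the abstract describes; rejecting such requests at the first hop removes the ambiguity.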



Brought to you by http://www.webappsec.org