Language Selection

English French German Italian Portuguese Spanish

Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long and that the only sure way to counteract the threat is to carefully follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.

More in Tux Machines

SUSE Chasing Partners

Asian Penguins turn failed program into a Linux success

The Community School of Excellence (CSE) Asian Penguins are the world's first and only Linux user group based in a Hmong charter school. A failed Windows laptop program at the school was turned by the Asian Penguins into a Linux success. Stu Keroff is the technology coordinator at the Community School of Excellence, a middle school located in St. Paul, Minnesota. He is a licensed elementary education and middle school social studies teacher, and a long-time Linux enthusiast. Stu founded and advises the Asian Penguins. Read more

Testing The BCache SSD Cache For HDDs On Linux 4.8

It has been over one year since last testing the mainline Linux kernel's BCache support for this block cache that allows solid-state drives to act as a cache for slower hard disk drives. Here are some fresh benchmarks of a SATA 3.0 SSD+HDD with BCache from the Linux 4.8 Git kernel. Read more

Debian Project mourns the loss of Kristoffer H. Rose

Kristoffer was a Debian contributor from the very early days of the project, and the upstream author of several packages that are still in the Debian archive nowadays, such as the LaTeX package Xy-pic and FlexML. On his return to the project after several years' absence, many of us had the pleasure of meeting Kristoffer during DebConf15 in Heidelberg. Read more