
Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying a harmful HTTP request inside a seemingly legitimate one.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP requests to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could make a caching proxy serve an attacker-chosen page in place of a legitimate one, or sneak a malicious request past a firewall or filter that inspects HTTP traffic, because the filter and the server behind it disagree about where one request ends and the next begins.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending a request containing two "Content-Length" headers instead of one. The researchers found that different web programs react differently to the duplicate: some honour the first header and ignore the second, while others discard the first and use the second. When a proxy and the server behind it pick different headers, they read different body lengths, so the bytes one of them treats as the body of a harmless request are parsed by the other as a second, hidden request.
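The double Content-Length discrepancy described above, as an added illustration (this is not code from the Watchfire paper or from any product it names): a deliberately lenient request parser that can be told to honour either the first or the last Content-Length header, fed one constructed byte stream. The host name, paths and the "first"/"last"/"strict" policy names are assumptions chosen for the example. The "strict" policy shows the remedy the article calls for, rejecting a request whose duplicate headers disagree rather than guessing.

```python
"""HTTP Request Smuggling via duplicate Content-Length headers (illustrative)."""
from typing import Dict, List


def parse_requests(stream: bytes, policy: str) -> List[Dict[str, object]]:
    """Split a raw byte stream into HTTP/1.1 requests.

    policy: "first"  -> honour the first Content-Length header (lenient)
            "last"   -> honour the last Content-Length header (lenient)
            "strict" -> reject the request if duplicate headers disagree
    Only the framing logic needed to show the discrepancy is implemented;
    chunked encoding and other header handling are out of scope here.
    """
    requests: List[Dict[str, object]] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            raise ValueError("incomplete header block")
        head = stream[pos:end].decode("ascii")
        lines = head.split("\r\n")
        method, path, _version = lines[0].split(" ", 2)

        # Collect every Content-Length value, in the order it appears.
        lengths = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                lengths.append(int(value.strip()))

        if not lengths:
            body_len = 0
        elif policy == "first":
            body_len = lengths[0]
        elif policy == "last":
            body_len = lengths[-1]
        elif policy == "strict":
            if len(set(lengths)) > 1:
                raise ValueError("conflicting Content-Length headers")
            body_len = lengths[0]
        else:
            raise ValueError("unknown policy: %s" % policy)

        body_start = end + 4
        body = stream[body_start:body_start + body_len]
        if len(body) < body_len:
            raise ValueError("truncated body")
        requests.append({"method": method, "path": path, "body": body})
        pos = body_start + body_len
    return requests


# Constructed attacker traffic: an innocuous-looking POST whose two
# Content-Length headers disagree, followed by the request to be smuggled.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
CRAFTED = (
    b"POST /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 0\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(SMUGGLED)
    + SMUGGLED
)


def paths_seen(policy: str) -> List[str]:
    """Request paths that a parser with the given policy extracts from CRAFTED."""
    return [str(r["path"]) for r in parse_requests(CRAFTED, policy)]


def strict_rejects() -> bool:
    """True if the strict parser refuses the crafted stream outright."""
    try:
        parse_requests(CRAFTED, "strict")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A device honouring the last header sees one request with a 46-byte body;
    # one honouring the first sees two, the second being GET /admin.
    print("last-wins parser sees :", paths_seen("last"))
    print("first-wins parser sees:", paths_seen("first"))
    print("strict parser rejects :", strict_rejects())
```

If an inspecting proxy uses the "last" policy it forwards what it believes is a single POST to /index.html, so it never evaluates GET /admin against its rules; a server behind it using the "first" policy then executes that GET as a second request. Swapping which side uses which policy changes the mechanics but not the outcome: any disagreement about framing lets bytes cross the boundary unexamined, which is why the strict behaviour is the only safe one.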

Laurie expects HTTP smuggling to be exploited by hackers before long, and says the only sure way to counteract the threat is to follow the HTTP specification strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

