Data 'smuggling' opens websites to attack

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long, and says the only sure way to counteract the threat is to follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."
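
The duplicate content-length disagreement described above can be modelled in a few lines, alongside the strict check that removes the ambiguity. This is an added example, not code from the researchers' paper or the original article; the header block is constructed and the function names are hypothetical.

```python
from typing import List, Optional, Tuple

# Constructed sample: header block with two conflicting Content-Length fields.
SAMPLE_HEAD = (
    b"POST /form HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
)

def content_lengths(head: bytes) -> List[str]:
    """Collect every Content-Length value in the header block, in order."""
    values: List[str] = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if not line:                          # blank line ends the headers
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            # One field may itself hold a comma-separated list of values.
            values += [v.strip().decode("latin-1") for v in value.split(b",")]
    return values

def lenient_length(head: bytes, use_first: bool) -> Optional[int]:
    """Model a tolerant parser that silently keeps the first or the last value."""
    values = content_lengths(head)
    if not values:
        return None
    return int(values[0] if use_first else values[-1])

def strict_check(head: bytes) -> Tuple[bool, str]:
    """Accept only unambiguous framing; anything else should be rejected."""
    values = content_lengths(head)
    if any(not (v.isascii() and v.isdigit()) for v in values):
        return False, "invalid Content-Length value"
    if len(set(values)) > 1:
        return False, "conflicting Content-Length values: " + ", ".join(values)
    return True, "ok"

if __name__ == "__main__":
    print("first-wins parser sees body length:", lenient_length(SAMPLE_HEAD, True))
    print("last-wins parser sees body length: ", lenient_length(SAMPLE_HEAD, False))
    print("strict check:", strict_check(SAMPLE_HEAD))
```

Two devices in the same request path that pick different values disagree on where the request ends; a front end that applies the strict check rejects the message before that disagreement can arise.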
