
Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending a request that contains multiple "Content-Length" headers instead of just one. The researchers found that including two Content-Length headers causes different web programs to react differently: some process the first header and ignore the second, while others discard the first and go straight to the next one.
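To make the discrepancy concrete, here is an added example (not code from the Watchfire paper) that frames one constructed request under the two lenient policies the article mentions and shows that they disagree about where the body ends, beside a strict parser that rejects conflicting Content-Length values instead of guessing; the sample request and host name are constructed for the example.

```python
# Two lenient framing policies for a request carrying duplicate
# Content-Length headers, next to a strict parser that rejects the ambiguity.

def _content_lengths(head):
    """Return every Content-Length value (as int) found in a header block."""
    lengths = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            lengths.append(int(value.strip()))
    return lengths

def lenient_split(raw, policy):
    """Frame one request the way a lenient parser does: 'first' honours the
    first Content-Length, 'last' honours the last. Returns (body, remainder);
    a non-empty remainder is what that parser would read as the *next* request."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lengths = _content_lengths(head)
    length = (lengths[0] if policy == "first" else lengths[-1]) if lengths else 0
    if len(rest) < length:
        raise ValueError("incomplete body")
    return rest[:length], rest[length:]

def strict_split(raw):
    """Reject differing Content-Length values (RFC 7230 section 3.3.3 treats
    such a message as invalid) rather than guessing which one a peer used."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lengths = _content_lengths(head)
    if len(set(lengths)) > 1:
        raise ValueError("conflicting Content-Length headers: %r" % lengths)
    length = lengths[0] if lengths else 0
    if len(rest) < length:
        raise ValueError("incomplete body")
    return rest[:length], rest[length:]

# Constructed sample payload: two disagreeing Content-Length headers.
SMUGGLED = (
    b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 5\r\nContent-Length: 28\r\n\r\n"
    b"abcdeGET /admin HTTP/1.1\r\n\r\n"
)
CLEAN = b"POST /form HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nabcde"

if __name__ == "__main__":
    print(lenient_split(SMUGGLED, "first"))   # body b'abcde'; remainder looks like a 2nd request
    print(lenient_split(SMUGGLED, "last"))    # body is everything; remainder b''
    print(strict_split(CLEAN))
    try:
        strict_split(SMUGGLED)
    except ValueError as exc:
        print("rejected:", exc)
```

The two lenient results show the same bytes being read as one request by one parser and as two by another, which is exactly the disagreement a filtering device and the server behind it must not have.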

Laurie expects HTTP smuggling to be exploited by hackers before long, and says the only sure way to counteract the threat is to follow the HTTP specification strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.
