Language Selection

English French German Italian Portuguese Spanish

Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long and that the only sure way to counteract the threat is to carefully follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.

More in Tux Machines

Raspberry Pi Foundation's Code Club teaches kids skills to compete in our digital world

For some time, the UK's technology sector has been concerned about finding the right skilled workers to fill jobs in the future. This predicted "digital skills gap" warns that unless we help people to become confident with technology now, we will be facing a huge shortage in skilled workers in the future. One way to overcome the digital skills gap is to invest in training and education for the next generation. Code Club is a network of free coding clubs for primary school students, and all of the projects we work on are open source. There are over 4,500 Code Clubs currently in the UK, reaching an estimated 75,000 children. Read more

The long-awaited Maru OS source release

Hey guys, I'm happy to announce that Maru has been fully open-sourced under The Maru OS Project! There are many reasons that led me to open-source Maru (https://blog.maruos.com/2016/02/11/maru-is-open-source/), but a particularly important one is expanding Maru's device support with the help of the community. If you'd like to help out with a device port (even just offering to test a new build helps a lot), let the community know on the device port planning list (https://groups.google.com/forum/#!topic/maru-os-dev/YufKu...) . We currently have a few Nexus, LG, and Motorola builds being planned. If you don't see your device on there and would like to help with development or testing, please do chip in and we'll get it added to the list. Read more

KaOS Brings Serious Relevance Back to KDE

If you’ve been looking for a distribution to sway you back to the KDE desktop, look no further than KaOS. It’s beautiful, runs with the snap of a much lighter desktop, and feels as reliable as any other option available for Linux. I haven’t been this impressed with KDE for a very, very long time. And, I am certain users would find themselves equally happy to return to a desktop that has long needed a champion like KaOS. Read more

Another Set of Updated Fedora 24 Linux Live ISO Images Are Now Ready to Download

Fedora Unity Project leader and Fedora AmbassadorBen Williams proudly announce the release of yet another set of updated Live ISO images for the Fedora 24 Linux operating system. Read more