Language Selection

English French German Italian Portuguese Spanish

Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long and that the only sure way to counteract the threat is to carefully follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.

More in Tux Machines

Elive 2.7.1 beta released

The Elive Team is proud to announce the release of the beta version 2.7.1 This new version includes: Audacity (audio wave editor) included by default Timezone detection improved Detector of systems improved and updated to detect last windows installed systems Linux Kernel updated with a lot of new patches for new hardware, bugfixes and improvements Google Voice search on internet using your microphone Read more

How To Setup Linux Web Server And Host Website On Your Own Computer [Part - 2]

Welcome, everyone. It is the second part of how we can setup Linux Web Server and host website on our own Computer. There are some prerequisites to hosting Linux Web Server that we talked about in part 1. If you've not installed Apache web server or any other prerequisite then you must visit Part 1 before reading any further. In this article, we will show you how you can easily make your local website available for the rest of World! So let's get started. Read
more

15 top Android smartphones we reviewed recently

The second half of 2016 took off with some exciting launches from notable manufacturers like Motorola, HTC, Xiaomi and others. With so many smartphones being launched on a near-daily basis by brands both big and small, it gets quite difficult to keep track of them. To help our readers in making their purchase decisions, here is a list of the 15 top Android smartphones we reviewed recently. Take a look. Read more

Ubuntu tablet and smartphone: a personal "mini" review

So when Ubuntu and Canonical revealed they were partnering with actual, big manufacturers for Ubuntu mobile devices, a spark of hope was rekindled in my heart. Let it be clear, I am by no means an Ubuntu user, not even a fan. I left the fold nearly a decade ago, after having spent quite some time using and contributing to Kubuntu (to the point of becoming a certified “member” even, though I never ascended to the Council). In terms of loyalties and usage, I am a KDE user (and “helper”) foremost. I use Fedora because it just works for me, for now. So, yes, an Ubuntu Touch device would be another compromise for me, but it would be the smallest one. Or so I hoped. Read more