Language Selection

English French German Italian Portuguese Spanish

Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long and that the only sure way to counteract the threat is to carefully follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.

More in Tux Machines

Red Hat Enterprise Linux 7.1 Officially Released with Support for Linux Containers

Red Hat was proud to announce earlier today, March 5, the availability of the first maintenance release of its Red Hat Enterprise Linux 7 operating system for computers, used in numerous enterprises worldwide. Red Hat Enterprise Linux 7.1 contains a great amount of bug fixes and improvements over the previous release, as well as various new features. Read more Also: iSER target should work fine in RHEL 7.1

Help: Linux to the rescue of older operating systems

As you know, when someone offers free stuff, we give it a few weeks in order to give each group, organization or individual in need a chance to respond. That’s what we’ll do with Mary Greenfield’s generous offer to donate free fabric, so give it another week and then we’ll forward responses to her. One of the most rewarding aspects of writing this column is realizing that it generates discussion, and here’s a response to that question about updates for an older computer running Windows ME... Read more

Open source used to manage Figueres’ environment

The Spanish town of Figueres is relying on free and open source software to help manage its urban and natural environment. Fisersa Ecoserveis, an environmental company, is using a range of open source solutions to create, update and manage interactive geographic maps, used for monitoring and planning the city’s green spaces. Read more

I/O-rich SBC runs Linux on Cortex-A9 Sitara SoC

MYIR launched a “Rico” SBC for TI’s Cortex-A9 AM437x SoC, with an open Linux BSP, 4GB of eMMC flash, and coastline GbE, HDMI, and USB host and device ports. Read more