
Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a website, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.
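The following is an added example, not code from the article or from Watchfire. It parses a constructed request stream carrying two conflicting Content-Length headers under a "first header wins" policy, a "last header wins" policy, and a strict policy that refuses the request; the first two disagree on where the first request ends, which is the discrepancy the researchers describe. All names, the sample request and the host example.test are assumptions.

```python
# Added example (not from the article or Watchfire): two parsers that apply
# different rules to a request with duplicate Content-Length headers disagree
# on where the first request ends; a strict parser rejects the request instead.

# Constructed sample stream. The bytes after the blank line total 44, so the
# two headers say "no body" and "44-byte body" respectively.
RAW = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"GET /second HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)

def parse_head(raw: bytes):
    """Split one request into (request line, [(name, value)], remaining bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].decode("ascii"), headers, rest

def body_length(headers, policy: str) -> int:
    """Decide the body length under one of three Content-Length policies."""
    values = [v for name, v in headers if name == b"content-length"]
    if not values:
        return 0
    if policy == "first":      # some products honour the first header
        return int(values[0])
    if policy == "last":       # others honour the last one
        return int(values[-1])
    if policy == "strict":     # defensive: conflicting values are not a valid message
        if len(set(values)) != 1:
            raise ValueError("conflicting Content-Length headers: reject request")
        return int(values[0])
    raise ValueError(f"unknown policy {policy!r}")

def split_stream(raw: bytes, policy: str):
    """Return [(request line, body)] as a parser using `policy` sees the stream."""
    units = []
    while raw:
        request_line, headers, rest = parse_head(raw)
        n = body_length(headers, policy)
        units.append((request_line, rest[:n]))
        raw = rest[n:]
    return units

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, [line for line, _ in split_stream(RAW, policy)])
```

A "first" parser sees two requests while a "last" parser sees one POST whose body is the second request; only the "strict" policy, which follows the specification's rule that conflicting lengths make the message invalid, removes the ambiguity.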

Laurie expects HTTP smuggling to be exploited by hackers before long, and says the only sure way to counteract the threat is to follow the HTTP specification strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

