Java Forum / General / February 2006
HTTP content-length a security risk?

Roedy Green - 13 Feb 2006 21:55 GMT
Here is a little correspondence I had with my ISP

> > 2. When I try downloading it myself with Opera, it downloads fine and
> > checks out, but Opera says its size is "?".  Presumably the server is
> > failing to send the optional length on the front of the download.

A recent security/compatibility update to Apache2 is the reason for
this behaviour.  The serious problems occur when "Transfer-Encoding:
chunked" is sent by Apache2 in the HTTP headers -- this specific
header, which improves performance, is not compatible with, and also
causes a security problem (I'm not sure why, and I remain skeptical of
this particular claim, but I'm comfortable with the compatibility
justification), can't be sent as well, so Apache2 omits it.

Anyone know anything about this? Why would using content-length
present a security risk?

Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.

Thomas Hawtin - 13 Feb 2006 22:13 GMT
> Anyone know anything about this? Why would using content-length
> present a security risk?

I don't know about this case, but there was a case where Java applets
could persuade a proxy that the HTTP (1.1 or 1.0 with extras) request
had finished when the JRE didn't think it had. The applet could then
send data which the proxy took as another request. I assume the applet
could do that by sliding in a content-length header, or something similar.

You might think this is known, has been fixed and therefore isn't a
problem. However, security bugs seem to have a habit of reoccurring.
Last year Sun took three attempts to fix much the same critical Java bug
that appeared seven times (although apparently requiring differing
levels of ingenuity to exploit).

Tom Hawtin

Unemployed English Java programmer
http://jroller.com/page/tackline/

Chris Uppal - 14 Feb 2006 14:07 GMT
> Anyone know anything about this? Why would using content-length
> present a security risk?

HTTP request splitting, one tool for request smuggling, cache
poisoning, and other fun and games.

Good paper (which seems to require registration these days) here:
    http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf

Short summary (no registration) here:
    http://www.securiteam.com/securityreviews/5GP0220G0U.html

Just one more proof that a little complexity is a dangerous thing.

Here's the "Executive Summary" from the paper:

==========
HTTP Request Smuggling works by taking advantage of the discrepancies
in parsing when one or more HTTP devices/entities (e.g. cache server,
proxy server, web application firewall, etc.) are in the data flow
between the user and the web server. HTTP Request Smuggling enables
various attacks – web cache poisoning, session hijacking, cross-site
scripting and most importantly, the ability to bypass web application
firewall protection. It sends multiple specially crafted HTTP requests
that cause the two attacked entities to see two different sets of
requests, allowing the hacker to smuggle a request to one device
without the other
device being aware of it. In the web cache poisoning attack, this
smuggled request will trick the cache server into unintentionally
associating a URL to another URL’s page (content), and caching this
content for the URL. In the web application firewall attack, the
smuggled request can be a worm (like Nimda or Code Red) or buffer
overflow attack targeting the web server. Finally, because HTTP Request
Smuggling enables the attacker to insert or sneak a request into the
flow, it allows the attacker to manipulate the web server’s
request/response sequencing which can allow for credential hijacking
and other malicious outcomes.
==========

   -- chris
Roedy Green - 14 Feb 2006 18:18 GMT
On 14 Feb 2006 14:07:11 GMT, "Chris Uppal"
<chris.uppal@metagnostic.REMOVE-THIS.org> wrote, quoted or indirectly
quoted someone who said:

> HTTP Request Smuggling works
I would think the basic idea is the length is specified two ways and
software can get confused if they don't match.  I would have thought
the solution would be to take content length with a grain of salt,
rather than delete it.  Somebody malicious in the middle could put it
back.


Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.
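The "discrepancies in parsing" that Chris's quoted summary describes, and the "length specified two ways" point Roedy makes, come down to one question: where does one request end and the next begin? The following is an added example, not code from the thread or from Apache, showing how a front-end (proxy, cache or application server) can frame a request strictly and refuse the ambiguous cases instead of guessing. It applies the rule the later RFC 7230 adopted for this problem (reject a request that carries both Content-Length and Transfer-Encoding, or conflicting Content-Length values), which is stricter than RFC 2616's "Transfer-Encoding wins" rule. The function names and the sample requests are constructed for this illustration.

```python
"""Strict HTTP/1.x request framing that refuses the body-length ambiguities
request smuggling relies on.

Added example, not part of the original thread. Assumes a front-end that
reads one request from a byte buffer and either returns
(request_line, headers, body, remainder) or raises FramingError.
The remainder is whatever follows the request on the same connection."""


class FramingError(ValueError):
    """Raised when a request's body length is ambiguous or malformed."""


def _parse_headers(raw):
    """Split request line and headers off the buffer; reject odd syntax."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete header block")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "strict")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            # obsolete line folding is a classic source of parser disagreement
            raise FramingError("obsolete line folding rejected")
        name, colon, value = line.partition(b":")
        if not colon:
            raise FramingError("malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, rest


def _body_length(headers):
    """Decide how the body is delimited; returns ('chunked', None) or ('length', n).

    Two parties that resolve the same ambiguity differently will disagree on
    where the request ends, so every ambiguous combination is rejected."""
    cl_values = {v for n, v in headers if n == b"content-length"}  # identical repeats collapse
    te_values = [v for n, v in headers if n == b"transfer-encoding"]
    if te_values and cl_values:
        raise FramingError("Content-Length and Transfer-Encoding both present")
    if te_values:
        codings = [c.strip().lower() for v in te_values for c in v.split(b",")]
        if codings != [b"chunked"]:
            raise FramingError("unsupported or non-final Transfer-Encoding")
        return "chunked", None
    if len(cl_values) > 1:
        raise FramingError("conflicting Content-Length values")
    if cl_values:
        value = cl_values.pop()
        if not value.isdigit():
            raise FramingError("non-numeric Content-Length")
        return "length", int(value)
    return "length", 0


def _read_chunked(rest):
    """Decode a chunked body; returns (body, remainder)."""
    body = b""
    pos = 0
    while True:
        nl = rest.find(b"\r\n", pos)
        if nl < 0:
            raise FramingError("truncated chunk-size line")
        size_field = rest[pos:nl].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise FramingError("bad chunk size")
        pos = nl + 2
        if size == 0:
            # last chunk: consume trailer lines up to the terminating blank line
            while True:
                end = rest.find(b"\r\n", pos)
                if end < 0:
                    raise FramingError("truncated trailer section")
                line, pos = rest[pos:end], end + 2
                if not line:
                    return body, rest[pos:]
        if len(rest) < pos + size + 2 or rest[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("truncated or malformed chunk")
        body += rest[pos:pos + size]
        pos += size + 2


def parse_request(raw):
    """Frame exactly one request from raw bytes, or raise FramingError."""
    request_line, headers, rest = _parse_headers(raw)
    mode, length = _body_length(headers)
    if mode == "chunked":
        body, remainder = _read_chunked(rest)
    else:
        if len(rest) < length:
            raise FramingError("truncated body")
        body, remainder = rest[:length], rest[length:]
    return request_line, headers, body, remainder


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"5\r\nhello\r\n0\r\n\r\n",
    "pipelined": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello"
                 b"GET /b HTTP/1.1\r\nHost: x\r\n\r\n",
    "cl_and_te": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "two_cl": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n"
              b"Content-Length: 6\r\n\r\nhello!",
}


def check_all():
    """Frame every sample; returns {name: ('ok', body, remainder) | ('rejected', reason)}."""
    results = {}
    for name, raw in SAMPLES.items():
        try:
            _, _, body, remainder = parse_request(raw)
            results[name] = ("ok", body, remainder)
        except FramingError as exc:
            results[name] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for name, outcome in check_all().items():
        print(f"{name:10} {outcome}")
```

The "pipelined" sample is the interesting one for the thread's question: the remainder returned for it is the second request on the connection, which is exactly the boundary two devices must agree on. The "cl_and_te" and "two_cl" samples are well-formed enough for a lenient parser to accept, and different lenient parsers would place that boundary in different places; this framer rejects both rather than pick one interpretation, which is the "grain of salt" Roedy describes turned into a hard rule.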