Data 'smuggling' opens websites to attack

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long, and says that the only sure way to counteract the threat is to follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."
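The disagreement over duplicate content-length headers, and the strict handling recommended above, shown as an added example that is not from the article or the researchers' paper. The sample request, the function names and the choice to refuse any repeated header are assumptions made for illustration.

```python
from typing import List, Optional

# Constructed sample: a request head carrying two Content-Length headers.
SAMPLE_HEAD = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
)

def content_length_values(head: bytes) -> List[str]:
    """Return every Content-Length value in the header block, in order."""
    values = []
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]  # skip request line
    for line in lines:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            values.append(value.strip().decode("latin-1"))
    return values

def first_wins(head: bytes) -> Optional[int]:
    """Lenient reading used by some software: honour the first header."""
    vals = content_length_values(head)
    return int(vals[0]) if vals else None

def last_wins(head: bytes) -> Optional[int]:
    """Lenient reading used by other software: honour the last header."""
    vals = content_length_values(head)
    return int(vals[-1]) if vals else None

def strict_content_length(head: bytes) -> Optional[int]:
    """Strict reading: refuse ambiguous framing instead of guessing."""
    vals = content_length_values(head)
    if not vals:
        return None
    if len(vals) > 1:
        raise ValueError("multiple Content-Length headers: %r" % vals)
    if not (vals[0].isascii() and vals[0].isdigit()):
        raise ValueError("malformed Content-Length: %r" % vals[0])
    return int(vals[0])

if __name__ == "__main__":
    # Two parsers in a chain disagree on where the body ends: 0 vs 44 bytes.
    print(first_wins(SAMPLE_HEAD), last_wins(SAMPLE_HEAD))
```

When the two lenient readings differ, the two devices in the chain disagree on where one request ends and the next begins; a front end that applies the strict check and answers with an error closes that gap.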
