
Data 'smuggling' opens websites to attack

Filed under: Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a website, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long, and says the only sure way to counter the threat is to follow the HTTP specification strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."
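To make the duplicate Content-Length discrepancy and the strict-parsing remedy concrete, here is an added example (not from the article, Watchfire's paper, or any product it names): a model of a tolerant parser that silently picks either the first or the last Content-Length, beside a strict one that follows the rule RFC 7230 later spelled out and rejects conflicting values with a 400. The request bytes and the hostname example.test are constructed for the example.

```python
import re
# Constructed sample (not from the article): two Content-Length headers that
# disagree; the trailing bytes only show where each parser would end the body.
AMBIGUOUS = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello world")
CLEAN = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"

class BadRequest(ValueError):
    """Answer 400 and close instead of guessing what the sender meant."""

def parse_head(raw):
    """Split raw bytes into (request line, [(name, value)], bytes after the head)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise BadRequest("malformed header line")
        headers.append((name.strip().lower().decode("ascii"),  # names are case-insensitive
                        value.strip().decode("ascii")))
    return lines[0], headers, rest

def lenient_body(raw, first_wins):
    """Model of a tolerant parser that silently picks the first or the last value."""
    _, headers, rest = parse_head(raw)
    lengths = [v for n, v in headers if n == "content-length"]
    return rest[: int(lengths[0] if first_wins else lengths[-1])]

def strict_body(raw):
    """Strict parser: one well-formed Content-Length value, or reject the request."""
    _, headers, rest = parse_head(raw)
    lengths = {v for n, v in headers if n == "content-length"}
    if len(lengths) > 1:  # differing values: RFC 7230 3.3.3 says reject with 400
        raise BadRequest("conflicting Content-Length headers")
    value = lengths.pop() if lengths else "0"  # no header: no body
    if not re.fullmatch(r"[0-9]+", value):  # also rejects lists such as "5, 11"
        raise BadRequest("Content-Length is not a single decimal integer")
    return rest[: int(value)]

def rejected(raw):
    """True when the strict parser would turn this request away with a 400."""
    try:
        strict_body(raw)
        return False
    except BadRequest:
        return True
```

Identical duplicate values (which RFC 7230 allows a recipient to merge) still pass the strict parser; only disagreeing or non-numeric values are refused, which is exactly the case two cooperating parsers would otherwise interpret differently.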

