Data 'smuggling' opens websites to attack

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending a request that carries multiple "Content-Length" headers instead of just one. The researchers found that including two Content-Length headers causes different web programs to react differently: some honour the first header and ignore the second, while others ignore the first and use the second. Because the two programs then disagree about where the request body ends, they also disagree about where the next request begins.
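
The discrepancy described above, as an added example that is not code from the article or from Watchfire's paper: a small parser splits one constructed byte stream under a "first header wins" policy, a "last header wins" policy, and a strict policy that refuses a message whose Content-Length headers disagree. The request paths and header values are constructed for the illustration.

```python
# Added example: how parsers that pick different Content-Length headers
# disagree about request boundaries, and how a strict parser rejects the
# ambiguous message outright. All sample data below is constructed.

def parse_headers(raw: bytes):
    """Split one HTTP message into (request line, [(name, value)], rest)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode(), value.strip().decode()))
    return request_line, headers, rest

def split_requests(stream: bytes, policy: str):
    """Return the request lines found in a pipelined byte stream.
    policy: 'first' or 'last' (which Content-Length header wins) or
    'strict' (reject if two Content-Length headers carry different values)."""
    requests = []
    while stream:
        request_line, headers, rest = parse_headers(stream)
        lengths = [int(v) for n, v in headers if n == "content-length"]
        if policy == "strict" and len(set(lengths)) > 1:
            raise ValueError("ambiguous Content-Length headers: %r" % lengths)
        if not lengths:
            body_len = 0
        elif policy == "last":
            body_len = lengths[-1]
        else:  # 'first' and 'strict' (all values agree) take the first
            body_len = lengths[0]
        requests.append(request_line)
        stream = rest[body_len:]  # skip the body, continue with what follows
    return requests

def is_ambiguous(stream: bytes) -> bool:
    """True if a strict parser would refuse the stream as ambiguous."""
    try:
        split_requests(stream, "strict")
        return False
    except ValueError:
        return True

# Constructed stream: one POST with two conflicting Content-Length headers,
# followed by 30 bytes that are either its body (last wins) or a second,
# separate request (first wins), depending on the parser.
SAMPLE = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"GET /second HTTP/1.1\r\n"
    b"X: y\r\n"
    b"\r\n"
)
```

Run `split_requests(SAMPLE, "first")` and `split_requests(SAMPLE, "last")` side by side to see the two views of the same bytes; `is_ambiguous(SAMPLE)` is the check a defending proxy or server would apply.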

Laurie expects HTTP smuggling to be exploited by hackers before long, and says the only sure way to counteract the threat is to follow the HTTP specification strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."
