Language Selection

English French German Italian Portuguese Spanish

Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long and that the only sure way to counteract the threat is to carefully follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.

More in Tux Machines

Patch By Patch, LLVM Clang Gets Better At Building The Linux Kernel

With each kernel revision, LLVM Clang gets closer to being able to build the mainline Linux kernel. There's now just a few dozen patches outstanding for LLVMLinux to be a mainline success. Behan Webster gave his usual talk at LinuxCon in Chicago this week about the state of LLVMLinux -- building the Linux kernel with Clang rather than GCC. There's been many Phoronix articles about the topic so there isn't too much more to share beyond that many developers want to use Clang to compile the Linux kernel to lead to better code portability of the kernel, faster compilation times of Clang, potential performance differences, LLVM and Clang are more liberally licensed, and there's a host of other development extras with Clang. Read more

Today in Techrights

Wayland and Weston 1.6 alpha snapshot (1.5.91)

release plan continues as follows: - two weeks to let the alpha version stabilize, and only merge small features along with bug fixes - RC1 release on September 5th, Friday - bugfixing - RC2 release on September 12th, Friday - hopefully no more bugfixing much - 1.6.0 release on September 19th, Friday - at some point later master branch opens again for all new things. Read more

Munich Council Say Talk of LiMux Demise Is Greatly Exaggerated

A Munich city council spokesman has attempted to clarify the reasons behind its plan to re-examine the role of open-source software in local government IT systems. Read more