Language Selection

English French German Italian Portuguese Spanish

Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long and that the only sure way to counteract the threat is to carefully follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.

More in Tux Machines

Manjaro Linux Xfce 15.09 RC1 Features Linux Kernel 4.1 LTS and Xfce 4.12

Philip Müller, the lead developer and creator of the Manjaro Linux project, had the pleasure of announcing the immediate availability for download of the first Release Candidate build of the upcoming Manjaro Linux Xfce 15.09 distribution. Read more

Google Chrome 46 Enters Beta with Flexible Animations, Optimized Image Loading

After announcing the promotion of the Google Chrome 45 web browser to the stable channel on September 1, Google pushed earlier today, September 2, the Chrome 46 web browser to the Beta channel for testers worldwide. Read more

Phoronix offers some criticism of KDE software, and this is how KDE deals with it

About a month ago, Eric Griffith posted an article on Phoronix where he compared Fedora’s KDE spin to the main Fedora Workstation which uses GNOME. In that article, Eric described a number of issues that he became fully aware of when comparing his favorite desktop environment, Plasma (and the KDE applications he regularly uses) with GNOME’s counterparts. I read that article, shared it with other KDE designers and developers, and we came to the conclusion that yes, at least some of the issues he describes there are perfectly valid and clearly documented. And since KDE does listen to user feedback if it makes sense, we decided we should do something about it. Read more

Trinity Desktop Environment Now Supports Ubuntu 15.04, ARM64, and PPC64le

The developers behind the TDE (Trinity Desktop Environment) project, an open-source desktop environment that keep the spirit of KDE3.5 alive, have announced the immediate availability for download of Trinity Desktop Environment R14.0.1. Read more