Language Selection

English French German Italian Portuguese Spanish

Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long and that the only sure way to counteract the threat is to carefully follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.

More in Tux Machines

High School's Help Desk Teaches Open Source IT Skills

The following is an adapted excerpt from chapter six of The Open Schoolhouse: Building a Technology Program to Transform Learning and Empower Students, a new book written by Charlie Reisinger, Technology Director for Penn Manor School District in Lancaster County, Pennsylvania. In the book, Reisinger recounts more than 16 years of Linux and open source education success stories. Penn Manor schools saved over a million dollars by trading proprietary software for open source counterparts with its student laptop program. The budget is only part of the story. As Linux moved out of the server room and onto thousands of student laptops, a new learning community emerged. Read more

What’s New with Xen Project Hypervisor 4.8?

I’m pleased to announce the release of the Xen Project Hypervisor 4.8. As always, we focused on improving code quality, security hardening as well as enabling new features. One area of interest and particular focus is new feature support for ARM servers. Over the last few months, we’ve seen a surge of patches from various ARM vendors that have collaborated on a wide range of updates from new drivers to architecture to security. Read more

Kali Alternative: BackBox Linux 4.7 Arrives With Updated Hacking Tools

BackBox Linux is an Ubuntu-based operating system that’s developed with a focus on penetration testing and security assessment. If you take a look at our list of top 10 ethical hacking distros, BackBox ranks in top 3. This alternative of Kali Linux operating system comes with a variety of ethical hacking tools and a complete desktop environment. The software repositories of the hacking tools included in BackBox Linux too are frequently updated. Earlier this year in May, we witnessed the release of BackBox Linux 4.6 that was based on kernel 4.2 and Ubuntu 15.10. Read more

Linux Distributions vs. BSDs With netperf & iperf3 Network Performance

With now having netperf in the Phoronix Test Suite as well as iperf3 for the latest open-source benchmarks in our automated cross-platform benchmarking framework, I couldn't help but to run some networking benchmarks on a system when trying out a few different Linux distributions and BSDs to see how the performance compares. The operating systems ran with these networking benchmarks included Debian 8.6, Ubuntu 16.10, Clear Linux 12020, CentOS 7, and Fedora 25. The BSDs tested for this comparison were FreeBSD 11.0 and DragonFlyBSD 4.6.1. Read more