
Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a website, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" headers instead of just one. The researchers found that including two content-length headers causes different web programs to react differently: some process the first header and ignore the second, while others disregard the first and go straight to the next one.
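The disagreement described above, as an added example that is not code from the article or from Watchfire's paper: a small request parser that takes a policy argument (the names "first", "last" and "strict" are this example's own) and splits the same constructed byte stream into a different number of requests depending on which Content-Length value it honours, while the strict policy refuses the ambiguous message outright. The strict behaviour is what the researchers recommend; it also matches the later RFC 7230 rule that a message with differing Content-Length values must be rejected.

```python
"""Added example: how two lenient HTTP parsers disagree on a request that
carries two Content-Length headers, and a strict parser that rejects it.
Not the article's or Watchfire's code; the policy names are this example's."""

HEADER_END = b"\r\n\r\n"


class SmugglingRisk(ValueError):
    """Raised by the 'strict' policy when a request is ambiguous."""


def _content_length(headers, policy):
    """Pick a body length from the Content-Length header(s) under a policy."""
    values = [v for (name, v) in headers if name == "content-length"]
    if not values:
        return 0
    if policy == "strict":
        # Two headers with differing values: refuse rather than guess.
        if len(set(values)) > 1:
            raise SmugglingRisk("conflicting Content-Length values: %r" % values)
        return int(values[0])
    if policy == "first":      # behaviour of one lenient parser
        return int(values[0])
    if policy == "last":       # behaviour of another lenient parser
        return int(values[-1])
    raise ValueError("unknown policy %r" % policy)


def parse_requests(stream, policy):
    """Split a raw byte stream into (request_line, body) pairs."""
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(HEADER_END, pos)
        if end < 0:
            raise ValueError("incomplete headers")
        lines = stream[pos:end].decode("ascii").split("\r\n")
        request_line = lines[0]
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
        length = _content_length(headers, policy)
        body_start = end + len(HEADER_END)
        body = stream[body_start:body_start + length]
        if len(body) != length:
            raise ValueError("truncated body")
        requests.append((request_line, body))
        pos = body_start + length
    return requests


def request_lines(stream, policy):
    """Just the request lines a parser under `policy` would see."""
    return [line for (line, _body) in parse_requests(stream, policy)]


def is_ambiguous(stream):
    """True when the strict policy would reject the stream."""
    try:
        parse_requests(stream, "strict")
    except SmugglingRisk:
        return True
    return False


# Constructed sample: one POST carrying two Content-Length headers, followed
# by 44 bytes that are either a body or a second request, depending on parser.
SAMPLE = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"GET /second HTTP/1.1\r\nHost: example.test\r\n\r\n"   # exactly 44 bytes
)

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, "->", request_lines(SAMPLE, policy))
    print("strict rejects:", is_ambiguous(SAMPLE))
```

A parser honouring the last header sees one request with a 44-byte body; one honouring the first header sees two requests. A filtering proxy of the first kind in front of a server of the second kind (or vice versa) is exactly the "more than one entity that parses them" situation the researchers describe, and the strict policy removes the disagreement at the first hop.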

Laurie expects HTTP smuggling to be exploited by hackers before long, and says the only sure way to counteract the threat is to follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.
