Language Selection

English French German Italian Portuguese Spanish

Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long and that the only sure way to counteract the threat is to carefully follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.

More in Tux Machines

Debian-Based Robolinux 8.6 Adds Over 275 Important Security and Software Updates

The developer of the Debian-based Robolinux computer operating system announced the release of the sixth maintenance update to the Robolinux 8 LTS "Raptor" series of his GNU/Linux distribution. Read more

Linux Kernel 4.8 Lands October 2 as Linus Torvalds Outs Last Release Candidate

It's still Sunday in U.S. so Linus Torvalds has just published his weekly announcement to inform us all about the availability of the eighth and last RC (Release Candidate) development snapshot of the upcoming Linux 4.8 kernel. Read more

Desktop virtualisation kit-calculator goes open source

The tool has gone through a number of iterations over the years, extending its capabilities to assess the infrastructure requirements of ever-more virtual desktops along the way while also keeping up with changes to VMware's Horizon and Citrix's XenDesktop. But Leibovici says he's now sufficiently busy that “Unfortunately I find myself without time to maintain the VDI calculator, therefore I decided that the best outcome would be to open-source the app and let the community drive maintenance and innovation.” Hence its publication under an Apache 2.0 licence here on GitHub. Read more

LXQt 0.11.0 Desktop Environment Arrives After Almost One Year of Development

After being in development for the past eleven months, the next major release of the lightweight, Qt-based LXQt desktop environment has been officially released and it's available for download. Read more