Language Selection

English French German Italian Portuguese Spanish

Data 'smuggling' opens websites to attack

Filed under
Security

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long and that the only sure way to counteract the threat is to carefully follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.

More in Tux Machines

KDevelop 5.0.0 release

Almost two years after the release of KDevelop 4.7, we are happy to announce the immediate availability of KDevelop 5.0. KDevelop is an integrated development environment focusing on support of the C++, Python, PHP and JavaScript/QML programming languages. Many important changes and refactorings were done for version 5.0, ensuring that KDevelop remains maintainable and easy to extend and improve over the next years. Highlights include much improved new C/C++ language support, as well as polishing for Python, PHP and QML/JS. Read more

CoreOS 1068.10.0 Released with Many systemd Fixes, Still Using Linux Kernel 4.6

Today, August 23, 2016, the development team behind the CoreOS security-oriented GNU/Linux operating system have released the CoreOS 1068.10.0 stable update, along with new ISO images for all supported platforms. Read more

SUSE Linux and openSUSE Leap to Offer Better Support for ARM Systems Using EFI

The YaST development team at openSUSE and SUSE is reporting on the latest improvements that should be available in the upcoming openSUSE Leap 42.2 and SUSE Linux Enterprise 12 Service Pack 2 operating systems. Read more

Create modular server-side Java apps direct from mvn modules with diet4j instead of an app server

In the latest release, the diet4j module framework for Java has learned to run modular Java apps using the Apache jsvc daemon (best known from running Tomcat on many Linux distros). If org.example.mydaemon is your top Maven project, all you do is specify it as the root module for your jsvc invocation, and diet4j figures out the dependencies when jsvc starts. An example systemd.service file is available.