Language Selection

English French German Italian Portuguese Spanish

Data 'smuggling' opens websites to attack

Filed under

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long and that the only sure way to counteract the threat is to carefully follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."

Full Story.

More in Tux Machines

GNOME Boxes 3.18.1 QEMU-Based Virtualization App Brings More Fixes

While the developers of the GNOME desktop environment are working hard these days to push the first point release of GNOME 3.18 to users worldwide, package maintainers have also prepared various updates to the project's core components and applications. Read more Also: GNOME's Cheese Webcam Viewer App Gets Better Video Preview Scaling and Resizing

Fedora 23 Final Freeze Now In Effect, the Linux OS Arrives on October 27

According to the official release schedule for the forthcoming Fedora 23 Linux operating system, the day of October 13, 2015, marked the Final Freeze milestone in the distribution's development cycle. Read more

Moto 360 (2015) Review: The Most Watch-Like Android Wear Device Yet

Motorola kicked off the age of Android Wear when it announced the original 360 more than six months before it was finally released. It was a beautiful piece of hardware, but was saddled with an ancient TI OMAP ARM chip and recessed lugs that led to cracked back panels. The second generation device addresses many of the shortcomings of that wearable, but some of them are still staring you in the face. Still, it might be the watch you've been waiting for. Read more

Linux Kernel 3.2.72 LTS Is Full of Improvements, Users Urged to Update Now

Just a few moments ago, Ben Hutchings, the maintainer of the long-term supported Linux 3.2 kernel series, has had the pleasure of informing Linux users about the immediate availability for download of Linux kernel 3.2.72 LTS. Read more