[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 6 Jun 2005 16:17:55 +0300
From: "Ory Segal" <osegal@...chfire.com>
To: <BUGTRAQ@...URITYFOCUS.COM>,
<webappsec@...urityfocus.com>,
<websecurity@...appsec.org>,
<wasc-technical@...appsec.org>
Subject: [WEB SECURITY] A new whitepaper by Watchfire - HTTP Request Smuggling
Hello,
Today, Watchfire released a new whitepaper, titled "HTTP Request
Smuggling". The full paper can be found in the following link:
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
<BLOCKED::http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf>
The paper's abstract is copied below:
"We describe a new web entity attack technique - "HTTP Request
Smuggling". The attack technique and the derived attacks are relevant to
most web environments and is the result of a HTTP server or device's
failure to properly handle malformed inbound HTTP requests. HTTP Request
Smuggling works by taking advantage of the discrepancies in parsing when
one or more HTTP devices/entities (e.g. Cache Server, Proxy Server, Web
Application Firewall, etc.) are in the data flow between the user and
the web server. HTTP Request Smuggling enables various attacks - web
cache poisoning, session hijacking, cross-site scripting and most
serious the ability to bypass web application firewall protection. HTTP
Request Smuggling sends multiple specially-crafted HTTP requests that
cause the two attacked entities to see two different sets of requests,
allowing the hacker to smuggle a request to one device without the other
device being aware of it. In the Web Cache poisoning attack, this
smuggled request will trick the cache server into unintendedly
associating a URL to another URL's page (content), and caching this
content for the URL. In the Web Application Firewall attack the smuggled
request could be a worm (like Nimda or Code Red) or buffer overflow
attack targeting the web server. Finally, because HTTP Request Smuggling
enables the attacker to insert or sneak a request into the flow it
allows the attacker to manipulate the web server's request/response
sequencing which can allow for credential hijacking and other malicious
outcomes."
Thank you,
Ory Segal
Director of Security Research
Watchfire (Israel) LTD.
Tel: +972-9-9586077, Ext.236
Mobile: +972-54-7739359
e-mail: osegal <BLOCKED::mailto:osegal@...chfire.com> at watchfire.com
Content of type "text/html" skipped
Powered by blists - more mailing lists