[Oisf-devel] http evasion research

Ivan Ristic ivan.ristic at gmail.com
Thu Jun 13 14:06:56 UTC 2013


On Wed, Jun 12, 2013 at 9:53 PM, Ivan Ristic <ivan.ristic at gmail.com> wrote:
> I'll try to have a look at some of those by the end of the week
> (against libhtp 0.5.x).

Here's what I have found:

- On the inbound, a request that contains a T-E header with anything
but "chunked" will error out (i.e., the stream will error out).
- On the outbound, a T-E header in the response with anything but
"chunked" will be ignored. Content-Length will be used when available,
and if C-L is not available the body will stretch until the end of the
connection.

In the first instance, LibHTP should be raising flags for the invalid
response T-E header (and possibly response smuggling; I haven't looked
at this yet).

Other than that, the question is how do we handle these cases when
browsers interpret the same stream differently. Unlike with servers,
where we can determine and set the correct personality (in theory, I
wonder how many people would do that in practice), with outbound
traffic we can't choose any one approach.

The possibilities are as follows:
1. Raise flags as appropriate
2. Force dechunking
3. Process the same stream twice, with and without chunking

#1 is clearly easy and I suspect #2 would be fine, but more research
is needed. Perhaps this is something that we can work on for LibHTP
0.6.x.


> I am generally aware of those evasion opportunities, although my
> attention was more on the other side -- evading attacks when attacking
> web servers. For example, IIS will ignore a Transfer-Encoding header
> when HTTP 1.0 is used, but Apache will not.
>
>
> On Wed, Jun 12, 2013 at 7:16 PM, Victor Julien <victor at inliniac.net> wrote:
>> I think we should test how these researched cases are handled by
>> suricata and libhtp:
>>
>> http://noxxi.de/research/dubious-http.html
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>> Redmine: https://redmine.openinfosecfoundation.org/
>
>
>
> --
> Ivan Ristić



-- 
Ivan Ristić
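As an added example, not code from this thread or from libhtp: a small Python framer that takes one raw HTTP response and frames its body under each interpretation the message describes (dechunk when a Transfer-Encoding header is present, take Content-Length bytes when that header is present, otherwise let the body run to the end of the connection), records flags for the cases discussed (a T-E value other than "chunked", T-E together with C-L, T-E on an HTTP/1.0 message), and additionally flags when the chunked and Content-Length framings leave different bytes behind, which is the "process the same stream twice" idea (option #3) reduced to a comparison. The flag names, function names and the sample response are this example's own constructions.

```python
import re

CRLF = b"\r\n"


def parse_head(raw):
    """Split a raw HTTP message into (start_line, headers, body_bytes).
    headers is a list of (lower-cased name, value) pairs; duplicates are kept."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    return [v for n, v in headers if n == name]


def frame_chunked(body):
    """Decode a chunked body; return (decoded_body, bytes_after_message)."""
    out, pos = b"", 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size_token = body[pos:end].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_token):
            raise ValueError("bad chunk size %r" % size_token)
        size, pos = int(size_token, 16), end + 2
        if size == 0:
            if body.startswith(CRLF, pos):          # last chunk, no trailers
                return out, body[pos + 2:]
            tend = body.find(CRLF + CRLF, pos)      # skip the trailer block
            if tend < 0:
                raise ValueError("truncated trailers")
            return out, body[tend + 4:]
        chunk = body[pos:pos + size]
        if len(chunk) < size or body[pos + size:pos + size + 2] != CRLF:
            raise ValueError("truncated chunk data")
        out, pos = out + chunk, pos + size + 2


def frame_content_length(body, length):
    """Take exactly `length` body bytes; return (body, bytes_after_message)."""
    if len(body) < length:
        raise ValueError("body shorter than Content-Length")
    return body[:length], body[length:]


def analyze(raw):
    """Return {'flags': [...], 'views': {name: (body, remainder)}}.
    One view is framed per applicable header so the same bytes can be compared
    across interpretations; flag names are this example's own, not libhtp's."""
    start, headers, body = parse_head(raw)
    te = header_values(headers, b"transfer-encoding")
    cl = header_values(headers, b"content-length")
    flags, views = [], {}
    if te and cl:
        flags.append("TE_AND_CL")
    if any(v.lower() != b"chunked" for v in te):
        flags.append("TE_NOT_CHUNKED")
    if te and start.startswith(b"HTTP/1.0"):
        flags.append("TE_WITH_HTTP10")
    if te:                                   # a reader that honours T-E dechunks
        try:
            views["chunked"] = frame_chunked(body)
        except ValueError as exc:
            flags.append("CHUNK_ERROR:" + str(exc))
    if cl and re.fullmatch(rb"[0-9]+", cl[0]):  # a reader that trusts C-L
        try:
            views["content-length"] = frame_content_length(body, int(cl[0]))
        except ValueError as exc:
            flags.append("CL_ERROR:" + str(exc))
    if not views:                            # neither applies: body runs to EOF
        views["to-eof"] = (body, b"")
    if len(set(views.values())) > 1:         # framings leave different bytes behind
        flags.append("FRAMING_DISAGREES")
    return {"flags": flags, "views": views}


# Constructed sample: Content-Length plus a Transfer-Encoding value that is not
# exactly "chunked", with a second response-shaped message behind the first.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 11\r\n"
    b"Transfer-Encoding: chunked, xchunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print(result["flags"])
    for name, (body, rest) in result["views"].items():
        print(name, body, rest[:24])
```

On the sample, the Content-Length view ends the first message at `0` and starts the next one with a stray `\r\n\r\n`, while the chunked view ends it cleanly and sees the second response immediately; whichever reading the inspecting parser picks, the browser may pick the other, which is the desynchronisation that forced dechunking (option #2) or double processing (option #3) would have to address.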