Tuesday, June 14, 2005

HTTP Request Smuggling

You may have seen this on Slashdot, but Garth Somerville sent me this link to a paper titled HTTP Request Smuggling (HRS) by Watchfire. You may remember Watchfire as the company that bought Web application security vendor Sanctum. Essentially HRS relies on sending conflicting values or malformed input in HTTP headers. Just as we saw years ago with IDSs, bad results happen when one product interprets commands one way and another product sees the world in a different way. I was pleased to see the Squid proxy server already addressed any problems back in April in two advisories.

The answer is strict HTTP parsing, but rest assured many products will continue to let malformed protocols pass. This is another case where a small set of commands or input should be allowed, and everything else should be denied. The Intrusion Prevention System (IPS) model of "deny some, allow everything else" will fail here.
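To make the "allow a small set of input, deny everything else" point concrete, here is an added example (mine, not from the post or the Watchfire paper) of a strict HTTP/1.x request-head validator of the kind a proxy or front end would apply before forwarding. It rejects the header conditions the post describes as the root of HRS, namely conflicting or malformed framing values: more than one Content-Length, Content-Length together with Transfer-Encoding, a non-numeric length, bare LF line endings, obsolete line folding, and header names that are not valid tokens. The sample requests at the bottom are constructed for illustration; the function and class names are my own.

```python
"""Strict HTTP/1.x request-head validation (added example; not from the post).

Policy: accept only unambiguous framing and well-formed header syntax,
deny everything else. Anything that two parsers could read differently
is rejected rather than "fixed up".
"""
import re

# RFC 7230 token characters for header names (no whitespace, no colon).
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


class StrictHTTPError(ValueError):
    """Raised when a request head is malformed or could be framed ambiguously."""


def parse_strict_request_head(raw: bytes) -> dict:
    """Parse the head of an HTTP/1.x request under a deny-by-default policy.

    Returns method, target, headers (names lower-cased, values as lists) and
    a single framing rule: ("content-length", n), ("chunked", None) or None.
    Raises StrictHTTPError on anything that is not unambiguous.
    """
    if b"\r\n\r\n" not in raw:
        raise StrictHTTPError("incomplete head: no CRLFCRLF terminator")
    head, _body = raw.split(b"\r\n\r\n", 1)
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError as exc:
        raise StrictHTTPError("non-ASCII byte in request head") from exc
    lines = text.split("\r\n")
    # A bare LF is a classic point of disagreement between parsers; reject it.
    if any("\n" in line for line in lines):
        raise StrictHTTPError("bare LF in request head")

    match = REQUEST_LINE_RE.match(lines[0])
    if not match:
        raise StrictHTTPError(f"malformed request line: {lines[0]!r}")
    method, target = match.group(1), match.group(2)

    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            # obs-fold continuation lines are read differently by different products.
            raise StrictHTTPError("obsolete header line folding")
        if ":" not in line:
            raise StrictHTTPError(f"header line without colon: {line!r}")
        name, value = line.split(":", 1)
        if not TOKEN_RE.match(name):
            # Catches whitespace before the colon and other non-token characters.
            raise StrictHTTPError(f"invalid header name: {name!r}")
        headers.setdefault(name.lower(), []).append(value.strip(" \t"))

    content_length = headers.get("content-length", [])
    transfer_encoding = headers.get("transfer-encoding", [])
    if content_length and transfer_encoding:
        raise StrictHTTPError("Content-Length and Transfer-Encoding both present")

    framing = None
    if transfer_encoding:
        # Only a single, plain "chunked" coding is accepted.
        if transfer_encoding != ["chunked"]:
            raise StrictHTTPError(f"unsupported Transfer-Encoding: {transfer_encoding!r}")
        framing = ("chunked", None)
    elif content_length:
        # Exactly one header, and its value must be a plain decimal integer.
        if len(content_length) != 1 or not content_length[0].isdigit():
            raise StrictHTTPError(f"ambiguous Content-Length: {content_length!r}")
        framing = ("content-length", int(content_length[0]))

    return {"method": method, "target": target, "headers": headers, "framing": framing}


def accepts(raw: bytes) -> bool:
    """Convenience wrapper: True if the head passes strict parsing, else False."""
    try:
        parse_strict_request_head(raw)
    except StrictHTTPError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: one clean request and a few ambiguous ones to reject.
    samples = {
        "clean": b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nabc",
        "two lengths": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 3\r\nContent-Length: 8\r\n\r\nabc",
        "length plus chunked": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n",
        "space before colon": b"GET /a HTTP/1.1\r\nHost : x\r\n\r\n",
        "bare LF": b"GET /a HTTP/1.1\nHost: x\r\n\r\n",
    }
    for label, raw in samples.items():
        print(f"{label:20s} -> {'accept' if accepts(raw) else 'reject'}")
```

The validator does not try to guess which of two Content-Length values was "meant"; in a deny-by-default design the only safe answer to an ambiguous request is to drop it, because any reconciliation rule it picked could still differ from the rule used by the next hop.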
