Host of Troubles : Multiple Host Ambiguities in HTTP Implementations By Revanth Mohan rmoh937@aucklanduni.ac.nz

Perhaps the most permissive widely deployed protocol is HTTP. Although the request format is tightly specified [6], many implementations are quite broad in what they actually accept. Some variations appear harmless in a single product, but inconsistent interpretation between different parties can have drastic consequences. Attackers can exploit this permissiveness when two different devices interpret the same liberal response differently. The problem arises when an attacker can generate a direct HTTP request (such as by using Flash on a victim's web browser) where the request contains multiple, ambiguous mechanisms to define the target host, such as multiple Host headers or a Host header combined with an absolute URI in the request-line.

HTTP Protocol Client – Server Protocol Main Purpose : Used for locating resources by recipient Consists of : Request Line Request Header Optional Message Body Request Header consists of a header know as the “Host Header” which defines the Host. It is used for routing in an environment where multiple domains are mapped to the same IP Address. Host can also be represented in the absolute-URI. HTTP supports intermediates

Host Definition : A host is a computer that is connected to a network. The term usually refers to a computer that is connected to a TCP/IP network, including the Internet. Each host on such a network has a unique IP address. Different ways to define host in a request Host Header Request URI

Intermediates Forward Proxy (Downstream *) Interception Proxy / Transparent Cache Reverse Proxy (Upstream *) Content Delivery Networks Firewalls Downstream means intermediates closer to the origin of the request Upstream – Intermediates closer to the recipient

Problem – Multiple Host Ambiguities If one in-path device (such as acache proxy or firewall) interprets the request one way but the final destination (such as a Content Delivery Network (CDN) or other co-hosting service providers) interprets it differently, the result may be an exploitable semantic inconsistency. These can enable cache poisoning and filter bypass, which we frame as “Host of Troubles". What is multiple host ambiguity? An ambiguity caused by different ways in which a host is defined for a HTTP Request.

Different ways in which ambiguity occur: Multiple Host Header : several host headers used for a single request Space surrounded Host Header : spaces in front or back of the host header value Absolute-URI as request target : Both absolute-URI and host headers are used Upstream – Downstream combinations : Different interpretations at each level of intermediates.

RFC 2616 and RFC 7230 RFC – Request for Comment (RFC) is a formal document from the Internet Engineering Task Force ( IETF ) that is the result of committee drafting and subsequent review by interested parties. RFC 2616 - Multiple header fields with the same field-name MAY be present if and only if the entire field-value for that header field is defined as a comma- separated list. This means that multiple header fields are not allowed. RFC 7230 - A sender MUST NOT generate multiple header fields with the same field name in a message unless either the entire field value for that header field is defined as a comma-separated list [i.e., #(values)] or the header field is a well- known exception (like cookies).

Adverse Effects of Host Ambiguity HTTP Cache Poisoning

How it happens? User A makes an ambiguous request and request passes through a transparent cache Value at Host header is taken as the “HOST” by the transparent cache Site B is mapped/stored as Site A in the transparent cache Victim makes a request to Site A Victim is served with Site B instead of Site A

Security Policy Bypass

Findings 33 Implementations were used for conducting several studies including 6 servers, 2 transparent caches, 3 forward proxies, 7 reverse proxies, 8 CDNs, and 7 firewalls. 25 out of 33 tested implementations do not follow RFC 2616 or RFC 7230 specifications to reject requests containing multiple Host headers. Space surrounded host header : 10 distinct behaviours among 33 implementations. Only 5 implementations comply with RFC 2616 and 2 comply with RFC 7230. 16 implementations appear to forward space surrounded Host headers to the upstream 128 out of 202 cases of host inconsistency are between firewalls (downstream) and other implementations (upstream). RFC 2616 states that a request with multiple same name headers is allowed only if the value of this header is defined as a single comma-separated list, which implies that a request with multiple Host headers is invalid. RFC 7230 explicitly species that requests with multiple . Host headers must be reject with 400 Bad Request.

Study conducted on transparent caches A Flash applet hosted in 2 different servers under 3 domains was used to study the number of IP address vulnerable to cache poisoning attacks and it was discovered 15677 were vulnerable out of 16168 IP address. India is the most prone country for such attacks followed by Philipines, China and New Zealand. reported these to CERT/CC and affected vendors, who are actively addressing them.

Criticism Suggestions Black box testing procedure and methodologies were not discussed. The online-checker working, functionality was not discussed. Suggestions A governing organisation can be introduced to address this issue, CDN and other intermediates should get approval / endorsement before they go live. Security applications should intervene ambiguous requests made from the source and block them. Even though the black box testing for analysis of parsing and interpreting crafted ambiguous request was explained in a detailed manner, the exact method and procedures used were not discussed such as the request used the services that were targeted

asdfasdfasdf