Host of Troubles : Multiple Host Ambiguities in HTTP Implementations

Host of Troubles: Multiple Host Ambiguities in HTTP Implementations
Presented by Revanth Mohan (rmoh937@aucklanduni.ac.nz)

Perhaps the most permissive widely deployed protocol is HTTP. Although the request format is tightly specified [6], many implementations are quite broad in what they actually accept. Some variations appear harmless in a single product, but inconsistent interpretation between different parties can have drastic consequences. Attackers can exploit this permissiveness when two different devices interpret the same liberal request differently. The problem arises when an attacker can generate a direct HTTP request (for example from a Flash applet running in a victim's web browser) that contains multiple, ambiguous mechanisms for defining the target host, such as multiple Host headers, or a Host header combined with an absolute URI in the request-line.

HTTP Protocol
- Client-server protocol
- A request consists of a request line, request headers and an optional message body
- The request headers include the "Host" header, which names the host the request is intended for. The recipient uses it to locate the requested resource when multiple domains are mapped to the same IP address (virtual hosting)
- The host can also be given in the request line as an absolute-URI
- HTTP supports intermediaries between the client and the server

Host
Definition: a host is a computer that is connected to a network. The term usually refers to a computer connected to a TCP/IP network, including the Internet. Each host on such a network has a unique IP address.
Two ways to name the host in an HTTP request:
- the Host header
- the request-URI (an absolute-URI as the request target)

Intermediaries
- Forward proxy (downstream *)
- Interception proxy / transparent cache
- Reverse proxy (upstream *)
- Content Delivery Networks (CDNs)
- Firewalls
* Downstream means intermediaries closer to the origin of the request (the client); upstream means intermediaries closer to the recipient (the origin server). A request flows from downstream to upstream, so every hop gets to re-interpret it.

Problem: Multiple Host Ambiguities
If one in-path device (such as a cache proxy or firewall) interprets the request one way but the final destination (such as a Content Delivery Network (CDN) or other co-hosting service provider) interprets it differently, the result may be an exploitable semantic inconsistency. These inconsistencies can enable cache poisoning and filter bypass, which the paper frames as "Host of Troubles".
What is a multiple host ambiguity? An ambiguity caused by the different ways in which the host can be specified in a single HTTP request, combined with implementations disagreeing on which specification counts.

Ways in which the ambiguity occurs:
- Multiple Host headers: several Host header fields in a single request
- Space-surrounded Host header: whitespace before or after the Host header value
- Absolute-URI as request target: both an absolute-URI request line and a Host header are present, and they name different hosts
- Upstream/downstream combinations: a different interpretation at each level of intermediaries

RFC 2616 and RFC 7230
A Request for Comments (RFC) is a formal document from the Internet Engineering Task Force (IETF) that is the result of committee drafting and subsequent review by interested parties.
RFC 2616: "Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]." The Host field-value is a single host (with an optional port), not a list, so a request with more than one Host header is invalid under RFC 2616.
RFC 7230: "A sender MUST NOT generate multiple header fields with the same field name in a message unless either the entire field value for that header field is defined as a comma-separated list [i.e., #(values)] or the header field is a well-known exception" (the exception the RFC notes is Set-Cookie). RFC 7230 also requires a server to respond with 400 (Bad Request) to any HTTP/1.1 request that contains more than one Host header field, or a Host header field with an invalid field-value.

Adverse Effects of Host Ambiguity HTTP Cache Poisoning

How it happens
1. User A (the attacker) makes an ambiguous request that passes through a transparent cache; the request names Site A in one place (for example the Host header) and Site B in another (for example a second Host header or an absolute-URI request line).
2. The transparent cache takes the Host header value as the host, so it keys the response under Site A.
3. The upstream server resolves the same request to Site B, so Site B's content is stored in the cache as if it were Site A's.
4. A victim later makes a well-formed request to Site A through the same cache.
5. The victim is served Site B's content instead of Site A's.

Security Policy Bypass
The same inconsistency defeats host-based filtering: a downstream firewall or filtering proxy checks its policy against the host it extracts from the ambiguous request (an allowed site), while the upstream proxy, CDN or server routes the request to the other host named in it (a blocked site). The request reaches the blocked site without the filter ever matching its name.
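The following Python program is an added worked example, not code from the paper or from these slides. It parses an HTTP/1.1 request, resolves the host under four policies modelled on the inconsistent behaviours listed under "Ways in which the ambiguity occurs" (first Host field wins, last Host field wins, absolute-URI authority wins, leading whitespace only stripped), applies the RFC 7230 rule that exactly one syntactically valid Host field is required, and then wires a toy transparent cache and a toy firewall, each using its own policy, in front of a toy upstream to reproduce the cache-poisoning sequence and the security policy bypass described above. The host names victim.example and attacker.example, the requests and the page bodies are constructed for the example; the four policies are illustrative models, not the measured behaviour of any named product.

```python
# Constructed example: HTTP Host ambiguity under several resolution policies, the
# RFC 7230 check, and a toy transparent cache / firewall that the ambiguity defeats.
# Host names, requests and page bodies are made up for the example.
import re
from urllib.parse import urlsplit

HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")  # simplified uri-host[:port], no IPv6 literals

def parse_request(raw: bytes):
    """Return (method, request-target, [(lowercased-name, raw-value), ...]).
    Values keep surrounding whitespace so lenient parsers can be modelled."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value))
    return method, target, headers

def host_fields(headers):
    return [v for n, v in headers if n == "host"]

def path_of(target):
    return (urlsplit(target).path or "/") if "://" in target else target

# Host-resolution policies; each models a behaviour some implementation exhibits.
def host_first(target, headers):            # first Host field wins, OWS stripped
    hs = host_fields(headers)
    return hs[0].strip().lower() if hs else None

def host_last(target, headers):             # last Host field wins
    hs = host_fields(headers)
    return hs[-1].strip().lower() if hs else None

def host_absolute_uri(target, headers):     # RFC 7230 5.4: absolute-form authority wins
    return urlsplit(target).netloc.lower() if "://" in target else host_first(target, headers)

def host_keep_trailing_space(target, headers):  # lenient: strips leading whitespace only
    hs = host_fields(headers)
    return hs[0].lstrip().lower() if hs else None

def resolve_all(raw: bytes):
    """How one request reads under each policy; differing answers are the ambiguity."""
    _m, target, headers = parse_request(raw)
    return {p.__name__: p(target, headers)
            for p in (host_first, host_last, host_absolute_uri, host_keep_trailing_space)}

def rfc7230_check(raw: bytes):
    """None if a strict RFC 7230 server accepts the Host information, else the
    reason it must answer 400 Bad Request (RFC 7230 section 5.4)."""
    hs = host_fields(parse_request(raw)[2])
    if len(hs) != 1:
        return f"400: {len(hs)} Host header fields (exactly one required)"
    if not HOST_RE.match(hs[0].strip(" \t")):  # OWS around the value is legal, inner SP is not
        return f"400: invalid Host field-value {hs[0]!r}"
    return None

ORIGINS = {"victim.example": "VICTIM PAGE", "attacker.example": "ATTACKER PAGE"}

def upstream(raw: bytes, policy=host_absolute_uri):
    """Toy CDN / reverse proxy: picks the co-hosted origin by its own policy."""
    _m, target, headers = parse_request(raw)
    return ORIGINS.get(policy(target, headers), "404")

class TransparentCache:
    """Toy interception cache keyed on (host, path) under ITS policy; a miss forwards
    the original, still ambiguous bytes upstream unchanged."""
    def __init__(self, policy=host_first):
        self.policy, self.store = policy, {}

    def handle(self, raw: bytes):
        _m, target, headers = parse_request(raw)
        key = (self.policy(target, headers), path_of(target))
        if key not in self.store:
            self.store[key] = upstream(raw)
        return self.store[key]

def cache_poisoning_demo(cache_policy=host_first):
    """Attacker's request is keyed as victim.example by the cache but fetched from
    attacker.example by the upstream; a later clean victim request gets that page."""
    cache = TransparentCache(policy=cache_policy)
    cache.handle(b"GET http://attacker.example/index.html HTTP/1.1\r\nHost: victim.example\r\n\r\n")
    return cache.handle(b"GET /index.html HTTP/1.1\r\nHost: victim.example\r\n\r\n")

def filter_bypass_demo(blocked=("attacker.example",)):
    """Downstream firewall enforces its block list on the first Host field; the
    upstream routes on the last one, so the blocked site is reached anyway."""
    req = b"GET /index.html HTTP/1.1\r\nHost: victim.example\r\nHost: attacker.example\r\n\r\n"
    _m, target, headers = parse_request(req)
    if host_first(target, headers) in blocked:
        return "blocked by firewall"
    return upstream(req, policy=host_last)

if __name__ == "__main__":
    print(cache_poisoning_demo())                   # ATTACKER PAGE
    print(cache_poisoning_demo(host_absolute_uri))  # VICTIM PAGE: cache agrees with upstream
    print(filter_bypass_demo())                     # ATTACKER PAGE
```

Running cache_poisoning_demo() with the cache on the same policy as the upstream (host_absolute_uri) returns the victim's own page, which is the point of the paper: the attack needs two parties that disagree, so the fix is either consistent interpretation along the whole path or rejecting the ambiguous request outright, as rfc7230_check does for the multiple-Host case.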

Findings
- 33 implementations were studied: 6 servers, 2 transparent caches, 3 forward proxies, 7 reverse proxies, 8 CDNs and 7 firewalls.
- 25 of the 33 tested implementations do not follow RFC 2616 or RFC 7230 in rejecting requests that contain multiple Host headers.
- Space-surrounded Host header: 10 distinct behaviours among the 33 implementations. Only 5 comply with RFC 2616 and 2 comply with RFC 7230.
- 16 implementations appear to forward space-surrounded Host headers upstream unchanged.
- 128 of 202 cases of host inconsistency are between firewalls (downstream) and other implementations (upstream).
- RFC 2616 allows a request to carry several headers of the same name only if that header's value is defined as a single comma-separated list, which implies that a request with multiple Host headers is invalid. RFC 7230 explicitly specifies that requests with multiple Host headers must be rejected with 400 Bad Request.

Study conducted on transparent caches
A Flash applet hosted on 2 different servers under 3 domains was used to measure how many client IP addresses were vulnerable to cache poisoning attacks through transparent caches: 15,677 of 16,168 IP addresses were found vulnerable. India was the most affected country, followed by the Philippines, China and New Zealand. The authors reported these issues to CERT/CC and to the affected vendors, who are actively addressing them.

Criticism
- The black-box testing procedure and methodology were not discussed. Although the black-box testing used to analyse how implementations parse and interpret crafted ambiguous requests is explained in some detail, the exact methods and procedures were not given, such as the requests used and the services that were targeted.
- The workings and functionality of the online checker were not discussed.
Suggestions
- A governing organisation could be introduced to address this issue; CDNs and other intermediaries should obtain approval or endorsement before they go live.
- Security applications should intercept ambiguous requests at the source and block them.
