
Host of Troubles : Multiple Host Ambiguities in HTTP Implementations


1 Host of Troubles : Multiple Host Ambiguities in HTTP Implementations
By Revanth Mohan

2 Perhaps the most permissive widely deployed protocol is HTTP. Although the request format is tightly specified [6], many implementations are quite broad in what they actually accept. Some variations appear harmless within a single product, but inconsistent interpretation between different parties can have drastic consequences. Attackers can exploit this permissiveness when two different devices interpret the same liberal request differently. The problem arises when an attacker can generate a direct HTTP request (for example from a Flash applet running in a victim's web browser) that contains multiple, ambiguous mechanisms for naming the target host, such as multiple Host headers, or a Host header combined with an absolute URI in the request-line.

3 HTTP Protocol: Client-Server Protocol
Main purpose: locating resources on the recipient.
A request consists of:
- Request line
- Request headers
- Optional message body
The request headers include a header known as the "Host header", which names the target host. It is used for routing (virtual hosting) in an environment where multiple domains are mapped to the same IP address. The host can also be given in an absolute-URI request target. HTTP supports intermediaries between client and server.

4 Host Definition: A host is a computer that is connected to a network. The term usually refers to a computer connected to a TCP/IP network, including the Internet. Each host on such a network has a unique IP address.
Different ways to define the host in a request:
- Host header
- Request URI (absolute form in the request-line)

5 Intermediaries
- Forward proxy (downstream *)
- Interception proxy / transparent cache
- Reverse proxy (upstream *)
- Content delivery networks
- Firewalls
* Downstream here means intermediaries closer to the origin of the request (the client); upstream means intermediaries closer to the recipient (the origin server). Note that this is the convention used in this presentation; RFC 7230 defines the terms relative to message flow, so for a request the client is upstream and the server downstream.

6 Problem: Multiple Host Ambiguities
If one in-path device (such as a cache proxy or firewall) interprets the request one way but the final destination (such as a Content Delivery Network (CDN) or another co-hosting service provider) interprets it differently, the result may be an exploitable semantic inconsistency. These can enable cache poisoning and filter bypass, which the paper frames as "Host of Troubles".
What is multiple host ambiguity? An ambiguity caused by the different ways in which the host can be defined for an HTTP request, and by implementations that accept more than one of them in a single request.

7 Different ways in which ambiguity occurs:
- Multiple Host headers: several Host header fields in a single request.
- Space-surrounded Host header: whitespace before or after the Host header value.
- Absolute-URI as request target: the request-line carries an absolute URI while a Host header is also present, and the two may name different hosts.
- Upstream/downstream combinations: different interpretations at each level of intermediaries, so that the device that enforces policy or keys a cache acts on one host while the device that serves the response acts on another.

8 RFC 2616 and RFC 7230
A Request for Comments (RFC) is a formal document from the Internet Engineering Task Force (IETF) that is the result of committee drafting and subsequent review by interested parties.
RFC 2616: "Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list." Host is not defined as a comma-separated list, so a request with multiple Host headers is invalid under RFC 2616, even though the RFC does not say how a recipient must treat one.
RFC 7230: "A sender MUST NOT generate multiple header fields with the same field name in a message unless either the entire field value for that header field is defined as a comma-separated list [i.e., #(values)] or the header field is a well-known exception" (such as Set-Cookie). RFC 7230 additionally requires a server to respond with 400 Bad Request to a request that contains more than one Host header field.

9 Adverse Effects of Host Ambiguity
HTTP Cache Poisoning


11 How does it happen?
- User A (the attacker) makes an ambiguous request that passes through a transparent cache; the request names Site A in one place (for example the Host header) and Site B in another (for example the absolute URI in the request-line).
- The transparent cache takes the value of the Host header as the host, and keys the cache entry on Site A.
- The upstream (for example a CDN co-hosting both sites) resolves the same request to Site B, so Site B's content is stored in the cache under Site A.
- The victim later makes an ordinary request to Site A through the same cache.
- The victim is served Site B's content instead of Site A's.

12 Security Policy Bypass
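The cache poisoning chain on slide 11, the policy bypass named on this slide, and the multiple-Host, space-surrounded and absolute-URI variants of slides 7 and 8, as an added example that is not part of the original presentation or the paper's own code. It is a small Python simulation: the three lenient policies (first Host wins, last Host wins, absolute-URI wins) are simplified models of the kinds of behaviour the study groups implementations by, not any named product's code; the site names, the toy CDN and cache, and the request bytes are constructed; strict_host implements the RFC 7230 rules quoted on slide 8.

```python
"""Constructed simulation of HTTP Host ambiguity (added example, not from the
talk). The lenient policies model behaviour classes the study describes, not
any named product; the site names and request bytes are invented."""


class BadRequest(Exception):
    """Raised where RFC 7230 section 5.4 calls for a 400 Bad Request."""


def parse_request(raw):
    """(method, target, headers) for a raw HTTP/1.1 head; headers stay an
    ordered list of (lowercased name, unstripped value) so duplicate Host
    fields and surrounding whitespace survive for the policies below."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *field_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = [(n.strip().lower(), v) for n, _, v in
               (line.partition(":") for line in field_lines)]
    return method, target, headers

def host_values(headers):
    return [v for n, v in headers if n == "host"]

def split_absolute_form(target):
    """('authority', '/path') for an absolute-form target, else (None, target)."""
    if "://" not in target:
        return None, target
    authority, slash, path = target.split("://", 1)[1].partition("/")
    return authority, (slash + path) or "/"

# Lenient policies: the host a permissive implementation might act on.
def first_host(target, headers):
    return host_values(headers)[0].strip()

def last_host(target, headers):
    return host_values(headers)[-1].strip()

def uri_first(target, headers):
    return split_absolute_form(target)[0] or host_values(headers)[-1].strip()

def strict_host(target, headers):
    """RFC 7230: exactly one Host (else 400), optional whitespace trimmed, no
    embedded whitespace; an absolute-form authority outranks Host (sec. 5.5)."""
    hosts = host_values(headers)
    if len(hosts) != 1:
        raise BadRequest("400 Bad Request: %d Host fields" % len(hosts))
    host = hosts[0].strip(" \t")
    if not host or any(c.isspace() for c in host):
        raise BadRequest("400 Bad Request: invalid Host %r" % hosts[0])
    return split_absolute_form(target)[0] or host

SITES = {"site-a.example": "content of A", "site-b.example": "content of B"}

def make_cdn(policy):
    """Toy CDN co-hosting two customers, choosing one by its own policy."""
    def respond(raw):
        _, target, headers = parse_request(raw)
        return SITES.get(policy(target, headers), "404 unknown host")
    return respond

class TransparentCache:
    """In-path cache keyed on *its* idea of the host; misses go upstream."""
    def __init__(self, policy, upstream):
        self.policy, self.upstream, self.store = policy, upstream, {}

    def handle(self, raw):
        _, target, headers = parse_request(raw)
        key = (self.policy(target, headers), split_absolute_form(target)[1])
        if key not in self.store:
            self.store[key] = self.upstream(raw)
        return self.store[key]

# Constructed requests. ATTACK names site B in the request-line but site A in
# the Host field; DUAL_HOST and SPACED_HOST are the other slide-7 variants.
ATTACK = b"GET http://site-b.example/ HTTP/1.1\r\nHost: site-a.example\r\n\r\n"
VICTIM = b"GET / HTTP/1.1\r\nHost: site-a.example\r\n\r\n"
DUAL_HOST = b"GET / HTTP/1.1\r\nHost: allowed.example\r\nHost: blocked.example\r\n\r\n"
SPACED_HOST = b"GET / HTTP/1.1\r\nHost:   site-a.example \r\n\r\n"

def cache_poisoning(cache_policy, cdn_policy):
    """What the victim receives after the attacker's request went through."""
    cache = TransparentCache(cache_policy, make_cdn(cdn_policy))
    cache.handle(ATTACK)
    return cache.handle(VICTIM)

def filter_bypass(firewall_policy, origin_policy):
    """(host the firewall checks, host the origin serves) for DUAL_HOST."""
    _, target, headers = parse_request(DUAL_HOST)
    return firewall_policy(target, headers), origin_policy(target, headers)

def strict_check(raw):
    """Host the strict parser settles on, or the 400 message it raises."""
    _, target, headers = parse_request(raw)
    try:
        return strict_host(target, headers)
    except BadRequest as exc:
        return str(exc)

if __name__ == "__main__":
    print(cache_poisoning(first_host, uri_first))     # victim gets content of B
    print(cache_poisoning(strict_host, strict_host))  # both agree: content of A
    print(filter_bypass(first_host, last_host))       # firewall, origin disagree
    print(strict_check(DUAL_HOST), "|", strict_check(SPACED_HOST))
```

With a first-Host cache in front of an absolute-URI-first CDN, the victim's request for site A is answered with site B's content; when both sides apply the same strict rule the entry is keyed and served consistently. The dual-Host request shows the bypass: a firewall acting on the first Host sees allowed.example while an origin acting on the last Host serves blocked.example, whereas the strict parser rejects the request outright and trims, rather than forwards, the space-surrounded value.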

13 Findings
33 implementations were used in the studies: 6 servers, 2 transparent caches, 3 forward proxies, 7 reverse proxies, 8 CDNs, and 7 firewalls.
- 25 of the 33 tested implementations do not follow RFC 2616 or RFC 7230 in rejecting requests containing multiple Host headers. RFC 2616 allows multiple same-name headers only when the header's value is defined as a single comma-separated list, which implies that a request with multiple Host headers is invalid; RFC 7230 explicitly specifies that a request with multiple Host headers must be rejected with 400 Bad Request.
- Space-surrounded Host header: 10 distinct behaviours among the 33 implementations. Only 5 implementations comply with RFC 2616 and 2 comply with RFC 7230, and several implementations appear to forward space-surrounded Host headers to the upstream unchanged.
- 128 of the 202 cases of host inconsistency are between firewalls (downstream) and other implementations (upstream).

14 Study conducted on transparent caches
A Flash applet hosted on 2 different servers under 3 domains was used to measure how many client IP addresses sit behind transparent caches vulnerable to cache poisoning attacks (the counts are not reproduced in this transcript). India was the country most prone to such attacks, followed by the Philippines, China and New Zealand. The authors reported the issues to CERT/CC and the affected vendors, who are actively addressing them.

15 Criticism
- The black-box testing procedure and methodology were not discussed in detail. Even though the black-box analysis of how implementations parse and interpret crafted ambiguous requests was explained, the exact methods and procedures, such as the requests used and the services that were targeted, were not given.
- How the online checker works and what it tests was not discussed.
Suggestions
- A governing organisation could be introduced to address this issue; CDNs and other intermediaries should obtain approval or endorsement before they go live.
- Security applications should intercept ambiguous requests at the source and block them.


