W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2007

(Re: issue #93) Duplicated headers and security vulnerabilities

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Wed, 05 Dec 2007 03:28:35 +0900
To: ietf-http-wg <ietf-http-wg@w3.org>
Message-ID: <87k5nu8gbw.fsf@bluewind.rcis.aist.go.jp>

Dear members,

This is a security problem related to issue #93 and my previous mail
([NEW ISSUE] Content-Length and Transfer-Encoding: security implications).

Many servers and proxies accept messages containing two Content-Length: 
headers in different manners: some interpret the first header, and some 
do the latter.  This has caused "request/response smuggling attacks", 
when any pair of the server, the proxy, and the clients involved are 
interpreting those differently.  The outcome of the attack is severe: it 
allows cross-site content injection.  To fix this, I recommend to add the 
following note to the specification.

> Messages MUST NOT include any hop-to-hop header twice.  When the server 
> received such a request, it MUST respond with 400 (Bad Request) and 
> close the connection.  When the client received such a response, it MUST
> discard the response and close the connection.  The client MUST NOT
> accept any responses which follow such an invalid response in a
> keep-alive connection.

The requirement words may be "SHOULD" and "SHOULD NOT", and the restricted
headers can be limited to Connection, Transfer-Encoding, and Content-length.

Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[995DD3E1] fp[3C21 17D0 D953 77D3 02D7 4FEC 4754 40C1 995D D3E1]
Received on Tuesday, 4 December 2007 18:28:49 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:44 UTC