
Re: (issue 30) - concrete security-related examples

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 21 Jul 2009 11:37:38 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <717248FA-EE5E-4536-96FF-94ED4F1553DF@mnot.net>
To: Amit Klein <aksecurity@gmail.com>
Hi Amit,

Just making sure we've closed the loop here:


On 12/09/2008, at 6:05 AM, Amit Klein wrote:

> LWS should not be allowed between the field name and the colon. See the section 'The “Double CR in an HTTP header” technique (and the “header SP” technique)' in http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

p1 4.2:
No whitespace is allowed between the header field-name and colon. For security reasons, any request message received containing such whitespace MUST be rejected with a response code of 400 (Bad Request) and any such whitespace in a response message MUST be removed.

> Lone CR should not be allowed. See the section 'The “Double CR in an HTTP header” technique (and the “header SP” technique)' in http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf (NOTE: we dubbed it "double CR" because it is part of a sequence CR+CR+LF).

CRLF is specified, and the p1 A (Tolerant Applications) notes:
The line terminator for message-header fields is the sequence CRLF. However, we recommend that applications, when parsing such headers, recognize a single LF as a line terminator and ignore the leading CR.

> Invalid chars in field name: e.g. use of underscore for attack is discussed in http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html

Underscores are allowed in HTTP header field-names.

Cheers,


--
Mark Nottingham     http://www.mnot.net/
Received on Tuesday, 21 July 2009 01:38:26 GMT
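The three parsing rules the reply cites (whitespace between field-name and colon is rejected with 400 in a request but stripped in a response, a bare LF is accepted as a line terminator with the leading CR dropped, and underscore is a legal field-name character) as a small validating header parser; this is an added example, not code from the thread or from any HTTP implementation. Rejecting a CR that survives line splitting (the CR+CR+LF pattern the quoted mail describes) is this example's own strictness choice, not a rule stated in the mail.

```python
from __future__ import annotations
import re

# Field-name characters (token): underscore is a legal tchar, as the reply states.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Field-value characters accepted here: printable ASCII plus SP and HTAB.
# Rejecting anything else, including a stray CR, is this example's choice.
VALUE_RE = re.compile(rb"^[\t\x20-\x7e]*$")


class BadRequest(ValueError):
    """Raised where a server would answer 400 (Bad Request)."""


def split_header_lines(block: bytes) -> list[bytes]:
    """Split on CRLF, also accepting a bare LF and dropping the leading CR
    (p1 Appendix A, Tolerant Applications). Only one CR is dropped, so a
    CR+CR+LF ending leaves a CR in the line for the value check to catch."""
    lines = block.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # the final terminator leaves an empty tail
    return [ln[:-1] if ln.endswith(b"\r") else ln for ln in lines]


def parse_header_line(line: bytes, is_request: bool) -> tuple[str, str]:
    """Apply p1 4.2: whitespace between field-name and colon is rejected
    in a request and removed in a response."""
    name, sep, value = line.partition(b":")
    if not sep:
        raise BadRequest("header line without colon")
    if name != name.rstrip(b" \t"):
        if is_request:
            raise BadRequest("whitespace before colon in request header")
        name = name.rstrip(b" \t")
    if not TOKEN_RE.match(name):
        raise BadRequest("invalid character in field-name")
    if not VALUE_RE.match(value):
        raise BadRequest("control character in field-value")
    return name.decode("ascii"), value.strip(b" \t").decode("ascii")


def parse_headers(block: bytes, is_request: bool = True) -> list[tuple[str, str]]:
    """Parse a header block up to the blank line that ends it."""
    fields = []
    for line in split_header_lines(block):
        if line == b"":
            break  # end of headers
        fields.append(parse_header_line(line, is_request))
    return fields
```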
