W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2009

Re: (issue 30) - concrete security-related examples

From: Amit Klein <aksecurity@gmail.com>
Date: Tue, 21 Jul 2009 13:11:20 +0300
Message-ID: <26162adb0907210311l28de72b6oc7aaf85c3ca84e64@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hi Mark et al.

Please see my comment inline.


On Tue, Jul 21, 2009 at 4:37 AM, Mark Nottingham<mnot@mnot.net> wrote:
> Hi Amit,
> Just making sure we've closed the loop here:
> On 12/09/2008, at 6:05 AM, Amit Klein wrote:
>> LWS should not be allowed between the field name and the colon. See the
>> section 'The “Double CR in an HTTP header” technique (and the “header SP”
>> technique)' in http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
> p1 4.2:
> No whitespace is allowed between the header field-name and colon. For
> security reasons, any request message received containing such whitespace
> MUST be rejected with a response code of 400 (Bad Request) and any such
> whitespace in a response message MUST be removed.


>> Lone CR should not be allowed. See the section 'The “Double CR in an HTTP
>> header” technique (and the “header SP” technique)' in
>> http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf (NOTE: we dubbed
>> it "double CR" because it is part of a sequence CR+CR+LF).
> CRLF is specified, and the p1 A (Tolerant Applications) notes:
> The line terminator for message-header fields is the sequence CRLF. However,
> we recommend that applications, when parsing such headers, recognize a
> single LF as a line terminator and ignore the leading CR.


>> Invalid chars in field name: e.g. use of underscore for attack is
>> discussed in
>> http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
> Underscores are allowed in HTTP header field-names.

In such case, wouldn't there be collisions, e.g. User-Agent and
User_Agent both will map into the CGI env variable HTTP_USER_AGENT.
Received on Tuesday, 21 July 2009 10:12:07 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:50 UTC