W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2009

Re: p1-message-07 S 7.1.4

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Fri, 24 Jul 2009 19:10:32 +0200
To: Jamie Lokier <jamie@shareable.org>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1248455432.3103.13.camel@localhost.localdomain>
fre 2009-07-24 klockan 16:35 +0100 skrev Jamie Lokier:

> Can you describe these problems?  I've not heard of any problem with
> chunked response encoding, and it's very widely deployed.

Basically it makes the response splitting attack much easier, removing
any need of guessing response sizes and also completely defeats any
Content-Length the server manages to add before of the injected header
payload unless the receiver ignores specifications and verifies
Content-Length instead of ignoring it.

But as I said the damage is primarily isolated to the requested site,
and additionally the server of that site needs to be broken to exploit
it.

But me sitting on the proxy chair have a little harder time as I also
need to deal with certain "forgiving" proxies who sends shit back on me
when the server response is shit.. (not properly verifying message
boundaries wben there is excess data after the chunked encoding, or
mistakenly uses Content-Length for delimiting even when there is chunked
encoding), and in that situation the attack vector becomes serious.

Regards
Henrik
Received on Friday, 24 July 2009 17:11:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:08 GMT