- From: James M Snell <jasnell@gmail.com>
- Date: Tue, 31 Jul 2012 14:56:01 -0700
- To: Willy Tarreau <w@1wt.eu>
- Cc: ietf-http-wg@w3.org
- Message-ID: <CABP7RbeUeFo00+J7dknuqV0sgS=6Nh-BnUjuyRenAvg1wb+EEw@mail.gmail.com>
Definitely a fascinating read and I can certainly relate to many of the issues discussed. Reliable parsing within existing HTTP headers and the request URI can be a significant source of pain. Encoding issues and inconsistency between header definitions just make matters that much worse.

Unfortunately, despite the significant security concern that such issues represent (issues that I would argue are as significant, or in some cases more significant, than the question of mandatory TLS support), it would be next to impossible to fix (or at least improve upon) these various issues without making significant modifications to existing HTTP/1.1 semantics. I'd very much like to see such changes made within 2.0, but I'm afraid that I may be in the minority.

- James

On Tue, Jul 31, 2012 at 10:36 AM, Willy Tarreau <w@1wt.eu> wrote:
> Hi,
>
> Ivan Ristic recently presented a wide collection of methods to bypass
> web application firewalls using implementation differences in HTTP
> stacks:
>
> https://community.qualys.com/blogs/securitylabs/2012/07/25/protocol-level-evasion-of-web-application-firewalls
>
> While some of them have already been discussed to great extents, including
> here, I think it's worth a read and reminds us that we really need to
> address the ambiguities of request encoding if we want to make the web
> safer.
>
> Regards,
> Willy
Received on Tuesday, 31 July 2012 21:56:50 UTC