- From: Phillip Hallam-Baker <hallam@gmail.com>
- Date: Tue, 31 Jul 2012 15:08:35 -0700
- To: James M Snell <jasnell@gmail.com>
- Cc: Willy Tarreau <w@1wt.eu>, ietf-http-wg@w3.org
See http://xkcd.com/327/

In the Omnibroker spec I created a new type 'Label' as a subclass of string that is designed to help avoid this type of issue. A Label can contain any UNICODE character except for ASCII characters other than 0-9, a-z, A-Z, -, _.

The reason for this particular choice is that it excludes all the control characters used in pretty much every widely used scripting language. This does not provide complete protection against injection attacks, but the data types most commonly subject to injection attacks are things like usernames, indexes, labels and such.

On Tue, Jul 31, 2012 at 2:56 PM, James M Snell <jasnell@gmail.com> wrote:
> Definitely a fascinating read and I can certainly relate to many of the
> issues discussed. Reliable parsing within existing HTTP headers and the
> request URI can be a significant source of pain. Encoding issues and
> inconsistency between header definitions just makes matters that much worse.
> Unfortunately, despite the significant security concern that such issues
> represent (issues that I would argue are as significant, or in some cases
> more significant than the question of mandatory TLS support) it would be
> next to impossible to fix (or at least improve upon) these various issues
> without making significant modifications to existing HTTP/1.1 semantics. I'd
> very much like to see such changes made within 2.0, but I'm afraid that I
> may be in the minority.
>
> - James
>
> On Tue, Jul 31, 2012 at 10:36 AM, Willy Tarreau <w@1wt.eu> wrote:
>>
>> Hi,
>>
>> Ivan Ristic recently presented a wide collection of methods to bypass
>> web application firewalls using implementation differences in HTTP
>> stacks :
>>
>> https://community.qualys.com/blogs/securitylabs/2012/07/25/protocol-level-evasion-of-web-application-firewalls
>>
>> While some of them have already been discussed to great extents, including
>> here, I think it's worth a read and reminds us that we really need to
>> address the ambiguities of request encoding if we want to make the web
>> safer.
>>
>> Regards,
>> Willy
>>
>>
>

--
Website: http://hallambaker.com/
Received on Tuesday, 31 July 2012 22:09:03 UTC
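The Label rule described in Hallam-Baker's message (any Unicode character is allowed, but ASCII is restricted to 0-9, a-z, A-Z, '-' and '_') is easy to state and easy to get subtly wrong in practice. The following is an added example written for this page, not code from the Omnibroker spec or from any of the posters; the function names (`is_label`, `offending_chars`, `survives_nfkc`) and the sample inputs are my own constructions. Beyond the rule itself, it shows the kind of incompleteness the message concedes: a string that satisfies the Label rule can still turn into ASCII metacharacters if a downstream component applies NFKC normalization, because fullwidth forms such as U+FF1C fold to '<' and U+FF07 folds to the apostrophe.

```python
import unicodedata

# The ASCII characters a Label may contain, per the rule in the message.
# Every non-ASCII code point (ord >= 0x80) is allowed unconditionally.
ALLOWED_ASCII = frozenset(
    "0123456789"
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "-_"
)


def offending_chars(s: str) -> list[str]:
    """Return the ASCII characters in s that the Label rule forbids, in order."""
    return [ch for ch in s if ord(ch) < 0x80 and ch not in ALLOWED_ASCII]


def is_label(s: str) -> bool:
    """True if s satisfies the Label rule: no ASCII outside [0-9A-Za-z_-].

    Note that the rule says nothing about the empty string; this checker
    accepts it, which is an assumption of this example, not of the spec.
    """
    return not offending_chars(s)


def survives_nfkc(s: str) -> bool:
    """Caveat check (my addition, not part of the rule as stated).

    Some consumers normalize Unicode before using a value. Under NFKC,
    compatibility characters such as fullwidth punctuation fold to their
    ASCII equivalents, so a string that passes is_label() may no longer
    pass once normalized. Returns True only if the normalized form is
    still a valid Label.
    """
    return is_label(unicodedata.normalize("NFKC", s))


def classify(s: str) -> str:
    """Summarize how a candidate value fares under the rule and the caveat."""
    if not is_label(s):
        return "rejected: " + repr(offending_chars(s))
    if not survives_nfkc(s):
        return "accepted, but folds to forbidden ASCII under NFKC"
    return "accepted"


# Constructed sample inputs. The third is the payload from xkcd 327 that the
# message links to; the last two use fullwidth forms of '<', '>' and "'".
SAMPLES = [
    "bobby_tables-42",
    "Jürgen_Müller",
    "Robert'); DROP TABLE Students;--",
    "<script>alert(1)</script>",
    "user\r\nX-Injected: 1",
    "\uff1cscript\uff1e",
    "Robert\uff07",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} -> {classify(sample)}")
```

The first function is the whole of the stated rule; everything else is the check a reviewer would add next. A system that applies the Label rule at the edge and then hands the value to a component that normalizes (or transliterates, or case-folds) has only moved the injection boundary, not removed it, which is why the message is careful to call this partial protection.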