Re: HTTP/2: Another reason to find a safer encoding

From: Zhong Yu <zhong.j.yu@gmail.com>
Date: Tue, 31 Jul 2012 19:24:12 -0500
Message-ID: <CACuKZqH4k0BboL+397gHQYoUG7+E2Lvz371CB58df-RED2Kniw@mail.gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: ietf-http-wg@w3.org
On Tue, Jul 31, 2012 at 12:36 PM, Willy Tarreau <w@1wt.eu> wrote:
> Hi,
>
> Ivan Ristic recently presented a wide collection of methods to bypass
> web application firewalls using implementation differences in HTTP
> stacks:
>
>    https://community.qualys.com/blogs/securitylabs/2012/07/25/protocol-level-evasion-of-web-application-firewalls
>
> While some of them have already been discussed to great extents, including
> here, I think it's worth a read and reminds us that we really need to
> address the ambiguities of request encoding if we want to make the web
> safer.

What do you have in mind?

The problem is that implementations tend to be liberal in accepting
inputs. That is mostly due to laziness - being strict is harder. As
long as an input can be mapped to an acceptable value, no harm is done
to the internal state, therefore there's no incentive for
implementations to reject illegal inputs. This is the reality, no
matter how sternly the spec emphasizes the MUST NOTs.

Zhong Yu
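An added illustration (not code from this thread) of the point above: a liberal header parser that maps any input to some value, beside a strict one that refuses header blocks whose meaning could differ between HTTP stacks. The grammar rules it enforces (CRLF, RFC 7230 token field-names, no obs-fold, no conflicting duplicates) and the function names are my assumptions, not anything the thread specifies.

```python
import re
from typing import Dict, Optional

# RFC 7230 tchar set for a header field-name, and VCHAR/obs-text for a value.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_VALUE = re.compile(rb"^[\t\x20-\x7e\x80-\xff]*$")

def parse_headers_lenient(raw: bytes) -> Dict[bytes, bytes]:
    """Mimics a typical liberal parser: splits on bare LF, trims around the
    colon, lowercases names, lets the last duplicate win; never rejects."""
    headers: Dict[bytes, bytes] = {}
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if b":" not in line:
            continue  # silently drop what cannot be mapped
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_headers_strict(raw: bytes) -> Dict[bytes, bytes]:
    """Accepts only header blocks every conforming stack reads the same way:
    CRLF endings, token names with no space before the colon, no obs-fold,
    printable values, no duplicate with a conflicting value; else raises."""
    if not raw.endswith(b"\r\n") or b"\n" in raw.replace(b"\r\n", b""):
        raise ValueError("line endings must be CRLF")
    headers: Dict[bytes, bytes] = {}
    for line in raw[:-2].split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding is not allowed")
        name, sep, value = line.partition(b":")
        value = value.strip(b" \t")
        if not sep or not _TOKEN.match(name) or not _VALUE.match(value):
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower()
        if key in headers and headers[key] != value:
            raise ValueError(f"conflicting duplicate header: {key!r}")
        headers[key] = value
    return headers

def strict_rejection(raw: bytes) -> Optional[str]:
    """Reason the strict parser rejects raw, or None if it is accepted."""
    try:
        parse_headers_strict(raw)
    except ValueError as exc:
        return str(exc)
    return None
```

Feed both parsers a constructed block such as `b"Host: a\nContent-Length: 5\r\ncontent-length: 6\r\n"`: the lenient one returns a dictionary with the last Content-Length, the strict one reports the bare LF, which is exactly the class of difference a filter in front of an origin cannot resolve on the origin's behalf.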
Received on Wednesday, 1 August 2012 00:24:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 1 August 2012 00:24:46 GMT