- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Fri, 24 Jul 2009 19:10:32 +0200
- To: Jamie Lokier <jamie@shareable.org>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Fri 2009-07-24 at 16:35 +0100, Jamie Lokier wrote:

> Can you describe these problems? I've not heard of any problem with
> chunked response encoding, and it's very widely deployed.

Basically it makes the response splitting attack much easier, removing any need of guessing response sizes, and also completely defeats any Content-Length the server manages to add before the injected header payload, unless the receiver ignores specifications and verifies Content-Length instead of ignoring it.

But as I said, the damage is primarily isolated to the requested site, and additionally the server of that site needs to be broken to exploit it.

But I, sitting in the proxy chair, have a little harder time, as I also need to deal with certain "forgiving" proxies who send shit back at me when the server response is shit (not properly verifying message boundaries when there is excess data after the chunked encoding, or mistakenly using Content-Length for delimiting even when there is chunked encoding), and in that situation the attack vector becomes serious.

Regards
Henrik
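The two receiver defects Henrik names (delimiting by Content-Length when Transfer-Encoding: chunked is present, and passing along bytes left over after the last chunk) are both things a proxy can check for before it forwards anything. The following is an added illustration, not code from the message or from any proxy discussed on the list: a strict framing routine that follows the HTTP/1.1 rule that Transfer-Encoding overrides Content-Length, decodes the chunked body, and reports the conditions a proxy should treat as fatal for the connection. The sample response is constructed for the example; the function names are the example's own.

```python
# Strict HTTP/1.1 response framing check (added example, not from the message).
# Assumes a complete response buffer; handles identity and chunked coding only.


def parse_headers(raw: bytes):
    """Split status line + header block from the body; header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def decode_chunked(body: bytes):
    """Decode a chunked body; return (payload, bytes left after the last chunk).

    Raises ValueError on malformed chunk framing.
    """
    payload = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError("bad chunk size %r" % size_field)
        pos = end + 2
        if size == 0:
            # last-chunk: skip optional trailer lines up to the empty line
            while True:
                end = body.find(b"\r\n", pos)
                if end == -1:
                    raise ValueError("truncated trailer section")
                line = body[pos:end]
                pos = end + 2
                if line == b"":
                    break
            return bytes(payload), body[pos:]
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data does not match declared size")
        payload += chunk
        pos += size + 2


def frame_response(raw: bytes):
    """Return (payload, problems); a non-empty problems list means: do not forward."""
    _status, headers, body = parse_headers(raw)
    problems = []
    codings = [t.strip().lower()
               for v in headers.get(b"transfer-encoding", []) for t in v.split(b",")]
    cl = headers.get(b"content-length", [])
    chunked = b"chunked" in codings
    if chunked and cl:
        # Transfer-Encoding wins and Content-Length must be ignored; seeing both
        # is itself a sign of a broken (or tampered-with) message.
        problems.append("both Transfer-Encoding: chunked and Content-Length present")
    if chunked:
        try:
            payload, excess = decode_chunked(body)
        except ValueError as e:
            return b"", problems + ["malformed chunked body: %s" % e]
        if excess:
            problems.append("%d excess bytes after last chunk" % len(excess))
        return payload, problems
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    if cl:
        n = int(cl[0])
        if len(body) != n:
            problems.append("body length %d != Content-Length %d" % (len(body), n))
        return body[:n], problems
    return body, problems


# Constructed sample: conflicting framing headers plus bytes after the last chunk.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"\r\n"
    b"EXTRA"
)

# Constructed sample: well-formed chunked response, nothing to report.
CLEAN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, msg in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        payload, problems = frame_response(msg)
        print(name, payload, problems)
```

On SAMPLE the payload is the five chunked bytes, and the problems list carries both findings: the conflicting headers and the five leftover bytes. A receiver that instead honoured the Content-Length of 5 would treat "5\r\nh" as the body and leave the rest on the connection as the start of the next response, which is exactly the boundary confusion the message describes.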
Received on Friday, 24 July 2009 17:11:12 UTC