Host of Troubles: Multiple Host Ambiguities in HTTP Implementations

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security Pub Date : 2016-10-24 DOI:10.1145/2976749.2978394

Jianjun Chen, Jian Jiang, Haixin Duan, N. Weaver, Tao Wan, V. Paxson

{"title":"Host of Troubles: Multiple Host Ambiguities in HTTP Implementations","authors":"Jianjun Chen, Jian Jiang, Haixin Duan, N. Weaver, Tao Wan, V. Paxson","doi":"10.1145/2976749.2978394","DOIUrl":null,"url":null,"abstract":"The Host header is a security-critical component in an HTTP request, as it is used as the basis for enforcing security and caching policies. While the current specification is generally clear on how host-related protocol fields should be parsed and interpreted, we find that the implementations are problematic. We tested a variety of widely deployed HTTP implementations and discover a wide range of non-compliant and inconsistent host processing behaviours. The particular problem is that when facing a carefully crafted HTTP request with ambiguous host fields (e.g., with multiple Host headers), two different HTTP implementations often accept and understand it differently when operating on the same request in sequence. We show a number of techniques to induce inconsistent interpretations of host between HTTP implementations and how the inconsistency leads to severe attacks such as HTTP cache poisoning and security policy bypass. The prevalence of the problem highlights the potential negative impact of gaps between the specifications and implementations of Internet protocols.","PeriodicalId":432261,"journal":{"name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","volume":"403 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"28","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2976749.2978394","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 28

Abstract

The Host header is a security-critical component in an HTTP request, as it is used as the basis for enforcing security and caching policies. While the current specification is generally clear on how host-related protocol fields should be parsed and interpreted, we find that the implementations are problematic. We tested a variety of widely deployed HTTP implementations and discover a wide range of non-compliant and inconsistent host processing behaviours. The particular problem is that when facing a carefully crafted HTTP request with ambiguous host fields (e.g., with multiple Host headers), two different HTTP implementations often accept and understand it differently when operating on the same request in sequence. We show a number of techniques to induce inconsistent interpretations of host between HTTP implementations and how the inconsistency leads to severe attacks such as HTTP cache poisoning and security policy bypass. The prevalence of the problem highlights the potential negative impact of gaps between the specifications and implementations of Internet protocols.

查看原文本刊更多论文

问题主机:HTTP实现中的多主机歧义

Host头是HTTP请求中的安全关键组件，因为它被用作实施安全和缓存策略的基础。虽然目前的规范对如何解析和解释与主机相关的协议字段大致是清楚的，但我们发现实现是有问题的。我们测试了各种广泛部署的HTTP实现，并发现了大量不兼容和不一致的主机处理行为。特别的问题是，当面对一个带有模糊主机字段的精心制作的HTTP请求时(例如，有多个host标头)，两个不同的HTTP实现在按顺序操作同一个请求时，通常会以不同的方式接受和理解它。我们展示了许多技术来诱导HTTP实现之间对主机的不一致解释，以及这种不一致如何导致HTTP缓存中毒和安全策略绕过等严重攻击。这个问题的普遍存在突出了Internet协议的规范和实现之间的差距的潜在负面影响。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

自引率

0.00%

发文量