Circumventing Security Systems With Dubious HTTP Responses


Circumventing Security Systems With Dubious HTTP Responses

Brian Smith-31
"Circumventing Security Systems With Dubious HTTP Responses":
http://noxxi.de/research/dubious-http.html

Does anybody see any action items here?
_______________________________________________
dev-tech-network mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-network

Re: Circumventing Security Systems With Dubious HTTP Responses

Stefan Arentz-5

On Jun 13, 2013, at 12:46 AM, Brian Smith <[hidden email]> wrote:

> "Circumventing Security Systems With Dubious HTTP Responses":
> http://noxxi.de/research/dubious-http.html
>
> Does anybody see any action items here?

The "Multipart MIME Responses" bit is really interesting. So if I understand correctly:

1) a server under control of an attacker can send a multipart response with multiple HTML parts
2) we ignore all parts except the *last* one (which is probably the right thing to do)
3) malware detection proxies/filters might ignore all parts except the *first* one

(There is no mention of specific software that does #3 so that part is a bit vague but I could see how an attacker could abuse that.)

I don’t know if this is a common technique that is used in the wild. If it is then we might want to consider changing our logic for multipart and render the *first* part received. That would close this loophole.

Not sure if that would break any existing legit apps that might depend on the current multipart behaviour though.

 S.


Re: Circumventing Security Systems With Dubious HTTP Responses

Trevor Jim-2
Stefan Arentz <[hidden email]> writes:

> I don’t know if this is a common technique that is used in the wild.

This is a particular example of a technique that is used in the wild.

It is a consequence of Postel's Law.  I call it a "Postel Bug".

Software that accepts "out-of-spec" inputs in order to interoperate
necessarily does so on an ad hoc basis.  So, two different
implementations can treat malformed inputs differently.  This is exactly
what is happening with the malware detection software and your software.

I've written up some other examples here:

    http://trevorjim.com/postels-law-and-network-security/
    http://trevorjim.com/postels-law-and-security-again/
    http://trevorjim.com/postels-law-is-not-for-you/

-Trevor
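Stefan's three-step description above and Trevor's point that two implementations handle the same malformed input differently, as an added example that is not part of this thread or of the noxxi.de write-up. The response bytes are constructed, the boundary splitting is a simplified RFC 2046 parser (an assumption for illustration, not Firefox's code or any filter's), and last_part_policy / first_part_policy are hypothetical names for the two behaviours the thread describes. The defensive point is inspect_response: enumerate every part and treat disagreement between parts as the signal to scan all of them rather than just one.

```python
import re

# Constructed sample response (built for this example, not taken from the
# paper or the thread): one HTTP response whose body carries three HTML parts.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: multipart/x-mixed-replace; boundary=XXXX\r\n"
    b"\r\n"
    b"--XXXX\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>part one</html>\r\n"
    b"--XXXX\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>part two</html>\r\n"
    b"--XXXX\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>part three</html>\r\n"
    b"--XXXX--\r\n"
)


def split_response(raw):
    """Separate the status line and headers from the body of a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def boundary_of(content_type):
    """Pull the boundary parameter out of a multipart Content-Type value."""
    m = re.search(rb'boundary="?([^";]+)"?', content_type, re.IGNORECASE)
    return m.group(1) if m else None


def multipart_parts(body, boundary):
    """Return the body of every part, in order (simplified RFC 2046 splitting)."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter: done
            break
        if chunk.startswith(b"\r\n"):          # CRLF that ends the delimiter line
            chunk = chunk[2:]
        if chunk.startswith(b"\r\n"):          # part with an empty header block
            part_body = chunk[2:]
        else:
            _, _, part_body = chunk.partition(b"\r\n\r\n")
        if part_body.endswith(b"\r\n"):        # CRLF before the next delimiter belongs to it
            part_body = part_body[:-2]
        parts.append(part_body)
    return parts


def last_part_policy(parts):
    """What the thread says the browser does: render only the last part."""
    return parts[-1] if parts else b""


def first_part_policy(parts):
    """What the thread suspects some filters do: look only at the first part."""
    return parts[0] if parts else b""


def inspect_response(raw):
    """Defensive view: enumerate every part and flag a response whose parts disagree."""
    headers, body = split_response(raw)
    ctype = headers.get(b"content-type", b"")
    if not ctype.lower().startswith(b"multipart/"):
        return {"multipart": False, "parts": [body], "divergent": False}
    boundary = boundary_of(ctype)
    parts = multipart_parts(body, boundary) if boundary else [body]
    return {"multipart": True, "parts": parts, "divergent": len(set(parts)) > 1}


if __name__ == "__main__":
    report = inspect_response(SAMPLE_RESPONSE)
    print("parts found:", len(report["parts"]))
    print("browser (last part) would render:", last_part_policy(report["parts"]))
    print("first-part filter would inspect: ", first_part_policy(report["parts"]))
    print("parts disagree, scan all of them:", report["divergent"])
```

Run as a script it shows the same bytes being read as "part one" by one policy and "part three" by the other; a filter that applies inspect_response sees three parts and a divergent flag, which is the condition under which picking any single part to scan is unsafe.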