host ambiguities
play

Host Ambiguities Host of Troubles: Multiple Ho in HTTP - PowerPoint PPT Presentation

Jan 01, 2024 •388 likes •731 views

Host Ambiguities Host of Troubles: Multiple Ho in HTTP Implementations Jianjun Chen , Jian Jiang, Haixin Duan, Nicholas Weaver, Tao Wan, Vern Paxson 1 Multiparty interactions in current Internet Website Transparent Firewall Forward Browser

  1. Host Ambiguities Host of Troubles: Multiple Ho in HTTP Implementations Jianjun Chen , Jian Jiang, Haixin Duan, Nicholas Weaver, Tao Wan, Vern Paxson 1

  2. Multiparty interactions in current Internet Website Transparent Firewall Forward Browser CDN Cache Proxy IDS Ambiguity between different parties could cause security problems. 2

  3. Previous works about ambiguity • HTTP request smuggling [Linhart 2005] • Exploiting ambiguity of Content-Length header • HTTP Evader [Ullrich 2013] • Exploits multiple ambiguities of HTTP response headers (Content-Encoding .etc) • Host header attacks [Kettle 2013] • Exploiting insufficient input validation of host-related variables in web applications • Leading to phishing, cross-site scripting. 3

  4. Our work • We present “Host of Troubles” attacks, that can cause severe security consequences, such as cache poisoning and filter bypass. • 3 types of techniques • We studied 33 popular HTTP implementations, and identified a large range of potential exploits. • We conducted a large scale measurement and found that around 97% of Internet users served by a transparent cache are subject to cache poisoning attacks. 4

  5. Outline • Overview of HTTP Host header • Three techniques leading to Host header ambiguity • Five attacks exploiting Host header ambiguity • Large scale measurement of transparent cache poisoning • Concluding remarks 5

  6. How HTTP requests are processed Text message GET / HTTP/1.1\r\nHost: a.com\r\nUser-Agent:Mozilla… Parse GET / HTTP/1.1 Protocol fields host a.com user-agent Mozilla … Interpret Semantic structure Further action 6

  7. Host – A critical HTTP field Ho Routing A.com Routing Caching B.com Forward Transparent Firewall IDS CDN Website Browser Proxy Cache Locating Caching Identification Ambiguity between different parties can cause disastrous consequences 7

  8. Outline • Overview of HTTP Host header • Three techniques leading to Host header ambiguity • Five attacks exploiting host header ambiguity • Large scale measure of transparent cache poisoning • Concluding remarks 8

  9. Technique 1: Multiple Host header GET / HTTP/1.1 GET / HTTP/1.1 Host: a.com Host: a.com Host: b.com Host: b.com Upstream Downstream Client Host: b.com Host: a.com HTTP standard (HTTP/1.1) • RFC 2616 (obsoleted), implicitly requires rejection. • RFC 7230 (latest), explicitly requires rejection. 9

  10. How do implementations handle requests with multiple Host header? Implementation Preference Implementation Preference Implementation Preference Apache Concatenate Akamai First Bitdefender First IIS Reject Alibaba First ESET Last Nginx First Azure Reject Huawei First Tomcat First CloudFlare First Kaspersky First ATS First CloudFront First OS X Concatenate Squid First Fastly Reject PAN First Varnish Reject Tencent Last Windows First Most implementations don’t follow RFC7230 • Some implementations are inconsistent with others • 10

  11. Technique 2: Space-surrounded Host Header GET / HTTP/1.1 GET / HTTP/1.1 Space Host: a.com ⊔ Host: a.com ⊔ Host: b.com Host: b.com Upstream Downstream Client (Treat space-preceded Host as Host) (Treat space-preceded as new header) Host: a.com Host: b.com HTTP standard Space-preceded Host Other space- Space b/w Host as first header preceded Host header and ‘:’ RFC 2616 Reject (implicit) Line folding Recognize (implicit) RFC 7230 Reject Reject Reject 11

  12. How implementations handle requests with space-surrounded Host Header? Space-preceded Other space- Space- Host as first preceded Host succeeded header header Host header Server Apache Not recognize Line folding Recognize IIS Recognize Line folding Recognize Nginx Not recognize Not recognize Not recognize Transparent ATS Not recognize Not recognize Not recognize Cache Squid Recognize Recognize Recognize CDN Akamai Recognize Recognize Recognize Alibaba Not recognize Not recognize Not recognize CloudFlare Not recognize Not recognize Not recognize Tencent Recognize Recognize Recognize Firewall Huawei Not recognize Not recognize Not recognize PAN Not recognize Not recognize Not recognize Most implementations don’t follow RFC7230 and vary in processing • space-surrounded Host headers 12

  13. Technique 3: Absolute-URI as request-target GET http://a.com/ HTTP/1.1 GET http://a.com/ HTTP/1.1 Host: b.com Host: b.com Upstream Downstream Client Host: b.com Host: a.com GET nohttp://a.com/ HTTP/1.1 GET nohttp://a.com/ HTTP/1.1 Host: b.com Host: b.com Upstream Downstream Client Host: b.com Host: a.com 13

  14. Technique 3: Absolute-URI as request-target HTTP standard Preference Schema RFC 2616 Absolute-URI Not specified RFC 7230 Absolute-URI Not specified HTTP implementations For preference between absolute uri and Host header • Except Akamai � other implementations follow RFC • 14

  15. How do different implementations handle absolute-URI? Implementation Implementation Implementation Schema Scheme Scheme Apache HTTP only Akamai HTTP/S Bitdefender any IIS HTTP/S Alibaba any ESET any Nginx any Azure HTTP/S Huawei any Tomcat HTTP/S CloudFlare any Kaspersky any ATS any CloudFront any OS X HTTP only Squid HTTP only Fastly HTTP only PAN HTTP/S Varnish HTTP only Tencent HTTP only Windows any The space of Host ambiguity increases once again! 15

  16. Outline • Overview of HTTP Host header • Three techniques leading to Host header ambiguity • Five attacks exploiting host header ambiguity • Large scale measure of transparent cache poisoning • Concluding remarks 16

  17. Attacks exploiting host ambiguity • Cache poisoning Attacks • Cache poisoning co-hosting website • Cache poisoning co-CDN website • Cache poisoning any HTTP website • Bypass security policy • Bypass firewall filtering policy • Bypass WAF 17

  18. Attack 1: Cache poisoning co- hosting website GET / HTTP/1.1 GET / HTTP/1.1 Host: victim.com Doesnt:matter Doesnt:matter Host: attack.com attack.com Host: attack.com Host: victim.com victim.com Squid Attacker Akamai Host: attack.com Host: victim.com Requirement: co-hosting of attack.com and victim.com Consequence: CDN cache poisoning 18

  19. Attack 2: Cache poisoning co-CDN website GET / HTTP/1.1 GET / HTTP/1.1 Doesnt:matter Doesnt:matter Host: attack.com Host: attack.com attack.com Host: victim.com Host: victim.com victim.com Apache Traffic Server Akamai Attacker (Transparent cache) Host: attack.com Host: victim.com Requirement: co-CDN of attack.com and victim.com Consequence: transparent cache poisoning 19

  20. Attack 3: Cache poisoning any HTTP website ( CVE-2016-4553 ) Victim Squid Attack.com Attacker User (Transparent cache) IP:1.1.1.1 TCP connect 1.1.1.1 1 GET http://victim.com HTTP/1.1 Host:attack.com 2 attack.com == 3 1.1.1.1? Yes! malware 4 cache as http:// GET / HTTP/1.1 5 victim.com Host: victim.com 6 malware 7 Requirement: no condition for victim website Consequence: transparent cache poisoning 20

  21. Attack 4: Firewall bypass GET / HTTP/1.1 GET / HTTP/1.1 Host: block.com Host: block.com block.com Host: allow.com Host: allow.com ESET Nginx Attacker (Firewall) Host: block.com Host: allow.com ESET firewall doesn’t allow client to visit block.com. 21

  22. Attack 5: WAF bypass GET any://WAFallow.com HTTP/1.1 GET / HTTP/1.1 WAFblock.com Host: WAFblock.com Host: WAFblock.com Attacker Nginx CloudFlare Host: WAFblock.com Host: WAFallow.com CloudFlare customer WAFblock.com uses CloudFlare’s Web Application Firewall(WAF) to block SQL injection attacks. 22

  23. How Prevalent are Upstream/Downstream vulnerabilities? 202 different combinations that could be exploited. 23

  24. Outline • Overview of HTTP Host header • Three techniques leading to Host header ambiguity • Attacks exploiting host header ambiguity • Large scale measurement of transparent cache poisoning • Concluding remarks 24

  25. Measurement set up • Online Flash advertisement • Testing environment set up Our servers Flash Ads Internet • 16 different test cases • 11 of them to detect co-hosting cache poisoning • 5 of them to detect general cache poisoning 25

  26. Execution of test cases • Utorrent PC advertising , 1.5M impressions, $110 • Hosted by a large website, 3/11/2016 to 3/31/2016 Geographical distribution of involved clients 26

  27. Measurement results • Utorrent ads • 16,168 IPs detected ISP caches • Among them, 15,677 (96.9%) IPs can be exploited • Website ads • 1,376 IPs detected ISP caches • Among them, 1,331 (96.7%) IPs can be exploited 97% of users served by transparent caches could have been poisoned. 27

  28. Responsible disclosure • Cache poisoning • Squid � Fixed, CVE-2016-4553, CVE-2016-4554 • Akamai � Fixed • Tencent � Fixed • Alibaba � Fixed • Apache Traffic Server � Confirmed • Filter bypass • Palo Alto Networks � add new option � Fixed • Huawei � add new option � Fxied • ESET � Fixed • CloudFlare � Fixed • Fastly � Fixing 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ambiguities: Latent and Patent Hal Moeller, Contract Administrator UMDNJ TPAC May 18,

Ambiguities: Latent and Patent Hal Moeller, Contract Administrator UMDNJ TPAC May 18,

Ambiguities: Latent and Patent Hal Moeller, Contract Administrator UMDNJ TPAC May 18, 2011 Ambiguities Discrepancies in specifications Omissions Significant conflicts within the specifications Ambiguities = Unexpected

150 views • 12 slides
Interview Review: an empirical study on detecting ambiguities in requirements elicitation

Interview Review: an empirical study on detecting ambiguities in requirements elicitation

Interview Review: an empirical study on detecting ambiguities in requirements elicitation interviews Paola Spoletini Kennesaw State University, USA Alessio Ferrari ISTI-CNR, Italy Muneera Bano SUT Melbourne, Australia Didar Zowghi UTS

1.02k views • 69 slides
Thinking about programming Understand the specification Ambiguities? Missing pieces?

Thinking about programming Understand the specification Ambiguities? Missing pieces?

Thinking about programming Understand the specification Ambiguities? Missing pieces? Finding classes focus on what, not how what are responsibilities? collaborations? Planning for change what classes can help make

185 views • 6 slides
Nektarios Georgios Tsoutsos HOST HOST DATA PROG data(23:0) we ready_int almost_full Host IF

Nektarios Georgios Tsoutsos HOST HOST DATA PROG data(23:0) we ready_int almost_full Host IF

Alex Glass Albert Jimenez Nektarios Georgios Tsoutsos HOST HOST DATA PROG data(23:0) we ready_int almost_full Host IF sof size_x size_y almost_full BUF_FIFO Pipeline Controller JFIF GEN receiver m u x RGB DCT ZIG Huffman

292 views • 14 slides
Using DNS for Mapping Using DNS for Mapping Host Identifiers to Locators Host Identifiers to

Using DNS for Mapping Using DNS for Mapping Host Identifiers to Locators Host Identifiers to

Using DNS for Mapping Using DNS for Mapping Host Identifiers to Locators Host Identifiers to Locators Oleg Ponomarev 24 March 2009 IETF74, San Francisco OUTLINE OUTLINE Current situation Storage conventions Usage HOST IDENTITY

225 views • 18 slides
The Gray Zones: Ambiguities in What do all these stories Hospital and Physician have in common?

The Gray Zones: Ambiguities in What do all these stories Hospital and Physician have in common?

The Gray Zones: Ambiguities in What do all these stories Hospital and Physician have in common? Relationships Neither the problem nor Can you wait? the solution is clear. Must you act now? Steps to determine problem, solution: Triage

199 views • 9 slides
Scope Ambiguities, Montague and Cooper Storage Kilian Evang May 21, 2008 Kilian Evang Scope

Scope Ambiguities, Montague and Cooper Storage Kilian Evang May 21, 2008 Kilian Evang Scope

Outline Introduction Montagues Solution Coopers Solution Summary Scope Ambiguities, Montague and Cooper Storage Kilian Evang May 21, 2008 Kilian Evang Scope Ambiguities, Montague and Cooper Storage Outline Introduction

625 views • 34 slides
Perturbative ambiguities in compactified spacetime and resurgence structure Okuto Morikawa (

Perturbative ambiguities in compactified spacetime and resurgence structure Okuto Morikawa (

Perturbative ambiguities in compactified spacetime and resurgence structure Okuto Morikawa ( ) Kyushu University 2020/9/24 Resurgence 2020 in YITP K. Ishikawa, O.M., K. Shibata and H. Suzuki, PTEP 2020 (2020) 063B02

649 views • 28 slides
1 Host (Rachel): Thank you everyone for joining us. My name is Rachel Mann and I am your host for

1 Host (Rachel): Thank you everyone for joining us. My name is Rachel Mann and I am your host for

1 Host (Rachel): Thank you everyone for joining us. My name is Rachel Mann and I am your host for todays presentation. Were here today to introduce you to the 2015 American Housing Survey. The Department of Housing and Urban Development

832 views • 40 slides
Transports and TCP Transports and TCP Adolfo Rodriguez CPS 214 Host- -to to- -Host vs. Host

Transports and TCP Transports and TCP Adolfo Rodriguez CPS 214 Host- -to to- -Host vs. Host

Transports and TCP Transports and TCP Adolfo Rodriguez CPS 214 Host- -to to- -Host vs. Host vs. Host Process- -to to- -Process Communication Process Communication Process Until now, we have focused on delivering packets between

564 views • 40 slides
C S E 4 6 1 S E C T I O N L O G I N uname: mininet pw: mininet Enable SSH so your host can

C S E 4 6 1 S E C T I O N L O G I N uname: mininet pw: mininet Enable SSH so your host can

C S E 4 6 1 S E C T I O N L O G I N uname: mininet pw: mininet Enable SSH so your host can login to your VM Easy to run multiple processes at once Bridge host Internet connection -> VM Allow host to connect to VM mininet@mininet-vm:~$

337 views • 14 slides
Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through Graphs Eduard Glatz Computer Engineering and Networks Laboratory ETH Zurich (Switzerland) eglatz@tik.ee.ethz.ch 20. Dec. 2009 Motivation

466 views • 27 slides
Provider Backbone Transport Networking Host-to-host connections through SURFnet6 Drs. R. van der

Provider Backbone Transport Networking Host-to-host connections through SURFnet6 Drs. R. van der

Provider Backbone Transport Networking Host-to-host connections through SURFnet6 Drs. R. van der Pol ing. G.A. van Malenstein Research Project 2 A. Toonk, MSc ing. C. Steenbeek Contents Background Problem Description Research

1.1k views • 16 slides
1-4 January 2013 New Host Community Sites Old Camp/Host Community Sites Displaced since

1-4 January 2013 New Host Community Sites Old Camp/Host Community Sites Displaced since

Inter Agency KIRA Mission Briefing: Tana Delta Renewed Clashes 1-4 January 2013 New Host Community Sites Old Camp/Host Community Sites Displaced since Sept 33,167 (6650 HH aprox)** Displacement New Dec and Integration displacements

385 views • 13 slides
ATF 2013 Media Briefing 7th June 2012 ATF 2013 2 HOST COMMITEE Host of 32 nd ATF in 2013

ATF 2013 Media Briefing 7th June 2012 ATF 2013 2 HOST COMMITEE Host of 32 nd ATF in 2013

www.atflaos.com ATF 2013 Media Briefing 7th June 2012 ATF 2013 2 HOST COMMITEE Host of 32 nd ATF in 2013 Ministry of Information, Culture Previously hosted ATF in 2004 and Tourism (MICT), (Jan 30 to Feb 7) Lao PDR Appointed ATF

378 views • 14 slides
Transport Protocols End-to-End Protocols Convert host-to-host packet delivery service into a

Transport Protocols End-to-End Protocols Convert host-to-host packet delivery service into a

Transport Protocols End-to-End Protocols Convert host-to-host packet delivery service into a process-to-process communication channel Demultiplexing: Multiple applications can share the Kameswari Chebrolu network Dept. of Electrical

211 views • 7 slides
How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad

How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad

How Tracking Companies Circumvented Ad Blockers Using WebSockets Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda, William Robertson, Christo Wilson Northeastern University Online Tracking 2 Online Tracking Surge in online

1.11k views • 80 slides
Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Computer Science 161 Fall 2016 Nicholas Weaver Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp 2016 1 Administrivia Computer Science 161 Fall 2016 Nicholas Weaver You really really really

944 views • 50 slides
ECE 550D Fundamentals of Computer Systems and Engineering Fall 2016 Pipelines Tyler Bletsch

ECE 550D Fundamentals of Computer Systems and Engineering Fall 2016 Pipelines Tyler Bletsch

ECE 550D Fundamentals of Computer Systems and Engineering Fall 2016 Pipelines Tyler Bletsch Duke University Slides are derived from work by Andrew Hilton (Duke) and Amir Roth (Penn) Clock Period and CPI Single-cycle datapath Low CPI:

965 views • 60 slides
Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher

Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher

Hacking Jenkins! Orange Tsai Orange Tsai Come from Taiwan Principal security researcher at DEVCORE Speaker at Black Hat US/ASIA , DEFCON , HITB , CODEBLUE CTF player (Captain of HITCON CTF team and member of 217 ) Bounty

1.32k views • 103 slides
NetGAN without GAN: From Random Walks to Low-Rank Approximations Luca Rendsburg, Holger Heidrich,

NetGAN without GAN: From Random Walks to Low-Rank Approximations Luca Rendsburg, Holger Heidrich,

NetGAN without GAN: From Random Walks to Low-Rank Approximations Luca Rendsburg, Holger Heidrich, Ulrike von Luxburg ICML 2020 1 3 Input 1 8 1 4 1 1 5 6 9 1 2 1 7 1 9 } 3 1 } NetGAN: Generating Graphs via Random Walks 1 8

2.88k views • 67 slides
Better Buildings Webinar Series Well be starting in just a few minutes. Tell us What

Better Buildings Webinar Series Well be starting in just a few minutes. Tell us What

Better Buildings Webinar Series Well be starting in just a few minutes. Tell us What topics are you interested in for future webinars? Please send your response to the webinar organizers via the question box. 1 Solutions for Small-

914 views • 47 slides
Computer Systems Research Daniel A. Jimnez Department of Computer Science & Engineering

Computer Systems Research Daniel A. Jimnez Department of Computer Science & Engineering

Machine Learning in Computer Systems Research Daniel A. Jimnez Department of Computer Science & Engineering Texas A&M University What Is This? Improving computer systems with machine learning Computer systems: Architecture /

594 views • 26 slides
rmalloc() and rpipe() a uGNI-based Distributed Remote Memory Allocator and Access Library for

rmalloc() and rpipe() a uGNI-based Distributed Remote Memory Allocator and Access Library for

rmalloc() and rpipe() a uGNI-based Distributed Remote Memory Allocator and Access Library for One-sided Messaging Udayanga Wickramasinghe Andrew Lumsdaine Indiana University Pacific Northwest Na<onal Laboratory Overview

892 views • 46 slides

More recommend