New differential fuzzing tool reveals novel HTTP request smuggling techniques – The Daily Swig

White paper systematically examines the attack while showcasing a ‘laundry list’ of new flaws

A new tool discovers novel HTTP request smuggling techniques

Researchers have released a new fuzzing tool for finding novel HTTP request smuggling techniques.

The tool, dubbed ‘T-Reqs’, was built by a team from Northeastern University, Boston, and Akamai.

In a white paper (PDF) the researchers describe how they discovered a wealth of new vulnerabilities with the tool, which they say can be used by bug bounty hunters and researchers alike.

HTTP history

HTTP request smuggling, first described in 2005, exploits the way websites process sequences of HTTP requests received from users.

Front-end servers such as load balancers and reverse proxies typically forward multiple HTTP requests consecutively to back-end servers over the same network connection.

If the front-end and back-end servers disagree about where one request ends and the next begins, an attacker can smuggle a hidden request through the proxy; the back end then processes it as though it were a separate request.

The consequences can be far-reaching, including account hijacking and web cache poisoning.

Previous research into the attack targeted the Content-Length and Transfer-Encoding headers.


This new research instead treats HTTP request smuggling (HRS) as a system interaction problem involving at least two HTTP processors on the traffic path.

The paper reads: “These processors may not necessarily be individually buggy; but when used together, they disagree on the parsing or semantics of a given HTTP request, which leads to a vulnerability.

“This key aspect of HRS has not been explored in previous work. Next, previous attacks focus on malicious manipulation of the two aforementioned HTTP headers.

“Whether the remaining HTTP headers, or the rest of an HTTP request, could be tampered with to induce similar processing discrepancies remains uncharted territory.”

Tool for success

T-Reqs, which is shorthand for ‘two requests’, is a grammar-based HTTP fuzzer that generates HTTP requests and applies mutations to them to trigger potential server processing quirks.

It exercises two target servers with the same mutated request, and compares the responses to identify discrepancies that lead to smuggling attacks.
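The framing disagreement described under ‘HTTP history’ above and the differential comparison T-Reqs performs can both be seen in the following Python sketch. It is an example added for this article, not code from T-Reqs or the paper: the two parser models (‘strict’ and ‘lenient’), the hand-written Transfer-Encoding mutations and the sample requests are all constructed here, and real servers are replaced by in-process parsers so that it runs offline. T-Reqs itself drives pairs of real servers and derives its mutations from a grammar covering every part of the request, not just one header.

```python
"""Toy differential fuzzer for HTTP/1.1 request framing (constructed example).
Two model parsers stand in for two real HTTP processors on one traffic path; a
mutation is flagged when they split the same byte stream into different request
sequences, which is the disagreement a smuggling attack exploits."""
from typing import List, Optional, Tuple

CRLF = b"\r\n"


def _chunked_body_end(data: bytes) -> Optional[int]:
    """Offset just past a chunked body in `data`, or None if truncated/malformed."""
    pos = 0
    while True:
        eol = data.find(CRLF, pos)
        if eol < 0:
            return None
        size_field = data[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return None
        pos = eol + 2
        if size == 0:  # last-chunk: optional trailers, then an empty line
            if data.startswith(CRLF, pos):
                return pos + 2
            end = data.find(CRLF + CRLF, pos)
            return None if end < 0 else end + 4
        pos += size
        if data[pos:pos + 2] != CRLF:  # chunk data must be CRLF-terminated
            return None
        pos += 2


def framing(header_lines: List[bytes], model: str) -> Tuple[str, int]:
    """How `model` delimits the body: ("chunked", 0), ("length", n) or ("none", 0).
    "strict" wants an exact `chunked` token and no space before the colon; "lenient"
    accepts "chunked" anywhere in the value and tolerates `Name : value`.  Both fall
    back to Content-Length when the coding is unrecognised (a real-world quirk)."""
    chunked, length = False, None
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        name = (name.strip() if model == "lenient" else name).lower()
        value = value.strip().lower()
        if name == b"content-length" and value.isdigit():
            length = int(value)
        elif name == b"transfer-encoding":
            chunked = (b"chunked" in value) if model == "lenient" else (value == b"chunked")
    if chunked:
        return ("chunked", 0)
    return ("length", length) if length is not None else ("none", 0)


def split_requests(stream: bytes, model: str) -> List[bytes]:
    """Request lines `model` sees in a pipelined stream; stops at the first
    incomplete or malformed message."""
    seen: List[bytes] = []
    while stream:
        end = stream.find(CRLF + CRLF)
        if end < 0:
            break
        lines, rest = stream[:end].split(CRLF), stream[end + 4:]
        kind, n = framing(lines[1:], model)
        if kind == "chunked":
            body_end = _chunked_body_end(rest)
            if body_end is None:
                break
        elif kind == "length":
            if len(rest) < n:
                break
            body_end = n
        else:
            body_end = 0
        seen.append(lines[0])
        stream = rest[body_end:]
    return seen


# Constructed seed: the body is a complete chunked message (just the empty
# last-chunk) followed by a hidden request.  Content-Length covers all of it;
# chunked framing stops after the empty chunk and exposes the hidden request.
SMUGGLED = b"GET /smuggled HTTP/1.1\r\nHost: example\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
FOLLOW_UP = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
# Hand-written Transfer-Encoding variants (the real tool mutates from a grammar).
TE_MUTATIONS = [b"Transfer-Encoding: chunked", b"Transfer-Encoding: xchunked",
                b"Transfer-Encoding: chunked, identity", b"Transfer-Encoding : chunked",
                b"X-Transfer-Encoding: chunked"]


def build_stream(te_header: bytes) -> bytes:
    first = (b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: %d\r\n" % len(BODY)
             + te_header + CRLF + CRLF + BODY)
    return first + FOLLOW_UP  # a legitimate request pipelined behind the mutated one


def differential_run() -> List[Tuple[bytes, List[bytes], List[bytes]]]:
    """Mutations on which the two models disagree, with what each one saw."""
    findings = []
    for te in TE_MUTATIONS:
        stream = build_stream(te)
        strict, lenient = split_requests(stream, "strict"), split_requests(stream, "lenient")
        if strict != lenient:
            findings.append((te, strict, lenient))
    return findings


if __name__ == "__main__":
    for te, strict, lenient in differential_run():
        print(te.decode(), "| strict:", strict, "| lenient:", lenient)
```

Running the script flags three of the five mutations: for each, the strict model falls back to Content-Length and sees two requests, while the lenient model honours the chunked coding and surfaces GET /smuggled as a third, which is precisely the hidden request a front-end/back-end pair would disagree about. A finding here is a discrepancy between two parsers, not a vulnerability in any product; confirming it against a live target is a separate step, and a different kind of tool.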


Speaking to The Daily Swig, Akamai’s Kaan Onarlioglu said: “T-Reqs is a fuzzer that exercises server pairs in an experimental setup.

“It is a tool that discovers novel smuggling vulnerabilities. This is particularly useful for server developers, and in fact several vendors mentioned in our paper are now using it for their internal testing.

“T-Reqs is not designed to test live web applications; it is not a penetration testing tool that repeats previously known smuggling payloads. Burp Suite’s HTTP Request Smuggler extension is a far better fit for that.

“We envision that the community will enhance and use T-Reqs to find new vulnerabilities, and then integrate these payloads with their testing tools and processes.”


Onarlioglu said the team chose to explore the topic because the HTTP specification is extremely complex. Given the “plethora of server technologies out there with their quirks”, they reasoned, “there must be unfathomed opportunities to smuggle requests”.

The researcher said: “Our research tested this hypothesis. We systematically explored all parts of an HTTP request together with the pairwise combinations of 10 popular proxy/server technologies. We found a laundry list of brand new vulnerabilities!”

The white paper documents the individual vulnerabilities and the technical details of the fuzzer.

System centric

Onarlioglu told The Daily Swig: “The fascinating thing about request smuggling is that it is a system problem. Even though we could come up with a magic development process and start cranking out flawless servers, they would still fail spectacularly in the face of request smuggling.

“Secure components do not necessarily make a secure system; security is an emergent property of the device as a whole.

“Researchers did not traditionally view security from this lens, but that is changing with recently popularized attacks like smuggling, cache poisoning, and cache deception.

“My team strongly believes that a systems-centric view is key to thwarting the following generation of web attacks, and therefore we are actively studying this domain.”


Source of this news: https://portswigger.net/daily-swig/new-differential-fuzzing-tool-reveals-novel-http-request-smuggling-techniques
