
The HTTP Garden: Discovering Parsing Vulnerabilities in HTTP/1.1 Implementations by Differential Fuzzing of Request Streams (2405.17737v1)

Published 28 May 2024 in cs.CR and cs.NI

Abstract: HTTP/1.1 parsing discrepancies have been the basis for numerous classes of attacks against web servers. Previous techniques for discovering HTTP parsing discrepancies have focused on black-box differential testing of HTTP gateway servers, despite evidence that the most significant parsing anomalies occur within origin servers. While these techniques can detect some vulnerabilities, not all parsing discrepancy-related vulnerabilities are detectable by examining a gateway server's output alone. Our system, the HTTP Garden, examines both origin servers' interpretations and gateway servers' transformations of HTTP requests. It also includes a coverage-guided differential fuzzer for HTTP/1.1 origin servers that is capable of mutating all components of a request stream, paired with an interactive REPL that facilitates the automatic discovery of meaningful HTTP parsing discrepancies and the rapid development of those discrepancies into attack payloads. Using our tool, we have discovered and reported over 100 HTTP parsing bugs in popular web servers, of which 68 have been fixed following our reports. We designate 39 of these to be exploitable. We release the HTTP Garden to the public on GitHub under a free software license to allow researchers to further explore new parser discrepancy-based attacks against HTTP/1.1 servers.
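A toy differential-testing oracle in the spirit of the approach the abstract describes, added here as an illustration and not the HTTP Garden's own code: two hypothetical HTTP/1.1 parsers, a strict one applying the RFC 9110/9112 rules and a lenient one, frame the same request stream, and any difference in whether they reject it or how they split it into requests is reported as a parsing discrepancy. Only Content-Length framing is modelled; the parser behaviours, the sample streams and the discrepancy rule are assumptions.

```python
# Added example (not the paper's code): a toy differential oracle in the spirit
# of the HTTP Garden. Two hypothetical HTTP/1.1 parsers, one strict (RFC rules)
# and one lenient, frame the same request stream into requests; the oracle
# reports whether their interpretations disagree.
def parse_headers(head: bytes, lenient: bool) -> dict:
    """Parse header lines into {lower-name: [values]}; raise on what strict rejects."""
    headers: dict = {}
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, colon, value = line.partition(b":")
        if not colon or not name:
            raise ValueError("malformed header line")
        if name != name.rstrip() and not lenient:  # RFC 9112: no whitespace before colon
            raise ValueError("whitespace before colon")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame(stream: bytes, lenient: bool) -> list:
    """Split a request stream into (request_line, body) pairs (Content-Length framing only)."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete message")
        headers = parse_headers(head, lenient)
        lengths = headers.get(b"content-length", [b"0"])
        if len(set(lengths)) > 1 and not lenient:  # RFC 9110: conflicting values are an error
            raise ValueError("conflicting Content-Length")
        chosen = lengths[-1] if lenient else lengths[0]  # lenient parser trusts the last value
        if not chosen.isdigit():
            raise ValueError("non-numeric Content-Length")
        n = int(chosen)
        if len(rest) < n:
            raise ValueError("truncated body")
        requests.append((head.split(b"\r\n")[0], rest[:n]))
        stream = rest[n:]
    return requests

def differential_check(stream: bytes) -> dict:
    """Run both parsers; a discrepancy is any difference in rejection or framing."""
    results = {}
    for name, lenient in (("strict", False), ("lenient", True)):
        try:
            results[name] = frame(stream, lenient)
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    results["discrepancy"] = results["strict"] != results["lenient"]
    return results

# Constructed sample request streams (not taken from the paper).
AGREED = b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 2\r\n\r\nhi"
DUPLICATE_CL = b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 2\r\nContent-Length: 3\r\n\r\nhi!"
SPACE_BEFORE_COLON = b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length : 2\r\n\r\nhi"
```

In a real harness the two parsers would be replaced by the interpretations reported back from distinct server implementations, and the fuzzer would mutate the stream to search for inputs where `discrepancy` becomes true.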
