Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems

  • Conference paper
ICT Systems Security and Privacy Protection (SEC 2021)

Abstract

The web is the most widespread digital system in the world and is used for many crucial applications. This makes web application security extremely important and, although many security measures already exist, new vulnerabilities are constantly being discovered. One reason for some of the recent discoveries lies in the presence of intermediate systems (e.g. caches, message routers, and load balancers) on the path between a client and a web application server. The implementations of such intermediaries may interpret HTTP messages differently, so that the same message is understood with different semantics at different hops. This so-called semantic gap can cause weaknesses in the entire HTTP message processing chain.

In this paper we introduce the header whitelisting (HWL) approach to address the semantic gap in HTTP message processing pipelines. The basic idea is to normalize the request header block and reduce it to the minimum required fields using a whitelist before the request is processed by an intermediary or by the server, and then to restore the original request for the next hop. Our results show that HWL can avoid misinterpretations of HTTP messages in the different components and thus prevent many attacks rooted in a semantic gap, including request smuggling, cache poisoning, and authentication bypass.
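The following is an added illustration of the whitelisting step the abstract describes, written for this page; it is not the authors' hwl-proxy code, and the policy it applies is an assumption (header names are canonicalised by stripping surrounding whitespace and folding case before matching; non-matching headers are removed before the local component sees the request and stashed so the full header set can be reattached for the next hop; a component's whitelist admits at most one of the two body-framing headers). The sample request, the whitelist `BACKEND_WHITELIST`, and all function names are constructed for the example.

```python
"""Toy header whitelisting (HWL) filter, added as an illustration of the idea
in the abstract above. Example code for this page, not the authors' hwl-proxy.
Assumed policy (mine, not the paper's):
  * header names are canonicalised (surrounding whitespace stripped, lower-cased)
    before they are matched against the whitelist;
  * headers that do not match are removed before the local component sees the
    request and stashed so the full header set can be reattached for the next hop;
  * a whitelist admits at most one of the two body-framing headers, so a request
    carrying both Content-Length and Transfer-Encoding is reduced to a single,
    unambiguous framing before the local parser reads it.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample (not from the paper): a CL.TE-style request in which the
# Transfer-Encoding header name carries a trailing space, an obfuscation that
# some front ends miss while some back ends still honour the header.
SAMPLE_REQUEST = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding : chunked\r\n"
    b"X-Forwarded-Host: evil.example\r\n"
    b"User-Agent: demo\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

# Hypothetical whitelist for a component that frames bodies by Content-Length.
BACKEND_WHITELIST = frozenset({"host", "content-length", "content-type", "user-agent"})


@dataclass
class Request:
    request_line: bytes
    headers: list[tuple[str, str]]            # (name, value) as seen by this hop
    body: bytes
    stash: list[tuple[str, str]] = field(default_factory=list)  # removed by HWL, raw form


def canonical(name: str) -> str:
    """Normalise a header name: strip surrounding whitespace, fold case."""
    return name.strip().lower()


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.1 request into request line, raw header pairs and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing end of header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.decode("latin-1"), value.decode("latin-1")))
    return Request(lines[0], headers, body)


def whitelist(req: Request, allowed: frozenset[str]) -> Request:
    """Keep only whitelisted headers, emitted in canonical form; everything
    else goes to the stash in its raw form for later restoration."""
    kept, removed = [], []
    for name, value in req.headers:
        if canonical(name) in allowed:
            kept.append((canonical(name), value.strip()))
        else:
            removed.append((name, value))
    return Request(req.request_line, kept, req.body, stash=removed)


def restore(req: Request) -> Request:
    """Reattach the stashed headers so the next hop receives the full header
    set again (that hop is expected to run its own HWL instance)."""
    return Request(req.request_line, req.headers + req.stash, req.body)


def framing_is_ambiguous(req: Request) -> bool:
    """True when both body-framing headers are present; RFC 7230 says
    Transfer-Encoding wins, but not every implementation agrees."""
    names = {canonical(n) for n, _ in req.headers}
    return {"content-length", "transfer-encoding"} <= names


def serialize(req: Request) -> bytes:
    lines = [req.request_line] + [f"{n}: {v}".encode("latin-1") for n, v in req.headers]
    return b"\r\n".join(lines) + b"\r\n\r\n" + req.body


def demo() -> tuple[Request, Request]:
    original = parse_request(SAMPLE_REQUEST)
    reduced = whitelist(original, BACKEND_WHITELIST)
    return reduced, restore(reduced)


if __name__ == "__main__":
    reduced, restored = demo()
    print(serialize(reduced).decode("latin-1"))
    print("ambiguous before HWL:", framing_is_ambiguous(parse_request(SAMPLE_REQUEST)))
    print("ambiguous after HWL: ", framing_is_ambiguous(reduced))
```

Two points worth noticing when running it: because matching happens on the canonical name, the obfuscated `Transfer-Encoding ` header is recognised and handled like any other Transfer-Encoding header rather than slipping past the filter, and a whitelist that admits `transfer-encoding` instead of `content-length` would keep it and drop the Content-Length header. Because `restore` reattaches the raw headers, the ambiguity reappears for the next hop, which is why the scheme only helps if every component in the chain sits behind its own whitelist.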

Notes

  1. https://github.com/digital-security-lab/hwl-proxy

Author information

Corresponding author: Andre Büttner

Copyright information

© 2021 IFIP International Federation for Information Processing

About this paper

Cite this paper

Büttner, A., Nguyen, H.V., Gruschka, N., Lo Iacono, L. (2021). Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems. In: Jøsang, A., Futcher, L., Hagen, J. (eds) ICT Systems Security and Privacy Protection. SEC 2021. IFIP Advances in Information and Communication Technology, vol 625. Springer, Cham. https://doi.org/10.1007/978-3-030-78120-0_22

  • DOI: https://doi.org/10.1007/978-3-030-78120-0_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78119-4

  • Online ISBN: 978-3-030-78120-0
