Attacking Websites Using HTTP Request Smuggling: Empirical Testing of Servers and Proxies
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering. (Software Systems Architecture and Security)
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering. (Software Systems Architecture and Security)
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering. (Software Systems Architecture and Security) ORCID iD: 0000-0002-6762-3662
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering. (Software Systems Architecture and Security) ORCID iD: 0000-0003-3089-3885
2021 (English) In: 2021 IEEE 25th International Enterprise Distributed Object Computing Conference (EDOC), Institute of Electrical and Electronics Engineers (IEEE), 2021, pp. 173-181. Conference paper, Published paper (Refereed)
Abstract [en]

Securing web servers and proxies is critical for enterprise networks. Such Internet-facing systems make up a significant portion of the remote attack surface and, thus, serve as prime targets. HTTP Request Smuggling (HRS) is a vulnerability that arises when web servers and proxies interpret the length of a single HTTP request differently. In this study, empirical testing was used to find parsing behaviors that could lead to HRS in six popular proxies and six servers. A literature study was conducted to compile a corpus containing requests adopting all known HRS techniques and different variations. A test harness was built to enable the automatic sending of requests and recording of responses. The responses were then manually analyzed to identify behaviors vulnerable to HRS. In total, 19 vulnerable behaviors were found, and by combining the proxies with the servers, two almost full and four full attacks could be performed. At least one behavior that went against the HTTP specification was found in every system tested. However, not all of these behaviors enabled HRS. In conclusion, most proxies had strict parsing and did not accept requests that could lead to HRS. The servers, however, were not so strict.
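
As an added example (not code from the paper or from its test harness), the following Python models the condition the abstract defines: two HTTP/1.1 parsers that honour different length headers (Content-Length versus Transfer-Encoding: chunked) and therefore place the end of the same request at different byte offsets. Whatever the front end forwards beyond the back end's boundary is glued onto the next request on that connection, which is the smuggling primitive. The request bytes are constructed inline; the only external rule used is RFC 7230 section 3.3.3, which says Transfer-Encoding overrides Content-Length and that a message carrying both ought to be treated as an error.

```python
# Added example, not code from the paper or its harness.
# Two toy HTTP/1.1 parsers read the same bytes but disagree on where the first
# request ends; the leftover is what a back end sees as the start of the NEXT
# request on the same connection (the HRS desync the abstract describes).

from typing import Dict, Optional, Tuple

HeaderMap = Dict[bytes, bytes]


def parse_head(raw: bytes) -> Tuple[bytes, HeaderMap, int]:
    """Return (request line, lower-cased header map, byte offset of body start)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers: HeaderMap = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, len(head) + len(sep)


def chunked_length(body: bytes) -> int:
    """Bytes consumed by a chunked body, including the CRLF after the zero chunk.
    Trailers are not supported (simplifying assumption of this toy parser)."""
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            if body[pos:pos + 2] != b"\r\n":
                raise ValueError("missing CRLF after last chunk")
            return pos + 2
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not CRLF-terminated")
        pos += 2


def first_request_end(raw: bytes, honour: str) -> int:
    """Offset where a parser that honours only `honour` ('cl' or 'te')
    considers the first request to end."""
    _, headers, body_start = parse_head(raw)
    body = raw[body_start:]
    if honour == "cl":
        length = int(headers.get(b"content-length", b"0"))
    elif honour == "te":
        if headers.get(b"transfer-encoding", b"").lower() != b"chunked":
            raise ValueError("te parser requires Transfer-Encoding: chunked")
        length = chunked_length(body)
    else:
        raise ValueError(honour)
    return body_start + length


def rfc7230_request_end(raw: bytes) -> Optional[int]:
    """RFC 7230 s.3.3.3: Transfer-Encoding wins over Content-Length, and a
    message carrying both 'ought to be handled as an error'. Return None
    (reject) in that case instead of guessing a boundary."""
    _, headers, _ = parse_head(raw)
    if b"transfer-encoding" in headers and b"content-length" in headers:
        return None
    return first_request_end(raw, "te" if b"transfer-encoding" in headers else "cl")


def desync(raw: bytes, front: str, back: str) -> bytes:
    """Bytes a back end honouring `back` treats as the start of the next request,
    given that a front end honouring `front` forwarded what it saw as one request."""
    forwarded = raw[: first_request_end(raw, front)]
    return forwarded[first_request_end(forwarded, back):]


# Constructed sample: ambiguous request with both length headers.
# Content-Length: 6 covers b"0\r\n\r\nG"; a chunked parser stops after b"0\r\n\r\n".
AMBIGUOUS = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"G"
)

if __name__ == "__main__":
    print("CL parser ends request at", first_request_end(AMBIGUOUS, "cl"))
    print("TE parser ends request at", first_request_end(AMBIGUOUS, "te"))
    print("leftover a TE back end prepends to the next request:", desync(AMBIGUOUS, "cl", "te"))
    print("RFC 7230 parser accepts:", rfc7230_request_end(AMBIGUOUS) is not None)
```

With a Content-Length front end and a chunked back end (the CL.TE case) the stray `G` becomes the first byte of the following request on the pooled connection. The mirror case, a chunked front end and a Content-Length back end, leaves the back end waiting for bytes that never arrive until the next request supplies them. The compliant check at the end is the behaviour the abstract credits most of the tested proxies with: reject the ambiguous message rather than pick a length.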

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2021. pp. 173-181
Keywords [en]
Cyber attack, HTTP Request smuggling, website, server, proxy
National subject category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-305562
DOI: 10.1109/EDOC52215.2021.00028
ISI: 000748896900018
Scopus ID: 2-s2.0-85123637074
OAI: oai:DiVA.org:kth-305562
DiVA, id: diva2:1616442
Conference
International Conference on Enterprise Distributed Object Computing (EDOC), 25-29 Oct. 2021, Gold Coast, Australia
Note

QC 20220225

Available from: 2021-12-02 Created: 2021-12-02 Last updated: 2022-06-25 Bibliographically approved

Open Access in DiVA

Full text not available in DiVA

Other links

Publisher's full text: https://ieeexplore.ieee.org/document/9626191
Scopus

Authors

Grenfeldt, Mattias; Olofsson, Asta; Engström, Viktor; Lagerström, Robert
