CN112906003A - Detection technology for HTTP smuggling vulnerability - Google Patents


Info

Publication number: CN112906003A
Application number: CN202110329321.6A
Authority: CN (China)
Prior art keywords: content, length, http, vulnerability, smuggling
Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 高洋, 贾宏伟
Current assignee: Heilongjiang Chaonan Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Heilongjiang Chaonan Technology Co ltd
Priority date: 2021-03-28 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2021-03-28
Publication date: 2021-06-04

Classifications

    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
      (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
      (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)

Abstract

The invention discloses a web vulnerability detection technique for HTTP request smuggling. The method mainly comprises the following steps: constructing an HTTP request header that carries both Transfer-Encoding and Content-Length fields, and filling the request body with a request for robots.txt. The advantages of the invention include: the mechanisms by which HTTP smuggling vulnerabilities arise are fully covered, so no vulnerability is missed; discovered vulnerabilities are verified, so none is falsely reported; the harmless verification method proposed in this patent ensures that the tested target suffers no negative effect; and the traditional manual detection process is replaced by an automated scheme, improving detection efficiency.

Description

Detection technology for HTTP smuggling vulnerability
Technical Field
This patent relates to the fields of web attack detection and web server-side vulnerability discovery. Its core technique is to construct non-standard HTTP request messages, use the differences between how the web front end (the proxy or CDN layer) and the web back end parse those messages to discover possible HTTP smuggling vulnerabilities, and verify whether a vulnerability exists from the response delay and the returned content.
Background
HTTP smuggling vulnerabilities are caused mainly by differences in how the web front end and the web back end split an incoming byte stream into HTTP requests. The wide use of content delivery network (CDN) technology, combined with uneven implementation of the HTTP specification, has made this one of the most damaging attack classes of the last five years. Because each front end and back end cuts HTTP requests slightly differently, the potential causes of the vulnerability are many. The current mainstream detection approach is manual: the vulnerability is found by auditing the source code of the HTTP request-processing path, and its authenticity is confirmed by stealing data. Detection of this kind depends on the skill of the individual analyst and suffers from low efficiency and a high error rate. The data-stealing verification step is itself a network attack: a specific attack payload is built, launched against the target, and real data is exfiltrated to prove that the vulnerability exists. This brings real harm to the tested target, including risks of data leakage and service interruption, and cannot satisfy the requirements of large online sites, services that must not be interrupted, or sites with strict data-confidentiality rules. In recent years a large volume of services has moved from offline to online, raising the bar for web security, and the weaknesses of traditional detection methods have become evident. An efficient detection method that is harmless to the target and does not disturb normal operation of the tested service is therefore urgently needed.
Disclosure of Invention
The invention provides a detection technique for HTTP smuggling vulnerabilities, intended for harmless automated detection in a production environment. It consists of an automated discovery method for HTTP smuggling vulnerabilities and a harmless verification technique based on response time and response content. "Harmless" means that running the method of this patent against a target causes the target no negative effect. The aim of the invention is an automated, harmless detection and verification scheme. The invention adopts the following technical scheme:
The root cause of HTTP smuggling vulnerabilities is that the web front end and the web back end handle Transfer-Encoding and Content-Length inconsistently. Each side delimits the request body either by Content-Length or by chunked Transfer-Encoding, giving four front-end/back-end combinations (Transfer-Encoding/Transfer-Encoding, Transfer-Encoding/Content-Length, Content-Length/Content-Length and Content-Length/Transfer-Encoding; see claim 1). For each combination, a bypass request is built from the definitions of request-body length and chunked transfer coding in the HTTP specification so as to discover possible HTTP smuggling vulnerabilities; each discovered vulnerability is then verified using the TCP connection time limit and the returned response, so that the detection result is accurate; finally, the four automated detection schemes are implemented with a finite-state machine model.
The specific implementation of the technical scheme is as follows:
First, the ways in which the web front end and back end process HTTP requests are classified. The scheme is based on the different combinations of Transfer-Encoding and Content-Length, and according to which of the two the front end and the back end use to delimit HTTP request data, their processing modes are divided into four types. The greatest advantage of this scheme is that it captures the root cause of HTTP smuggling vulnerabilities and so produces no false alarms.
Second, HTTP smuggling vulnerabilities are discovered preliminarily. This patent uses a judgment based on average response time, whose greatest advantages are a stable decision criterion and ease of automation.
Finally, the HTTP smuggling vulnerability is verified harmlessly and false alarms are removed. This patent proposes a detection and verification scheme based on an empty (zero-size chunk) body followed by a complete request for robots.txt: when the vulnerability is present, the target returns the robots.txt data, or returns 404. The greatest advantage of the scheme is that verification is harmless because it uses only the public robots.txt data.
The workflow of this patent is as follows:
Step one: send a conventional HTTP request to the target once every 5 seconds, 10 times in total, and record the average response time;
Step two: construct four HTTP requests, each carrying both Transfer-Encoding and Content-Length fields, with a request body consisting of an empty chunk of chunk-size 0 followed by a GET request for robots.txt;
Step three: update the header information of each request, setting the Content-Length value according to the processing mode that request targets;
Step four: send the four requests to the target and record every response whose response time exceeds the average measured in step one;
Step five: inspect the content of each recorded response; if it is 200 OK with the robots.txt content, or 404 NOT FOUND with an empty body, the vulnerability is confirmed.

Claims (5)

1. A detection technique for HTTP smuggling vulnerabilities, characterized by mainly comprising the following steps. Step one: construct HTTP request messages in four modes, Transfer-Encoding/Transfer-Encoding, Transfer-Encoding/Content-Length, Content-Length/Content-Length and Content-Length/Transfer-Encoding. Step two: calculate the Content-Length value of the HTTP request header and assemble the HTTP request. Step three: send the HTTP request to the target, record any response message whose response time exceeds the average, and check whether the response is status 200 OK with the robots.txt content or status 404 NOT FOUND with empty content. Step four: construct a finite-state automaton to implement automated detection.
2. The technique as claimed in claim 1, wherein when the HTTP request message is constructed in step 1, the message body starts with the character 0 and is followed by a robots.txt request.
3. The technique as claimed in claim 1, wherein when the Content-Length value is calculated in step 2, the value depends on whether the tested target's web front end delimits data by Content-Length or by Transfer-Encoding: when Content-Length delimiting is used, the real byte count of the body is used as the Content-Length value; when Transfer-Encoding delimiting is used, the length of the chunk-size part is used as the Content-Length value.
4. The technique as claimed in claim 1, wherein the condition for verifying that a vulnerability exists is: the response time of the response packet is greater than the average response time, and either the robots.txt content is returned or status 404 is returned.
5. The technique as claimed in claim 1, wherein when automated detection is implemented in step 4, the different combinations of Content-Length and Transfer-Encoding and the two groups of conditions for vulnerability existence are selected, and the detection process is decomposed into eight states.
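As an added worked example (not code from the patent or its assignee), the following Python builds the four probe requests of claim 1 and workflow step two, sizes Content-Length per claim 3, takes the timing baseline of step one, and applies the verification conditions of claims 4 and 5 to parsed responses. The host name, the header order per mode, the 5-byte "chunk-size part", the heuristic for recognising robots.txt content, the sample responses and all function names are my assumptions; no network I/O is performed.

```python
import statistics
import time
from dataclasses import dataclass

# Front end / back end combinations of claim 1.
MODES = ("TE/TE", "TE/CL", "CL/CL", "CL/TE")

# Zero-size terminating chunk that opens every probe body (claim 2).
CHUNK_END = b"0\r\n\r\n"


def smuggled_body(host: str) -> bytes:
    """Probe body of claim 2: terminating chunk, then a complete GET for the
    public /robots.txt resource, which a desynchronised back end will treat
    as the next request on the same connection."""
    return CHUNK_END + f"GET /robots.txt HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def content_length_for(body: bytes, front_end: str) -> int:
    """Claim 3: a front end that delimits by Content-Length is given the real
    byte count; one that delimits by Transfer-Encoding is given only the
    length of the chunk-size part (assumed here to be the 5 bytes of CHUNK_END)."""
    if front_end == "CL":
        return len(body)
    if front_end == "TE":
        return len(CHUNK_END)
    raise ValueError(f"unknown front-end mode {front_end!r}")


def build_probe(mode: str, host: str, path: str = "/") -> bytes:
    """Serialise the probe for one mode. Header order follows the mode name
    (the front end's mechanism is listed first); that ordering is my
    assumption about how the modes differ on the wire. Under claim 3 the
    Content-Length value depends only on the front-end side."""
    front_end, _back_end = mode.split("/")
    if front_end not in ("TE", "CL"):
        raise ValueError(f"unknown mode {mode!r}")
    body = smuggled_body(host)
    te_hdr = b"Transfer-Encoding: chunked\r\n"
    cl_hdr = f"Content-Length: {content_length_for(body, front_end)}\r\n".encode()
    headers = te_hdr + cl_hdr if front_end == "TE" else cl_hdr + te_hdr
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n".encode()
            + headers + b"Connection: keep-alive\r\n\r\n" + body)


def measure_baseline(send_once, samples: int = 10, interval_s: float = 5.0) -> float:
    """Workflow step one: send a conventional request `samples` times,
    `interval_s` apart, and return the mean elapsed time. `send_once()` is a
    caller-supplied callable returning the elapsed seconds of one request."""
    elapsed = []
    for i in range(samples):
        elapsed.append(send_once())
        if i < samples - 1:
            time.sleep(interval_s)
    return statistics.fmean(elapsed)


@dataclass
class Response:
    elapsed: float  # seconds
    status: int
    body: bytes


def parse_response(raw: bytes, elapsed: float) -> Response:
    """Minimal HTTP/1.1 response parser: status code plus the raw body after
    the first blank line (chunked or compressed bodies are not decoded)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return Response(elapsed, status, body)


def looks_like_robots(body: bytes) -> bool:
    # The patent does not say how it recognises "robots.txt content";
    # matching the two standard directives is my assumption.
    lowered = body.lower()
    return b"user-agent:" in lowered or b"disallow:" in lowered


def verdict(mode: str, resp: Response, baseline: float) -> str:
    """Claims 4-5: the timing condition gates the two content conditions, so
    each of the four modes ends in one of two confirmed states (eight in all)
    or is rejected."""
    if resp.elapsed <= baseline:
        return "no-smuggling"
    if resp.status == 200 and looks_like_robots(resp.body):
        return f"{mode}:confirmed-robots"
    if resp.status == 404 and resp.body.strip() == b"":
        return f"{mode}:confirmed-404"
    return "inconclusive"
```

The probe bytes must be written to a raw TCP (or TLS) socket; ordinary HTTP client libraries normalise or reject a request that carries both framing headers. Note that, with Content-Length sized only by the front-end mechanism as claim 3 specifies, the TE/TE and TE/CL probes are byte-identical, as are CL/CL and CL/TE; the modes then differ in how the response is interpreted rather than in what is sent. One practical caveat on the "harmless" claim: the smuggled GET touches only public data, but if the front end pools keep-alive connections to the back end, a desynchronised connection can deliver the robots.txt response to another client's request, so run the probes against a dedicated instance or during a maintenance window where possible.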
Priority application: CN202110329321.6A (priority date 2021-03-28, filing date 2021-03-28), Detection technology for HTTP smuggling vulnerability, status Withdrawn.

Publication: CN112906003A, published 2021-06-04.

Family ID: 76109482 (one family application; country status: CN, CN112906003A).

Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105430011A * | 2015-12-25 | 2016-03-23 | 杭州朗和科技有限公司 | Method and device for detecting distributed denial of service attack
CN107426211A * | 2017-07-25 | 2017-12-01 | 北京长亭科技有限公司 | Detection method and device, terminal device and computer-readable storage medium for network attacks
CN110602021A * | 2018-06-12 | 2019-12-20 | 蓝盾信息安全技术有限公司 | Security risk value evaluation method based on combining HTTP request behaviour with business process
CN111181924A * | 2019-12-11 | 2020-05-19 | 西安电子科技大学 | Web application firewall method and system based on application gateway
US20200296126A1 * | 2019-03-13 | 2020-09-17 | Sap Se | Detecting web application vulnerabilities
CN112398843A * | 2020-11-09 | 2021-02-23 | 广州锦行网络科技有限公司 | Detection method and device based on HTTP smuggling attack

Legal Events

Code | Title | Description
PB01 | Publication | Application publication date: 20210604
SE01 | Entry into force of request for substantive examination |
WW01 | Invention patent application withdrawn after publication |