Host of Troubles: Multiple Host Ambiguities in HTTP Implementations

Publication Type: Conference Paper
Year of Publication: 2016
Authors: Chen, J., Weaver N., Jiang J., Wan T., Duan H., & Paxson V.
Published in: Proceedings of ACM CCS
Date Published: 10/2016

The Host header is a security-critical component in an HTTP request, as it is used as the basis for enforcing security and caching policies. While the current specification is generally clear on how host-related protocol fields should be parsed and interpreted, we find that the implementations are problematic. We tested a variety of widely deployed HTTP implementations and discovered a wide range of non-compliant and inconsistent host processing behaviours. The particular problem is that when facing a carefully crafted HTTP request with ambiguous host fields (e.g., with multiple Host headers), two different HTTP implementations often accept and understand it differently when operating on the same request in sequence. We show a number of techniques to induce inconsistent interpretations of host between HTTP implementations and how the inconsistency leads to severe attacks such as HTTP cache poisoning and security policy bypass. The prevalence of the problem highlights the potential negative impact of gaps between the specifications and implementations of Internet protocols.
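The inconsistency the abstract describes, together with a strict front-end check that refuses to guess, is sketched below as an added example; it is not code from the paper. The `first_host` and `last_host` components are hypothetical stand-ins for two implementations in sequence, and the sample requests are constructed.

```python
from urllib.parse import urlsplit

def parse_head(raw: bytes):
    """Split a request head into (request-target, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *field_lines = head.split("\r\n")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) == 3 else ""
    fields = [line.partition(":")[::2] for line in field_lines]
    return target, [(n, v.strip()) for n, v in fields]

def host_values(fields):
    return [v.lower() for n, v in fields if n.lower() == "host"]

def first_host(raw):   # hypothetical component A: keeps the first Host field
    return host_values(parse_head(raw)[1])[0]

def last_host(raw):    # hypothetical component B: keeps the last Host field
    return host_values(parse_head(raw)[1])[-1]

def findings(raw: bytes):
    """Strict front-end check: list every reason the host is ambiguous."""
    target, fields = parse_head(raw)
    out = []
    # Whitespace around a field name, or an empty name: reject, do not guess.
    if any(n != n.strip() or not n for n, _ in fields):
        out.append("malformed field name")
    hosts = host_values(fields)
    if len(hosts) != 1:                 # RFC 7230 section 5.4 requires a 400
        out.append(f"{len(hosts)} Host fields")
    if "://" in target:                 # absolute-form request-target
        authority = urlsplit(target).netloc.lower()
        if hosts and authority != hosts[0]:
            out.append("request-target and Host disagree")
    return out

# Constructed sample requests (not taken from the paper).
AMBIGUOUS = (b"GET /index.html HTTP/1.1\r\n"
             b"Host: a.example\r\nHost: b.example\r\n\r\n")
ABSOLUTE = b"GET http://a.example/ HTTP/1.1\r\nHost: b.example\r\n\r\n"
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: a.example\r\n\r\n"

if __name__ == "__main__":
    print(first_host(AMBIGUOUS), last_host(AMBIGUOUS), findings(AMBIGUOUS))
```

A front end that returns 400 whenever `findings` is non-empty never forwards a request on which a cache and an origin server could disagree about the host.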

ICSI Research Group

Networking and Security