Whether we like it or not, HTTP is the de facto application transport protocol of the modern age. We use it everywhere. It’s as ubiquitous as IP and TCP, and serves much the same purpose. Its only goal is to transport the digital gold of today’s business: data.
Whether that data is JSON or XML or URL-encoded is irrelevant. It is HTTP that apps and devices use to communicate with servers and services in the cloud and on-premises in the data center.
Unlike IP and TCP, however, HTTP is a text-based protocol. It is highly flexible and can transport a variety of data – from binary to text. We use it to stream data, to retrieve data, and to collect data.
Attackers use it liberally because, as mentioned, it’s a text-based protocol with fairly lax rules regarding extensions of the headers that specify everything from what action the client expects the server to take (the HTTP ‘method’) to the resource being requested (the URI) to what kind of content can be accepted (the ‘Accept’ headers). These rules are lax to enable extensibility.
For example, the X-Forwarded-For header was introduced as a means to ensure developers were able to ‘see’ the original client IP address. In certain architectures – particularly those in which intermediaries act as full-proxies – this information can be lost. Some applications need that data, and thus developers (and networking vendors) extended the HTTP protocol by introducing a custom header. This is part of the HTTP specification; it allows for innovation and the introduction of new behavior and capabilities without requiring changes to the protocol. It’s a good thing.
Except when it isn’t.
It isn’t a good thing when this flexibility is not taken into account by developers of the servers supporting HTTP or by those responsible for securing applications that rely on HTTP.
Here’s a small sampling of CVEs related to HTTP that exploit a vulnerability in HTTP headers:
| CVE Entry | HTTP Header | Scary Name | Impact |
| CVE-2017-9798 | Method | “Optionsbleed” | Data leak |
| CVE-2011-3192 | Range | “Apache Killer” | DoS |
| CVE-2017-9805 | Content-type | Remote access / execution | |
| CVE-2017-9788 | [Proxy-]Authorization | Data leak / DoS | |
| CVE-2017-8219 | Cookie | DoS | |
| CVE-2017-7679 | Content-type | Data leak | |
| CVE-2017-6367 | Content-Length | DoS |
Honestly, a search through known CVEs for HTTP vulnerabilities returns an excessively long list (and includes a wide variety of vendors and software) that I am not going to duplicate here. A significant portion of those are generally triggered through the abuse of an HTTP header.
A note on Optionsbleed
Optionsbleed is one of the most recent vulnerabilities. I call it out because it exists in Apache HTTP itself. Given that Netcraft currently estimates Apache runs on “more than 2.8 million web-facing computers currently run various versions and derivatives of the Apache httpd, giving it a 42.8% share of all web-facing computers”, vulnerabilities in it become significant risk. Luckily, this particular vulnerability is triggered via an HTTP header but also requires the existence of a misconfigured Limits directive within the .htaccess file. This post from Sophos provides a great overview of the gory technical details if you’re so inclined. The TL;DR is that if the misconfiguration exists, an attacker can exploit a vulnerability in Apache through the HTTP method header and (so it seems) force the server to “bleed” out data belonging to, well, someone else.
Now, I said all that, so I could say this: app security is a stack. That stack includes the platforms (and thus protocols) upon which applications rely. Like HTTP.
We need to do a better job protecting HTTP from being abused to compromise security. Whether it’s a data leak or a DoS or remote access is not the point. They are all bad impacts. We need to do a better job of recognizing that HTTP is an increasingly popular attack surface. That it is text-based means that the entire interaction between a client and the HTTP service should be classified as user input.
That should, in turn, encourage a security strategy that includes sanitization of that input. Yes, that means protocol enforcement and scrubbing upstream (before it gets to a potentially vulnerable HTTP server).
That means a web application firewall or programmable proxy should live in front of any public-facing HTTP service and actively engage in scrubbing incoming HTTP requests.
The reason for this is based on the way that web platforms process HTTP headers, which is to say before the request is ever seen by a developer. Thus, we can’t necessarily point at developers and blame insecure coding practices for platform-level vulnerabilities.
Patching is the ultimate solution, of course. Provided you (1) hear about the vulnerability day zero, (2) a patch is made available day zero, and (3) you are comfortable deploying a potentially untested patch to production systems.
You need to patch, don’t get me wrong, but there is a gap between disclosure, discovery, availability, and application. In that gap lies risk; the risk that a very easy to exploit vulnerability will be used against you.
The penultimate solution is to ensure there is a system (a platform) in place on which you can deploy immediate remediation solutions such as scripts or signature-based scanning to prevent exploitation while you prepare to patch.
Scrubbing inbound data and enforcing protocol correctness should be part and parcel of any corporate security policy.
HTTP is increasingly risky, but it is also manageable if you remember that app security is a stack and then move to put in place protections at each layer of that stack.
About the Author
Related Blog Posts
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.
The Internet of (Increasingly Scary) Things
There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots...